Utah SB 73 Is a “Liability Trap” — Your VPN Can’t Hide You and Websites Can’t Warn You Why

GigaNectar Team

NewsTechnology
Person holding a smartphone displaying a VPN connection screen while sitting in front of a smart TV at home

Utah’s SB 73: The Law That Put VPNs in the Crosshairs

A state-by-state age-verification arms race has reached a new front — and privacy tools are caught in the middle.

What’s Happening

On May 6, 2026, Utah’s Senate Bill 73 — formally the “Online Age Verification Amendments” — took effect, making Utah the first U.S. state to explicitly hold websites liable for users who mask their location using a VPN. Signed by Governor Spencer Cox on March 19, 2026, the law targets adult content platforms and bars them from sharing instructions on how to use a VPN to bypass age checks. The Electronic Frontier Foundation (EFF) has flagged it as a landmark privacy threat — one that extends well beyond Utah residents. It builds on a pattern seen across states like Florida, Texas, and Wisconsin, where age-gate laws predictably drove surges in VPN use, only for lawmakers to then target the VPNs themselves. The wider context of platform access controls tightening across devices and operating systems makes Utah’s move part of a much larger shift in how digital access is governed.

SB 73
First U.S. law targeting VPN-bypass of age gates
2%
Tax on adult content revenues — effective October 2026
+1,400%
VPN surge when UK enforced age verification rules

What the Law Actually Does

Tap each section to read the key provisions of SB 73
📍
Location Is Physical, Not Digital
Under Section 14 of SB 73, a person is considered to be accessing a website from Utah if they are physically located there — regardless of whether they use a VPN, proxy server, or any other tool to disguise their geographic location. A Utah resident using a VPN appears as non-Utah to a website, but the law treats them as Utah-based anyway.
🚫
Platforms Cannot Mention VPNs
Websites hosting content the law deems “harmful to minors” are prohibited from facilitating or encouraging VPN use to bypass age checks. This includes posting instructions on how to use a VPN or providing any means to circumvent geofencing — even links to legitimate privacy resources.
⚖️
Websites Bear an Impossible Burden
NordVPN called SB 73 an “unresolvable compliance paradox” — websites are legally required to identify users whose entire purpose is to be unidentifiable. If a site cannot verify a VPN user’s true location, the legal risk could push it to ban all known VPN IP ranges, or require age verification from every visitor globally.
🌐
Global Users Caught in Utah’s Net
If sites resort to banning all VPN IP addresses to avoid liability, millions of users worldwide face invasive identity checks or complete blocks — including those outside Utah entirely. The EFF warned this would subject people to “invasive identity checks or blocks to their VPN use, regardless of where they actually live.”
🗣️
Restricting Lawful Information
By barring platforms from sharing basic, factual information about VPNs — a legal technology — SB 73 raises First Amendment concerns documented by the EFF. VPNs are widely used by journalists, political activists, abuse survivors, and anyone seeking basic digital security. The law prevents platforms from directing users to these tools.
🕵️
“Don’t Ask, Don’t Tell” Enforcement
Unlike Wisconsin’s scrapped proposal, SB 73 does not outright ban VPN use. Instead, it operates on a murky standard: websites are likely only obligated to verify age if they learn a user is physically in Utah and using a VPN. If the site never discovers this, compliance obligations remain unclear. The EFF described this as a “don’t ask, don’t tell” model.
“When an internet policy can be avoided by a relatively common technology that often provides significant privacy and security benefits, maybe the policy is the problem.”
Cato Institute — on attacking VPNs to enforce age-verification regimes

Why Enforcement Is Technically Broken

The law assumes capabilities that don’t exist at the website level
🔄
Rotating IPs
Commercial VPN providers constantly rotate IP addresses. No comprehensive blocklist covers them all. IP reputation databases like MaxMind and IP2Proxy can flag datacenter ranges, but residential VPN endpoints are largely indistinguishable from normal home connections.
🔬
Deep Packet Inspection
The only method that reliably identifies VPN protocol signatures is deep packet inspection (DPI) — which requires access to network infrastructure between the user and the server. A website operator cannot deploy DPI. China’s Great Firewall and Russia’s TSPU system use it, but only via ISP-level control.
☁️
Workarounds Are Instant
Setting up a personal WireGuard tunnel on a cloud VPS takes minutes. These routes pass through the same infrastructure as ordinary web hosting — completely indistinguishable from regular traffic. The collateral damage falls on legitimate commercial VPN users who rely on these tools for real data security, not tech-savvy teenagers trying to bypass a gate. This pattern is consistent with how platform-level policy decisions tend to affect everyday users more than their intended targets.
🧱
Only Authoritarian States Succeed
To date, the only jurisdictions that have made measurable progress in blocking VPN traffic are authoritarian states with full ISP-level surveillance infrastructure. No democratic country has achieved reliable VPN blocking at the website layer alone.

The Global Pattern: Age Gates → VPN Surges → VPN Crackdowns

Utah is one piece of a widening international picture
🇺🇸
Utah, USA — SB 73
First U.S. state to target VPN bypass of age gates. Signed March 19, 2026; VPN provisions effective May 6, 2026.
Live
🇬🇧
United Kingdom
House of Lords voted 207–159 in January 2026 to ban VPN use for under-18s. Amendments due for debate in the House of Commons. VPN use surged over 1,400% when age verification enforcement began.
Pending
🇫🇷
France
Minister Delegate Anne Le Hénanff stated VPNs are “the next topic on my list” after France enacted a social media ban for under-15s.
Signalled
🇦🇺
Australia
Mandatory age verification for adult content began March 9, 2026. VPN app downloads spiked immediately, with NordVPN climbing from #189 to #13 in iOS rankings per Sensor Tower data.
Live
🇺🇸
Wisconsin, USA
S.B. 130 / A.B. 105 included a provision banning VPNs from bypassing age checks. Removed in February 2026 following widespread backlash from civil liberties groups.
Scrapped
“Utah is setting a precedent that prioritizes government control over the fundamental architecture of a private and secure internet, and it won’t stop at the state’s borders.”
Electronic Frontier Foundation (EFF)

Where Things Stand

Utah’s SB 73 was discussed here as the first U.S. law to impose direct liability on websites for VPN-masked users — a legal structure that digital rights advocates, including the Electronic Frontier Foundation, have framed as technically unenforceable and constitutionally suspect. The VPN provisions under Section 14 took effect May 6, 2026, while a separate 2% tax on adult content revenues is scheduled for October 2026.

NordVPN’s characterisation of SB 73 as an “unresolvable compliance paradox” and the EFF’s warnings about a potential global spillover effect — affecting ordinary internet users, journalists, abuse survivors, and anyone relying on commercial VPNs for data security — were covered across these developments. The law has been positioned alongside the UK’s House of Lords vote, France’s stated intentions, and Australia’s enforcement rollout as part of a broader international pattern in how governments are responding to age-verification circumvention. Related digital policy shifts continue to evolve across jurisdictions.

Leave a comment

About Us

Subscribe

Contact Us

Powered By Karmactive

PRIVACY POLICY Adsense Disclaimer