On May 6, Utah became the first state in the United States to explicitly criminalize the use of virtual private networks as a means of bypassing online age verification requirements. Senate Bill 73, signed by Governor Spencer Cox on March 19, declares that any user physically located in Utah is subject to the law's requirements - regardless of whether they mask their IP address through a VPN or proxy service. Civil liberties groups, technologists, and legal observers are already questioning not just the law's constitutionality, but its basic technical viability.
What the Law Actually Says
SB 73 amends Utah's existing framework for age verification on websites, extending its reach in two significant ways. First, it establishes physical presence - not apparent IP location - as the legal standard for jurisdiction. A Utah resident using a VPN server in Amsterdam is still considered to be accessing a website from Utah under the law. Second, it prohibits covered websites from publishing or sharing instructions that could help users employ a VPN to circumvent age checks. The implication is that websites bearing any Utah-based traffic must implement age verification, and must not hand their users a roadmap around it.
The websites covered under the law are primarily those that host content considered harmful to minors, a category the legislation ties to existing state definitions. The practical enforcement burden falls on web operators, who are expected to detect Utah-based users and verify their ages - a task the law frames as straightforward and the technical community regards as anything but.
The Technical Problem the Legislature Ignored
The law rests on a core assumption that is false: that web providers can reliably determine a user's true physical location when that user is employing a VPN. They cannot.
IP reputation databases - services like MaxMind and IP2Proxy - can identify traffic originating from known datacenter IP ranges, flagging connections that are likely routed through commercial VPN infrastructure. This catches the obvious cases. It does not catch all of them, and it catches some innocent ones too. Commercial VPN providers rotate their IP addresses regularly, making blocklists perpetually outdated. More problematic are residential VPN endpoints, where traffic is routed through addresses assigned to ordinary home internet connections. These are essentially indistinguishable from a real user connecting from their living room.
Autonomous System Number analysis - which traces IP addresses back to the organizations that own them - can identify traffic flowing through datacenter networks. A standard WireGuard tunnel running on a personal cloud server, however, uses the same infrastructure as ordinary web hosting. There is no reliable technical signal that separates it from a developer testing a website from a home office. The law, in effect, mandates detection of something the current internet infrastructure cannot consistently detect.
Enforcement, Liability, and the Broader Pattern
Utah is not the first state to pass online age verification legislation, but it is the first to extend that framework to explicitly address VPN circumvention. Several other states have enacted or introduced similar age verification laws for adult content platforms, most following the general structure of Louisiana's 2022 law, which became an early template. What sets SB 73 apart is its attempt to close what legislators perceived as an obvious loophole - the VPN workaround that rendered earlier laws trivially bypassed.
The instinct is understandable. If a teenager can defeat an age gate in thirty seconds by enabling a free VPN app, the gate serves little protective function. But legislation that mandates the impossible does not become enforceable by virtue of being law. Web operators face a compliance requirement they lack the tools to meet, creating legal exposure without providing meaningful protection. Small publishers, in particular, face a choice between attempting expensive and imperfect compliance systems or blocking Utah-based traffic entirely - a response that has already become common in response to similar laws in other states.
The law also raises a harder question about the direction of internet regulation in the United States. State-level laws that attempt to govern the global web introduce a fragmentation problem: a site operator must now track an expanding patchwork of conflicting state requirements, some of which are technically incompatible with how the internet actually works. Whether federal courts will ultimately constrain this approach - on First Amendment grounds, on dormant Commerce Clause grounds, or on the simpler basis that a law cannot be enforced against an action that cannot be detected - remains an open question. Litigation is widely expected.
What Happens Next
SB 73 takes effect on May 6, but its operational impact will likely be uneven and delayed. Websites with large legal and compliance teams will attempt some form of response. Many smaller operators will either ignore the law, geo-block Utah, or wait to see whether enforcement actions actually materialize. The state's ability to prove that a specific user was physically located in Utah while appearing to connect from elsewhere is a high evidentiary bar - one that would require either device-level data, behavioral analysis, or cooperation from internet service providers in ways that existing frameworks may not permit.
For now, Utah has passed a law that is first in the country in its ambition and, by the assessment of most technical experts, first in the country in the scale of its enforcement problem. Whether it protects a single minor from a single piece of harmful content depends less on the text of the statute than on a technical infrastructure that the statute fundamentally misunderstands.
