Utah's VPN law: what it means for your privacy rights

On 19 March 2026, Utah Governor Spencer Cox signed Senate Bill 73—formally titled the Online Age Verification Amendments—into law. It took effect on 6 May 2026, making Utah the first US state to hold website operators legally responsible when a user physically located in Utah accesses age-gated content via a VPN, proxy, or any other tool that masks their location. Fines start at $2,500 per violation.

That framing is worth pausing on. The law does not ban VPN use outright. Instead, it shifts liability onto platforms: if a Utah resident uses a VPN to reach age-restricted content and the platform cannot prove the user was outside Utah, the platform is exposed. The practical effect is enormous pressure on websites to detect and block VPN traffic—or face the consequences.

A legal challenge was filed on the day the law took effect, enforcement of the VPN-specific provisions has been paused until at least 3 September 2026, and civil liberties groups are already calling the technical premise of the law unworkable. This article unpacks what happened, why it matters, and what the likely trajectory looks like—in the US and closer to home in the UK.

What SB 73 actually says

The core mechanism of SB 73 is liability transfer. Age-verification laws are not new—Utah has had them since 2023. What is new is the explicit treatment of circumvention tools. Under SB 73, a website that hosts age-restricted material is liable if a user who is physically present in Utah accesses that material, regardless of what IP address or apparent location that user presents to the site.

The law also contains a provision that restricts platforms from publishing instructions or guidance about how to use VPNs or proxies to bypass age verification. The Electronic Frontier Foundation has flagged this as a serious First Amendment problem—prohibiting speech about how a legal technology works is a very different matter from regulating the technology itself.

The $2,500-per-violation fine structure means that even modest traffic volumes could translate into liability that would be existential for smaller publishers. For large platforms, the calculus is different, but the pressure to block VPN traffic aggressively is real either way.

The immediate legal challenge

Aylo—the parent company of Pornhub—filed suit in federal court on 6 May 2026, the same day SB 73 took effect. The state of Utah agreed to pause enforcement of the VPN-specific provisions until 3 September 2026 while the case proceeds.

The core arguments in the challenge centre on two issues. First, the technical impossibility argument: no website can reliably identify every user routing traffic through a VPN. The EFF described the law as a technical whack-a-mole—blocking known VPN IP ranges is an arms race that website operators cannot win with certainty, yet the law imposes liability as though certainty were achievable.

Second, the First Amendment argument around the prohibition on publishing VPN guidance. Courts have generally treated instructions about how to use legal tools as protected speech. Whether that protection survives a compelling state interest in protecting minors is exactly the kind of question federal courts will now have to weigh.

The September 2026 date is not a resolution—it is a pause. The outcome of this case will determine whether the VPN-liability model survives constitutional scrutiny or collapses before it can be replicated.

Why this case is being watched so closely

More than 25 US states have active age-verification laws on the books. Most of them focus on the verification mechanism itself—requiring platforms to check government IDs, credit card data, or third-party age estimates. SB 73 goes further by addressing what happens when users try to work around those checks.

If the Utah law survives the federal challenge, it provides a ready-made legislative template. State legislatures looking to strengthen existing age-verification regimes could adopt the same liability-transfer model without needing to reinvent the legal architecture. Conversely, if the law is struck down—particularly on First Amendment grounds—it sets a ceiling on how far states can go in regulating circumvention tools.

The stakes are therefore not Utah-specific. A ruling here, one way or the other, will shape the legal landscape across dozens of jurisdictions.

The UK parallel: Online Safety Act pressure

The Utah situation is unfolding against a backdrop of similar legislative movement in the UK. The Online Safety Act places obligations on platforms to prevent children from accessing harmful content, and Ofcom's implementation guidance has created strong pressure for robust age-verification systems. While the UK has not yet legislated VPN-specific liability in the way Utah has, the direction of regulatory travel is comparable.

The question being debated in UK policy circles is essentially the same one Utah has now forced into the courts: what happens when users route around age checks? If the answer is that platforms bear liability regardless, the same technical and legal tensions arise—detection is imperfect, VPN use is legal, and prohibiting speech about circumvention tools raises free expression concerns under the Human Rights Act as much as the First Amendment.

UK legislators and regulators will be watching the Utah case carefully. A successful constitutional challenge in the US does not bind UK courts, but the technical arguments—about what platforms can and cannot reliably detect—are universal, and they will surface in any serious policy debate about VPN-aware age verification.

What this means for VPN users

If you use a VPN for legitimate privacy reasons—protecting your browsing on public Wi-Fi, securing traffic on a remote work connection, or simply keeping your ISP from building a profile of your activity—SB 73 does not target you directly. The law places obligations on platforms, not on individual users.

That said, the practical consequence of laws like this, if they proliferate, is increased pressure on websites to block VPN traffic broadly. A platform that cannot distinguish between a Utah resident using a VPN and a London resident using a VPN may find it easier to block all VPN-associated IP addresses rather than attempt granular detection. The collateral effect on legitimate VPN users could be significant.

There is also a broader privacy concern worth naming clearly. Age-verification systems that require government ID or credit card data create their own privacy risks—centralised databases of who accessed what, held by third-party verification providers, are attractive targets. The policy tension here is real: the goal of protecting minors is legitimate, but the mechanisms proposed often require collecting more personal data, not less. Understanding what a VPN actually does and what it cannot protect you from is useful context when evaluating these trade-offs.

The technical reality the law ignores

The EFF's whack-a-mole framing is technically accurate. VPN detection relies on maintaining lists of known VPN server IP addresses, and those lists are always incomplete. Dedicated IP addresses—where a single user is assigned an IP not shared with thousands of others—are particularly difficult to classify as VPN traffic. Residential IP proxies are harder still.

A dedicated IP does not appear on commercial VPN block lists in the way that shared VPN exit nodes do, because there is no pattern of many users cycling through the same address. From a website's perspective, it looks like a normal residential or business connection. This is not a loophole—it is simply what the technology does—but it illustrates why the detection premise underlying SB 73 is technically shaky.

For platforms, the choice under a regime like SB 73 is between imperfect detection (and residual liability) and blocking VPN traffic so aggressively that legitimate users are caught in the net. Neither option is clean, which is precisely why the EFF argues the law places an unreasonable burden on publishers.

What to watch between now and September 2026

Three things will determine how significant SB 73 turns out to be.

1. The federal court ruling on the preliminary injunction. If the court grants a wider injunction before September, the law's VPN provisions may be on ice for considerably longer than the current agreed pause.
2. Whether other states move before a ruling lands. Copycat legislation introduced before the Utah case is decided could create a patchwork of liability rules that platforms find unworkable to comply with simultaneously.
3. How the First Amendment argument on VPN speech fares. The prohibition on publishing VPN guidance may be the most legally vulnerable part of the law. If that provision falls, it removes one of the most chilling aspects of the legislation even if the liability framework survives.

If you want to stay current on developments at the intersection of VPN technology and privacy law, our no-log policy page explains the privacy principles that underpin how PremierVPN operates—relevant context for understanding why legal frameworks that treat VPN use as inherently suspicious are contested territory. And if you are assessing your own exposure on shared or public networks, our IP leak test is a practical starting point.

Summary

Utah SB 73 is the first US law to hold websites liable for VPN-assisted age-gate circumvention. It took effect on 6 May 2026, was challenged in federal court the same day, and its VPN-specific provisions are paused until at least 3 September 2026. The law's technical premise—that platforms can reliably detect all VPN traffic—is contested by civil liberties groups and is almost certainly imperfect in practice. The outcome of the Aylo case will either validate or invalidate a legislative model that more than two dozen other states could adopt.

For individual VPN users, the immediate risk is indirect: if VPN-blocking becomes a legal compliance tool for platforms, access to services that currently work fine over a VPN may become less reliable. The broader concern is a policy direction that treats privacy technology as an obstacle to be engineered around rather than a legitimate interest to be weighed. That debate is active, the courts are now involved, and the result matters well beyond Utah's borders.