Utah has announced that Online Age Verification amendments, now called Senate Bill 73, will take effect starting May 6. Under this new law, websites will be held responsible for users hiding their location with VPNs.
The bill also prohibits websites from telling people how to dodge age verification using a VPN. People have condemned the move as impossible, but lawmakers went ahead anyway.
A ‘Liability Trap’ dressed up as age verification
Approved on March 19 by Governor Spencer Cox, Senate Bill 73 does two main things. First, it says a user is legally considered to be accessing a website from Utah if they are physically standing there.
It doesn’t matter if they use a VPN, a proxy, or any other tool to fake their IP address. Second, the law forbids covered websites from sharing instructions on how to use a VPN to bypass age checks.
NordVPN didn’t hold back. The company called it an “unresolvable compliance paradox” and a “liability trap.” Why? The law forces websites to track down users who rely on privacy tools, tools designed to keep their identities secret.
The Electronic Frontier Foundation condemned the idea. They think this bill puts websites in a tough spot. To avoid the accruing legal risks, sites have two options: ban every known VPN IP address they detect, or force everyone visiting the site to prove their age. Whichever option the website settles for, millions of people will still lose.
Wisconsin tried similar VPN provisions earlier this year. Heavy backlash killed them. Utah pushed forward anyway.
The technical flaw nobody wants to talk about
Here’s the core problem. The law assumes a website is able to accurately detect VPN traffic and pinpoint a user’s real location. It can’t.
Yes, IP reputation databases like IP2Proxy and MaxMind can flag traffic from already known datacenter IP ranges. However commercial VPN providers often rotate addresses constantly.
Residential VPN endpoints look almost identical to normal home connections. You can analyze Autonomous System Numbers to catch datacenter traffic, but that won’t detect a personal WireGuard tunnel running on a cloud VPS. That tunnel routes through the exact same infrastructure as ordinary web hosting.
So what actually works? Deep packet inspection, or DPI. That’s the only method that reliably picks up VPN protocol signatures. But here’s the catch: DPI analyzes traffic at the network level, not on a server. Russia’s TSPU system and China’s Great Firewall deploy DPI through internet service providers. A random website operator can’t do that. It requires access to the network infrastructure standing between the user and the server.
Meanwhile, setting up a personal WireGuard instance on a cloud provider like AWS takes literally minutes. Meaning the law is not going to deter tech-savvy teenagers. It will only affect users who aren’t tech-savvy and rely only on commercial VPNs for legitimate privacy.
Another group of people who this law will affect includes journalists, political activists, abuse survivors, and people residing in regions with authoritarian regimes.
Other bills similar to Utah’s senate Bill 73
Utah isn’t alone in this impossible chase. The UK’s House of Lords voted 207-159 in January to ban VPN services for under-18s. Those amendments will now head to the House of Commons for debate. When the UK enforced age verification last July, VPN usage jumped more than 1,400% on the very first day. Anne Le Hénanff, France’s digital affairs minister, has already said VPNs are “next on my list.”
To date, the only countries that have made real progress blocking VPN traffic are authoritarian regimes with ISP-level surveillance. That’s not company any state should want to keep.
However, legitimate law enforcement action against criminal VPN services is different. Europol and FBI take action against Safe-Inet VPN service for helping cybercriminals, showing that when a VPN provider actively markets to ransomware gangs and ignores abuse reports, international authorities will respond, not with impossible compliance demands, but with server seizures and criminal charges.
The EFF put it bluntly: lawmakers that can’t tell the difference between a “loophole” and a security tool are now writing rules to regulate one of the most sophisticated infrastructures on Earth. The result is not going to be a safer internet, but a less private one.
