
Utah VPN Law: First State to Target Privacy Tools


In 72 hours—on May 6, 2026—Utah will become the first U.S. state to legally target VPN usage. Senate Bill 73 holds websites liable if Utah residents use privacy tools to bypass age verification, even when sites block every known VPN IP address. NordVPN calls it an “unresolvable compliance paradox”: sites must verify ages of users whose tools are specifically designed to be unidentifiable.

This isn’t just about adult content. It’s a precedent that could criminalize privacy tools nationwide. Twenty-six states have age verification laws, but only Utah explicitly targets VPNs. Wisconsin legislators removed identical provisions in February after backlash. Utah proceeded anyway.

VPN Detection is a Technical Whack-a-Mole

Here’s why compliance is impossible: VPN providers rotate IP addresses constantly. IPinfo research shows 10-56% of privacy IP classifications change monthly, making fresh data critical. Even sites that deploy expensive VPN detection APIs ($10,000-100,000/month for high-traffic sites) cannot catch all VPN users.

Residential VPNs are the real killer. These services route traffic through regular home connections, inheriting the reputation of real ISP subscribers. VPN detection vendors admit: “You cannot blacklist an IP without also blocking the legitimate homeowner using it.” The arms race has inverted—residential VPN services have a structural advantage that no blocklist can overcome.

The Electronic Frontier Foundation puts it bluntly: “Blocking all known VPN and proxy IP addresses is a technical whack-a-mole that likely no company can win.” NordVPN echoes this: “Blocking all known VPN and proxy IPs is technically impossible—providers constantly add new addresses and no comprehensive blocklist exists.”
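The churn and residential-exit problems described above can be measured directly. The following is an added example, not code from the article or from any detection vendor: it scores a stale and a fresh blocklist snapshot against labelled traffic. All addresses are RFC 5737 documentation ranges, and the snapshots, traffic and labels are constructed for illustration.

```python
import ipaddress

# Constructed snapshots of a "known VPN ranges" feed, taken one month apart
# (RFC 5737 documentation addresses, not real provider data).
SNAPSHOT_OLD = ["192.0.2.0/25", "198.51.100.0/25"]
SNAPSHOT_NEW = ["192.0.2.0/26", "198.51.100.0/26", "203.0.113.0/27"]

# Constructed traffic: (client IP, ground truth the site cannot observe).
REQUESTS = [
    ("192.0.2.10", "datacenter_vpn"),      # listed in both snapshots
    ("203.0.113.5", "datacenter_vpn"),     # range added after the old snapshot
    ("192.0.2.100", "direct"),             # range the provider has since released
    ("203.0.113.200", "residential_vpn"),  # home connection used as an exit
    ("203.0.113.200", "direct"),           # the homeowner on the same address
]

def expand(cidrs):
    """Return the set of individual addresses covered by a list of CIDRs."""
    return {ip for c in cidrs for ip in ipaddress.ip_network(c)}

def churn(old, new):
    """Fraction of the old snapshot's addresses no longer listed in the new one."""
    old_ips, new_ips = expand(old), expand(new)
    return len(old_ips - new_ips) / len(old_ips)

def audit(requests, cidrs):
    """Score a blocklist against labelled traffic."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    result = {"caught": 0, "missed": 0, "wrongly_blocked": 0}
    for ip, truth in requests:
        listed = any(ipaddress.ip_address(ip) in n for n in nets)
        is_vpn = truth.endswith("_vpn")
        if listed and is_vpn:
            result["caught"] += 1
        elif listed:
            result["wrongly_blocked"] += 1  # stale entry or shared home address
        elif is_vpn:
            result["missed"] += 1
    return result

if __name__ == "__main__":
    print("monthly churn:", churn(SNAPSHOT_OLD, SNAPSHOT_NEW))
    print("stale list:", audit(REQUESTS, SNAPSHOT_OLD))
    print("fresh list:", audit(REQUESTS, SNAPSHOT_NEW))
    # Listing the residential exit catches it but also blocks the homeowner.
    print("plus home IP:", audit(REQUESTS, SNAPSHOT_NEW + ["203.0.113.200/32"]))
```

The stale snapshot both misses a newly added range and blocks a released one; the fresh snapshot fixes both but still cannot separate the residential exit from the subscriber who shares its address.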

Websites Face Three Bad Options

Under SB 73, website operators are trapped in an impossible dilemma. Option 1: Geofence Utah entirely. Block all Utah IPs, and 3.4 million residents lose access. Some adult content sites have already done this in states with strict age verification laws.

Option 2: Mandate global age verification. Force ALL users worldwide to verify age—uploading government IDs or submitting to facial scans—to catch the small percentage who might be Utah VPN users. The EFF warns this approach would “subject millions of users to invasive identity checks they have no legal obligation” to provide. It’s a privacy nightmare for non-Utah users who have nothing to do with the law.

Option 3: Deploy VPN detection systems. Integrate commercial APIs (IPQualityScore, Fingerprint.com, IPinfo) at $0.001-0.01 per lookup. For a high-traffic site with 10 million daily visitors, that’s $10,000-100,000 per month. And it still doesn’t work—residential VPNs slip through, new IPs bypass blocklists, and legal liability remains.

There is no good option. Every compliance path is either ineffective, harmful to privacy, or excludes millions of users.

First Amendment Red Flag

SB 73 prohibits websites from providing “any instructions on how to use a VPN” to bypass age checks. This means sites can’t educate users about legal privacy tools—a likely First Amendment violation.

The EFF’s legal analysis is clear: “This raises significant First Amendment concerns, as it prevents platforms from providing basic, truthful information about a lawful privacy tool to their users.” Legal precedent supports this. In Bernstein v. DOJ, courts ruled the government can’t ban publication of information about legal encryption tools. VPN instructions fall into the same category—truthful speech about lawful technology.

Wisconsin legislators recognized this constitutional problem and removed VPN instruction prohibitions from their age verification bill (SB 130) in February 2026 after digital rights groups, VPN providers, and the tech industry lobbied heavily. Utah ignored this precedent.

Wisconsin Rejected This, Utah Proceeded

Wisconsin’s reversal is instructive. Politicians learned that VPN blocking is “technically impossible” and “raises constitutional concerns.” After backlash from the EFF, VPN providers, and tech advocates, legislators stripped VPN-targeting provisions from SB 130. The bill still includes age verification requirements, but without the unenforceable VPN liability.

Utah is now the ONLY state with active VPN-targeting provisions in an age verification law. That makes it a test case. If SB 73 survives legal challenges, 25 other states with age verification laws may add similar VPN provisions. If it’s struck down—which legal experts estimate at 60% probability based on First Amendment and Commerce Clause arguments—it discourages copycat legislation.

The EFF and NetChoice (an industry group already suing four states over age verification laws) are likely to add Utah to their legal challenges. The First Amendment argument is strong. The technical impossibility argument is airtight. And Wisconsin’s precedent shows that even legislators who support age verification recognize VPN targeting goes too far.

What’s Next

The law takes effect May 6. Websites have had no time to comply—SB 73 was signed March 19, giving sites less than seven weeks to solve a technically unsolvable problem. Expect legal challenges, likely from the EFF or NetChoice, within weeks of the effective date.

The broader stakes are high. Twenty-six states have age verification laws. If Utah’s approach spreads, privacy tools could be criminalized nationwide. Journalists who use VPNs to protect sources, activists who use them to avoid surveillance, domestic abuse survivors who use them to hide from abusers, and corporate employees who use them for remote work—all would face blocks or forced identity checks.

Key Takeaways

  • Utah’s VPN law takes effect May 6, holding websites liable for VPN users despite technical impossibility
  • VPN detection can’t catch all users: 10-56% monthly IP churn, residential VPNs undetectable, no comprehensive blocklists
  • First Amendment concerns: prohibiting VPN instructions likely unconstitutional, Wisconsin removed similar provisions in February
  • Legal challenges expected from EFF, NetChoice—60% probability of being struck down on constitutional grounds
  • Precedent battle ahead: 25 other states with age verification laws are watching
ByteBot