What is Utah SB 73 and when does it take effect?

Utah Senate Bill 73 — formally the Online Age Verification Amendments — was signed by Governor Spencer Cox on March 19, 2026 and the VPN-related section takes effect on May 6, 2026 . The bill amends Section 78B-3-1002 of Utah's existing online age-verification statute. Its Section 14 explicitly addresses VPN use: it treats users as accessing a website from Utah whenever they're physically located in the state, regardless of whether they connect through a VPN, proxy server, or any other location-masking tool. A separate provision imposing a 2% tax on revenues from online adult content takes effect in October 2026.

Does Utah SB 73 ban VPNs?

No — SB 73 stops short of an outright VPN ban. Unlike a similar Wisconsin proposal that was scaled back due to constitutional concerns, Utah's law uses what the EFF describes as a "don't ask, don't tell" enforcement model. Websites that host "a substantial portion of material harmful to minors" face liability if they learn a user is physically in Utah and using a VPN, and they're prohibited from sharing instructions on how to use a VPN to bypass age checks. Using a VPN itself remains legal for Utah residents; the law puts the regulatory burden on commercial websites, not on individual users.

Why are digital-rights groups opposing the law?

The Electronic Frontier Foundation, NordVPN, the Cato Institute, and other digital-rights advocates have raised three core objections. First, the law creates a "liability trap" : because no website can reliably detect every VPN user's true location, sites may respond by either blocking all known VPN IP ranges or requiring identity-style age verification for every visitor globally — including users who don't live in Utah. Second, the prohibition on websites sharing truthful information about VPNs raises First Amendment concerns. Third, the law is technically infeasible to enforce in practice (more on that below).

Will SB 73 actually stop people from using VPNs?

Almost certainly not. As the EFF notes, blocking all known VPN and proxy IPs is a "technical whack-a-mole that likely no company can win" — providers add new IP ranges constantly and no comprehensive blocklist exists. Motivated users will simply migrate to non-commercial proxies, private cloud-tunnel setups (e.g., a self-hosted instance on AWS), or residential proxies that are virtually indistinguishable from regular home traffic. The collateral damage will fall instead on businesses, journalists, and survivors of abuse who rely on commercial VPNs for routine data security, while a tech-savvy minor seeking adult content will find a workaround within minutes.

Are other states following Utah's lead?

Yes — Utah is the first state to enact this kind of law, but the pattern is global. Wisconsin proposed similar provisions and walked them back under pressure. Florida, Missouri, and Texas have already implemented age-verification laws that triggered VPN-usage surges among residents. Internationally, the United Kingdom's Children's Commissioner has called VPNs a "loophole that needs closing," and France's Minister Delegate for Artificial Intelligence and Digital Affairs publicly named VPNs as the "next topic" after the country's social-media ban for under-15s. Australia and Indonesia have also enacted age-verification mandates that drove similar VPN-adoption spikes.

How can Utah residents protect their privacy in 2026?

The simplest path is a reputable commercial VPN with strong obfuscation. Look for: a verified no-logs policy, support for the WireGuard protocol (low-latency tunneling), obfuscated servers (so the VPN traffic isn't trivially fingerprintable), and a kill switch to prevent your real IP from leaking if the connection drops. Avoid free VPNs — they typically log and sell traffic data, which is exactly the privacy harm a VPN is supposed to prevent. For users who need a fixed real-ISP exit IP (rather than rotating commercial-VPN ranges), a Dedicated Residential IP plan from a provider like CometVPN gives you the privacy benefits of a VPN with an IP that's much harder for sites to flag and block.

Utah SB 73 Explained: First U.S. State Law Targeting VPNs (May 2026)

Today, May 6, 2026, Utah becomes the first U.S. state to put VPN users in the legal crosshairs of an age-verification law. Senate Bill 73 — formally titled the Online Age Verification Amendments and signed by Governor Spencer Cox on March 19, 2026 — takes effect today, and its Section 14 fundamentally changes the relationship between Utah residents, VPN providers, and the websites those residents visit.

If you're a Utah resident reading this, the law doesn't make your VPN illegal. But it does mark the moment lawmakers in the United States started treating commercial VPNs not as the standard privacy tool they've been for two decades — used daily by businesses, journalists, students on public Wi-Fi, and anyone connecting to a banking app from a coffee shop — but as a regulatory loophole to be closed.

Here's what SB 73 actually does, why digital-rights advocates from the Electronic Frontier Foundation to NordVPN are calling it a "liability trap," why it almost certainly won't achieve its stated goal, and what it means for your privacy in 2026.

What Utah SB 73 Actually Does

Most of SB 73 is about a 2% tax on revenues from online adult content (effective October 2026). The provisions taking effect today are different — they amend Section 78B-3-1002 of Utah's existing online age-verification statute and explicitly target VPN use in two ways:

Location follows the body, not the IP. Under the new law, an individual is considered to be accessing a website from Utah if they are physically located in Utah, regardless of whether they use a VPN, a proxy server, or any other tool to disguise their geographic location. In other words, even if your IP shows you in Wyoming, the statute treats you as a Utah user the moment your phone is in Salt Lake City.
Websites are gagged on VPN information. Commercial entities that host "a substantial portion of material harmful to minors" are now prohibited from facilitating or encouraging the use of a VPN to bypass age checks. This includes publishing instructions on how to use a VPN — language broad enough that the EFF flags it as a First Amendment problem.

The law stops short of explicitly banning VPN use itself. There are no fines for individual Utah residents who connect through a commercial VPN. The legal pressure points squarely at the websites — and that's where the trouble starts.

The "Liability Trap" That Worries Privacy Advocates

The single biggest objection from digital-rights groups is what the EFF calls a liability trap: under SB 73, a website is on the hook for verifying the age of every user physically located in Utah, even users who appear to the website to be somewhere else. Since no commercial site can reliably detect every VPN user's true geolocation, two unappealing options remain:

Block every known VPN exit IP. Maintain an ever-growing blocklist, accept the false-positive collateral damage (legitimate VPN-using customers who get locked out), and pray you keep up with new IP ranges as providers rotate them.
Demand age verification from every visitor globally. Treat every user as if they might be a Utah resident on a VPN, and require government-ID-tier age proof from everyone — including the millions of people who don't live in Utah and aren't subject to the law.

NordVPN's policy team called it exactly that — "a liability trap" — in comments to TechRadar. Both options expand the blast radius of a state-level law into a global identity-verification regime, and both impose real costs on the journalists, survivors of abuse, business travelers, and ordinary privacy-conscious users who rely on commercial VPNs for legitimate data security.

The First Amendment Problem

The second provision — the gag on websites sharing information about VPNs — is the part most likely to face a constitutional challenge. SB 73 doesn't just ask covered platforms to enforce age gates; it forbids them from telling their users about a perfectly lawful piece of software that exists in the world.

The EFF, the Cato Institute, and free-speech advocates note that this restricts truthful, non-misleading speech about a legal privacy tool. As the Cato Institute put it: "When an internet policy can be avoided by a relatively common technology that often provides significant privacy and security benefits, maybe the policy is the problem."

Will SB 73 Actually Work? The Technical Reality

The short answer is no. The longer answer is that even partial success would require a level of network-level fingerprinting that no single state can compel and no website operator can deliver. Here's what motivated users will do — within hours of the law taking effect, not months:

Migrate to residential proxies. Residential proxies route through real consumer ISP IPs that are indistinguishable from ordinary home traffic. They've existed for years for legitimate web-scraping, ad verification, and brand-protection use cases — and they bypass commercial-VPN blocklists trivially because they're not on those blocklists.
Spin up private cloud tunnels. A $5/month VPS on AWS, DigitalOcean, or Hetzner running WireGuard gives a tech-aware user a personal VPN exit IP that no blocklist will ever catch — because it's a single IP that didn't exist yesterday and will never appear in a commercial VPN range.
Use Tor or self-hosted Shadowsocks/V2Ray. Open-source obfuscation tools developed for residents of countries with strict internet controls already defeat far more sophisticated detection than anything Utah's bill contemplates.

The collateral damage falls on the regular Utah resident who just wants their banking traffic encrypted on hotel Wi-Fi — not on the technically-motivated minor the law was supposed to protect from. As the EFF observed, "these provisions won't stop a tech-savvy teenager, but they certainly will impact the privacy of every regular Utah resident who just wants to keep their data out of the hands of brokers or malicious actors."

Utah's Not Alone — The Global Picture in 2026

SB 73 is the U.S. high-water mark, but it's part of a global pattern of governments responding to the VPN-usage surge that follows every age-verification mandate. The story has played out the same way in over a dozen jurisdictions in the last three years:

U.S. states with age-verification laws driving VPN spikes: Florida, Missouri, Texas, Utah (since 2023), Louisiana, Mississippi, Virginia, Tennessee, North Carolina, Idaho, and others — Utah is now the first to retaliate against the VPN-usage surge by targeting the tool itself.
Wisconsin: Proposed similar VPN-targeting language; advocates successfully forced its removal due to constitutional and technical concerns. Utah pushed forward despite the same objections.
United Kingdom: The Children's Commissioner publicly described VPNs as "a loophole that needs closing" after the Online Safety Act drove a massive VPN-adoption spike.
France: The Minister Delegate for Artificial Intelligence and Digital Affairs named VPNs as the "next topic" on the regulatory agenda after the country enacted a social-media ban for kids under 15.
Australia, Indonesia: Both have implemented age-verification laws that drove VPN-usage surges, with regulatory follow-up under active discussion.

The pattern is consistent: the policy creates the demand for the tool, then the policy turns on the tool. Whether SB 73 stands up to legal challenges or gets quietly walked back like Wisconsin's version is one of the most important U.S. internet-policy stories of 2026.

What This Means for Utah Residents

If you live in Utah and use a VPN today for the same reasons most people do — banking on public Wi-Fi, working remotely from coffee shops, separating work and personal accounts, protecting yourself from doxing, or simply not wanting your ISP to log every site you visit — nothing about your day-to-day VPN use is illegal under SB 73. The law targets websites, not users.

What changes is the experience of using a VPN to visit certain sites:

Some adult sites may now block all VPN traffic. If a site decides the safer compliance path is to ban every VPN IP it can identify, you'll see CAPTCHA walls or hard blocks even though you live in Utah and use the VPN for legitimate reasons.
Some sites may demand global age verification. If they instead choose the "verify everyone" path, you'll see government-ID-tier age verification prompts that didn't exist a week ago — including from sites that are clearly not adult content.
You'll see less information about VPNs on covered platforms. The gag-rule provision means tutorials, recommendations, and even basic explainers about VPNs may disappear from sites operating under SB 73's compliance umbrella.

How to Protect Your Privacy in 2026 (Legitimately)

Whatever your view on age-verification policy, the technical question — "how do I keep my normal internet traffic private and secure in 2026" — has the same answer it had a week ago. Pick a reputable commercial VPN with these qualities:

Verified no-logs policy with independent audit reports you can read.
WireGuard protocol support (low-latency, modern cryptography).
Obfuscated servers so the VPN traffic itself doesn't get fingerprinted.
Kill switch to prevent your real IP from leaking if the tunnel drops.
Jurisdiction outside the 14 Eyes intelligence-sharing alliance — Panama, the British Virgin Islands, and Switzerland are common.

For users who want a step further than commercial-pool VPN ranges — particularly Utah residents who anticipate getting caught in commercial-VPN blocklists at sites that adopt the strictest SB 73 compliance — a Dedicated Residential IP plan from a provider like CometVPN gives you a fixed real-ISP exit IP that looks like an ordinary home connection and won't appear on commercial-VPN blocklists. CometVPN runs on WireGuard, includes a kill switch, ships obfuscated servers, is based in Panama, and starts at $1.89/mo on the two-year plan with the Dedicated Residential IP available as an add-on.

Power users who need finer-grained control — for example, browsing automation, multi-account workflows, or scraping — can also use residential proxies from MarsProxies or IPRoyal, which deliver real-ISP IP origin similar to a Dedicated Residential VPN tier but expose per-application routing.

The Bigger Picture

VPNs are, at their core, the tools that make the modern privacy-conscious internet possible. Attacking them — whether by Utah's gag-rule liability trap, the UK's "loophole" framing, or France's "next topic" agenda — is fundamentally an attack on the architecture that protects journalists, business travelers, abuse survivors, and ordinary users who simply don't want their data sold to the highest bidder.

SB 73 is the first U.S. state law to take that step. It probably won't be the last. The regulatory question for the rest of 2026 is whether the legal challenges, technical workarounds, and public backlash will be enough to slow that trend — or whether the next round of state-level age-verification bills will copy Utah's playbook word for word.

For now, May 6, 2026 is on the books as the day the United States crossed a line. We'll be watching what happens next.

Sources: Electronic Frontier Foundation, Utah Legislature SB 73 enrolled text, TechRadar / NordVPN, Tom's Hardware, CyberInsider, Cato Institute.

Utah SB 73: The First U.S. Law Targeting VPN Users Goes Into Effect May 6, 2026

What Utah SB 73 Actually Does

The "Liability Trap" That Worries Privacy Advocates

The First Amendment Problem

Will SB 73 Actually Work? The Technical Reality

Utah's Not Alone — The Global Picture in 2026

What This Means for Utah Residents

How to Protect Your Privacy in 2026 (Legitimately)

The Bigger Picture

Frequently Asked Questions

Go with a VPN?

Go with Proxies?

How to Bypass xHamster Age Verification: 2026 Working Methods