Utah Just Made VPNs a Liability Trap. The Law Is Now Officially Ahead of the Tech.
Compliance

On May 6, 2026, Utah became the first U.S. state to write VPN circumvention directly into an age-verification statute. NordVPN and digital-rights groups have already warned the enforcement model is unworkable in practice.

CAIRL Team

May 7, 2026 · 3 min read

On May 6, 2026, Utah became the first U.S. state to write VPN circumvention directly into an age-verification statute. Senate Bill 73, the Online Age Verification Amendments, applies to commercial entities that knowingly publish or distribute material harmful to minors from a website where a "substantial portion" — defined in the bill as more than one-third — of the content meets that definition. Those entities must verify the age of any user physically located in Utah, regardless of whether their IP address says they're somewhere else, and the bill expressly bars covered websites from facilitating or encouraging VPN or proxy circumvention.

If you run an online platform that touches that definition, this single change rewrites your liability surface. If you're a compliance leader, it rewrites your roadmap. And if you read only one paragraph of this post, read this one: the law is demanding a verification capability that has not yet become a widely adopted, low-friction, privacy-preserving default.

That gap — between what regulation requires and what verification infrastructure has actually deployed at scale — is the single most important compliance story of 2026.

What SB 73 actually says, in plain English

Three points cover the substance:

  1. Covered "commercial entities" — those that knowingly publish material harmful to minors and where a substantial portion (more than one-third) of the content meets that definition — must verify that a user is 18 or older before serving content to anyone physically in Utah.
  2. Whether a user is "in Utah" is determined by physical location, not IP address. If a Utah resident is using a VPN that makes their traffic look like it's coming from Iceland, the platform is still on the hook. The bill also prohibits covered websites from facilitating or encouraging VPN or proxy circumvention.
  3. Failing to verify those users can trigger statutory liability, regulatory enforcement, administrative fines, civil penalties, and damages.

In other words: the burden has shifted from "where does the request appear to come from" to "where is the human actually sitting." That's a fundamentally different engineering problem — and most platforms aren't built for it.

VPN providers and digital-rights groups have already warned the enforcement model is unworkable

NordVPN and digital-rights groups have publicly warned that reliably identifying Utah-based VPN users is impractical, with NordVPN describing the obligation as a "liability trap" in public comment. The Electronic Frontier Foundation, which has tracked the bill closely, has called the enforcement model "a technical whack-a-mole" and flagged Utah as a first-in-the-nation VPN-targeting approach. None of these are ideological objections. They are infrastructure objections.

VPNs work, in part, because IP geolocation is unreliable. A regulation that pretends otherwise doesn't make the unreliability go away — it just transfers the cost of that unreliability onto whichever business is closest to the user.

Right now, that's the platforms.

The three bad choices, and the one good one

When a regulation outruns the available tech, operators tend to fall into one of three failure modes:

Option 1: Over-block. Geofence aggressively. Block any traffic that even smells like a VPN. You lose legitimate users, your revenue takes a hit, and you create a press story about over-broad censorship.

Option 2: Under-block. Trust IP geolocation, hope for the best, and absorb the liability and enforcement risk when Utah residents inevitably slip through. This is the cheapest option until the first enforcement action lands. Then it becomes the most expensive.

Option 3: Bolt on a verification vendor. Stand up a third-party ID check at the front door of your site. This works, technically. But it imposes maximum friction on every user, collects sensitive personal data you'd rather not be holding, and creates a privacy story that regulators are increasingly scrutinizing: over-collection, weak deletion, unclear notice, and sensitive-data exposure.

None of those are good answers. They are damage-control answers.

The fourth option — and this is where we plant our flag — is compliance-by-design: building verification into the user journey as a native, minimal-data, portable signal that satisfies the law without burning the user experience or hoarding sensitive data. That's a different architecture, not a different vendor.

Why this is bigger than Utah

SB 73 is not just a Utah story. It is a preview of the verification problem every platform is about to face.

Across the U.S., age-verification laws are no longer a fringe policy experiment, and the same is true abroad. The EU is pushing a privacy-preserving age-verification app that Member States can deploy or integrate into digital identity wallets by the end of 2026. The FTC has also signaled that age-verification technologies may fit within COPPA enforcement policy — but only when operators limit use, delete data promptly, secure it properly, give notice, and take reasonable steps to ensure accuracy. California's privacy posture, meanwhile, points in the opposite direction: stronger rights around deletion, sensitive personal information, data minimization, and youth privacy.

Read those trends together and a clear shape emerges:

  • The pressure to verify is going up.
  • The penalty for collecting too much data is also going up.
  • Location, age, consent, and privacy are becoming one compliance problem.
  • Reactive verification will not survive the next wave.

If your verification strategy in 2026 is still "we'll figure it out when a state sues us," you don't have a verification strategy. You have a litigation budget.

What we're building, and why

We are building the system that lets users and platforms comply naturally. That word is doing real work: naturally means the verification happens at the right moment, with the minimum data legally required, in a format that travels with the user across platforms — so the user isn't re-uploading a driver's license on every adult-content site, every social platform, every checkout flow.

That model only works if it's built into the architecture, not bolted onto the front door. SB 73 is the regulation that finally forces that distinction into the open.

As of May 6, 2026, Utah is the live test case. By the end of 2026, the EU is the next one. By 2027, this is likely to be the default direction of travel.

The platforms that will win this decade are the ones that stop treating verification as a compliance tax and start treating it as part of the product.

Sources

  1. Utah Legislature — Enrolled SB 73, Online Age Verification Amendments (effective 05/06/26)
  2. Electronic Frontier Foundation — "Utah's New Law Targeting VPNs Goes Into Effect May 6th"
  3. European Commission — "The EU approach to age verification"
  4. European Commission — "Commission urges fast rollout of age verification app"
  5. Federal Trade Commission — COPPA Age-Verification Enforcement Policy Statement (Feb 25, 2026)
  6. Industry commentary (secondary): TechRadar — "A technical whack-a-mole: Utah to become first US state to target VPN users"; National Law Review — "Age-Verification Laws Reshape Online Compliance in 2026"
