A hot potato: Plenty of states (and countries) now have age-restriction measures placed on pornography sites, which are often circumvented using VPNs. But a Utah law is about to go into effect that will specifically target VPN software users as part of its age verification rules.
On May 6, Utah's Online Age Verification Amendments, formally Senate Bill 73, takes effect. The law states that a user is considered to be accessing a website from the state if they are physically located there, regardless of whether they use a VPN, proxy server, or other means to disguise their geographic location.
The big issue is that the law appears to assume websites can both detect VPN traffic and determine a visitor's true physical location with certainty. They cannot. At best, sites can block known VPN IP addresses, a constantly changing and incomplete list that will inevitably catch legitimate users while missing others entirely.
Moreover, websites that host "a substantial portion of material harmful to minors" are now prohibited from facilitating or encouraging the use of a VPN to bypass age checks. This includes providing instructions on how to use a VPN or providing the means to circumvent geofencing. The bill defines a substantial portion as more than one-third of a site's total material.
VPN companies responded to the nation's first VPN-specific age-verification rule exactly as you might expect. NordVPN previously argued that blocking every known VPN and proxy IP address in Utah would be "technically impossible," noting that providers are constantly adding new addresses and that no complete blocklist exists.
Nord warned that efforts to comply could create major problems for legitimate users around the world. Because the rule does not allow adult sites to simply pull out of Utah to avoid the requirements, the company said the only apparent alternative would be to age-verify every visitor globally, regardless of where they are actually located.
Nord also said that this would subject "millions of users to invasive identity checks [when] they have no legal obligation." It defined the rule as a "liability trap."
Digital privacy advocacy group the Electronic Frontier Foundation was similarly critical of the law, arguing that it sets a dangerous precedent by discouraging VPN use, which could lead to sites banning all known VPN IPs. The group said the rule does this by imposing liability on websites while also restricting them from sharing information about VPNs. That raises significant First Amendment concerns, as it could prevent platforms from providing users with basic, truthful information about a lawful privacy tool.
The law does include some carveouts. Internet service providers, search engines, cloud service providers, and news-gathering organizations are not supposed to be held liable simply for providing access to, linking to, reporting on, or otherwise transmitting covered content.
As with earlier state-level age-verification laws, the stated aim is protecting minors from adult material online. The obvious problem is that this one pushes the burden onto websites to identify where a visitor really is, even when the visitor is using tools designed to obscure exactly that information.