On May 6, 2026, Utah's SB 73, the "Online Age Verification Amendments," took effect, making Utah the first US state to write virtual private networks directly into an age-verification statute. The law's mechanism is novel and aggressive: it deems any user physically located in Utah to be in Utah "regardless of whether the individual uses a virtual private network or proxy server," and it bars covered adult sites from facilitating — or even explaining — how to use a VPN to bypass age checks. The bill also layers a 2% excise tax on online adult-content revenue. Governor Spencer Cox signed it in March 2026.
Utah's move is not isolated. In its June 5, 2026 analysis, the Electronic Frontier Foundation placed SB 73 inside a fast-growing global wave of age-gating — from Australia's under-16 social media ban to the UK's Online Safety Act to the EU's age-verification app — and noted that regulators abroad are now eyeing the circumvention tool itself. Britain's Children's Commissioner, Dame Rachel de Souza, has called VPNs "a loophole that needs closing." France's digital affairs minister, Anne Le Hénanff, told Franceinfo that VPNs are "the next topic on my list" after the National Assembly approved an under-15 social media ban requiring age verification by September 2026.
The Strongest Case for the Rule
The regulatory logic deserves a fair hearing. Once a jurisdiction mandates age verification for adult content, VPNs are the obvious escape hatch — and the data suggests teenagers find it quickly. After the UK's Online Safety Act age checks began in July 2025, VPN apps surged to the top of British download charts within days. A law that can be defeated by a free app in the app store is not much of a law, and lawmakers who genuinely want to keep explicit content away from minors have a coherent reason to ask why the most-downloaded circumvention tool should sit entirely outside the rules. That is a real problem, not a manufactured one.
Why the Mechanism Backfires
The trouble is that Utah's specific fix is both technically incoherent and constitutionally radical. A VPN's entire function is to mask a user's location; a website genuinely cannot know whether an anonymized connection originates in Salt Lake City or Stockholm. SB 73's "deemed-location" provision does not solve that — it simply assigns the legal risk of the unknowable to the website. To comply with certainty, a platform would have to age-verify every user on earth on the theory that any of them might secretly be a Utahn behind a VPN.
That is precisely the argument Aylo, the parent company of Pornhub, made when it sued Utah in federal district court in spring 2026. According to its complaint, the deemed-location provision "transforms what is nominally a Utah regulation into a de facto global mandate," placing the company in "an impossible position" and violating constitutional protections for interstate and foreign commerce. The challenge had immediate effect: on April 27, 2026, the Utah Department of Commerce agreed not to enforce the VPN-liability provisions until September 3, 2026 while the case proceeds. The state blinked on the very feature that made the law a national first.
The Speech Problem Hiding in the Statute
The provision barring sites from "facilitating" or explaining VPN use is more troubling than the location fiction. VPNs are mainstream, lawful privacy tools relied on by journalists, domestic-abuse survivors, remote workers, and ordinary users on public Wi-Fi. A statute that forbids a website from describing how a legal technology works is a content-based restriction on truthful speech about a lawful product — the kind of rule that ordinarily draws strict First Amendment scrutiny. Banning information about a tool, rather than the tool itself, is a censorship shortcut, and it sets a precedent that has nothing to do with the age of the reader.
A Precedent Worth Resisting
The deeper risk is architectural. VPNs and proxies are not loopholes bolted onto the internet; they are core components of how a private, secure network functions — the same encryption that lets a teenager reach a blocked site also protects a dissident, a banking session, and a corporate network. Treating that infrastructure as presumptively suspect, as Utah, Britain, and France are each now flirting with, trades a narrow and porous enforcement gain for a broad weakening of everyone's privacy. Proportionate regulation would target the harm directly — through device-level controls, parental tools, and narrowly drawn duties on platforms — rather than conscripting websites into policing a tool they cannot detect and punishing them for explaining how it works.
Utah's September pause is an admission that the mechanism, as written, does not function. Lawmakers elsewhere should read the delay as a warning, not a roadmap. The goal of protecting minors is legitimate; deputizing the entire web to fight an unwinnable war against encryption is not the way to reach it.