Utah’s New Age Verification Law Takes Aim at VPN Use
Published
Key Takeaways
- Utah age verification law: Requires websites to verify user ages, even if VPNs are used to bypass restrictions
- VPN enforcement challenge: Law considers physical location, making VPN-based bypass attempts still legally accountable for websites
- Privacy and industry concerns: Critics warn of technical limits, legal risks, and broader impact on user data protection
A new law in the US state of Utah is set to take effect this week, bringing fresh attention to the growing debate around online age verification. The legislation, known as Senate Bill 73, introduces stricter requirements for websites that host content considered harmful to minors, and notably, it directly addresses the use of virtual private networks (VPNs).
This makes Utah the first state in the country to explicitly include VPN usage within its age verification framework.
What the Law Requires
Starting May 6, websites that contain a “substantial portion” of material deemed inappropriate for minors must verify the age of their users. While similar laws are being discussed or introduced in other parts of the United States, Utah’s approach stands out for how it handles users attempting to bypass restrictions.
Under the new rules, a user is considered to be accessing a website from Utah if they are physically located in the state, even if they are using a VPN to mask their location. In addition, affected websites are prohibited from offering guidance on how users might use VPNs to get around these checks.
The move comes at a time when age verification is becoming a major topic nationwide. For example, California is preparing to implement a law next year requiring operating systems to verify user age during account setup. There are also ongoing discussions about introducing similar requirements at the federal level.
Concerns From Experts and Industry
The Utah law has raised concerns among privacy advocates and technology companies. One of the key issues is the technical challenge of accurately determining a user’s real location when VPNs are involved. By design, VPNs are meant to hide a user’s identity and location, making enforcement difficult.
Some industry representatives argue that reliably identifying VPN users in Utah could be nearly impossible. They warn that the law may place an unfair burden on websites, potentially exposing them to legal risks even when users deliberately try to bypass restrictions.
Privacy groups have also voiced criticism. They suggest that the law could force websites into difficult choices - either blocking all VPN traffic or requiring age verification from every user worldwide. Such measures, they say, could lead to more invasive data collection practices or limit access for users who rely on VPNs for legitimate privacy reasons.
Broader Privacy Implications
Although the Utah law does not ban VPNs, it adds a new layer of complexity for both users and online platforms. Critics argue that it could set a precedent for stricter regulations in the future, raising questions about digital privacy and data protection.
As more states and lawmakers explore age verification policies, the balance between protecting minors and preserving user privacy is likely to remain a central issue. Utah’s approach may serve as an early test case for how such laws function in practice, and how they are received by the public and the tech industry.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular