
Utah SB 73: You Are Now Liable for Users' VPNs

Utah SB 73 holds operators liable when users bypass age gates with VPNs. An IP blocklist cannot keep pace. Behavioural detection is what works.

May 05, 2026 12 min read
Mike Kutlu

On May 6, 2026, Utah became the first US state to hold website operators directly responsible when users use a VPN or proxy to bypass age verification. Senate Bill 73 does not target VPN providers. It targets you, the operator, and it does not accept "they used a VPN" as a defence.

The response from the privacy and security community was immediate. NordVPN called the law "an unresolvable compliance paradox." TechRadar, reporting on digital rights experts' reaction, described it as "a technical whack-a-mole that likely no company can win." Both are describing the same problem: traditional VPN detection does not work well enough to satisfy a per-violation liability standard.

Utah is not an outlier. It is the leading edge of a global regulatory trend. Over 25 US states have enacted age-verification laws for online content. The UK's Online Safety Act has been enforcing age checks since July 2025. Australia banned under-16s from social media in December 2025. The direction is consistent: legislators are moving from "build a gate" to "the gate must actually work, even when users try to bypass it."

This is what cside's VPN detection was built for.

What Utah SB 73 actually requires


This information is drawn from the enrolled text of Utah SB 73 published by the Utah State Legislature, and the official bill status page maintained by the Office of Legislative Research and General Counsel.

Utah SB 73 amends the state's existing age-verification requirements for sites with a "substantial portion of material harmful to minors." The law introduces two provisions that change the compliance calculus entirely.

The deemed-location rule

A user physically inside Utah is legally a Utah user, regardless of what IP address their device presents. If they route traffic through a VPN exit node in Germany, they are still a Utah user. If they use a residential proxy in California, they are still a Utah user.

That single rule shifts the compliance problem. Previously, the question was whether you had an age gate. Now the question is whether your age gate works against users who are actively trying to defeat it.

The anti-instruction provision

The law also prohibits operators from sharing instructions that would help users bypass the age gate. Publishing a help article that mentions VPNs in the context of access control is now a separate liability risk. This includes:

  • FAQ pages that explain how VPNs work in the context of your site
  • Support documentation that references VPN workarounds
  • Community forums hosted on your domain where bypass methods are discussed

How Utah compares to other state laws

| | Utah | Texas | Florida | Louisiana | Indiana | Wisconsin |
|---|---|---|---|---|---|---|
| Law | SB 73 (May 2026) | HB 1181 (upheld June 2025) | HB3 (enforced Nov 2025) | Act 440 | AG action (2025-26) | AB 105 |
| Core requirement | Age-gate harmful content; detect VPN bypass | Age-verify users on adult content sites | Age-gate minors; restrict under-14 accounts | Age-verify; prevent VPN access | Age-verify adult content | Block VPN IP addresses explicitly |
| VPN liability | Operator liable for bypassed access | Operator liable for failing to verify | Operator liable for access by minors | Parents can sue for VPN-bypassed access | State suing sites accessible via VPN | Operator must block known VPN IPs |
| Penalty | Per-violation civil liability | Up to $10,000/day non-compliance | Up to $50,000 per violation | Civil damages + attorney fees | 50+ sites targeted | Under legislative review |

Texas and Florida create liability for sites that fail to age-gate. Utah creates liability for sites whose age gates are bypassed, including through tools the user controls. That is a materially different compliance standard.

The pattern is clear: every age law triggers a VPN surge

Every time an age-verification law takes effect, VPN demand in that jurisdiction spikes by three- to four-digit percentages. This is not speculation. It is documented across every major enforcement event.

| Jurisdiction | Date | VPN demand spike | Catalyst |
|---|---|---|---|
| Utah | May 2023 | +967% | Pornhub blocks Utah users |
| Texas | 2024 | +234.8% | Age restriction laws take effect |
| Florida | January 2025 | +1,150% (within 4 hours) | HB3 takes effect; Pornhub blocks Florida |
| UK | July 2025 | +1,400% (Proton VPN); +1,000% (NordVPN) | Online Safety Act enforcement begins |

Sources: vpnMentor, Tom's Hardware, TechRadar

When Florida's HB3 took effect on January 1, 2025, VPN usage surged 1,150% within four hours. In the UK, Proton VPN saw a 1,400% spike in hourly signups the day the Online Safety Act started enforcing age checks, later sustaining at +1,800% for several days. Proton VPN temporarily surpassed ChatGPT as the most downloaded free app on Apple's UK App Store.

Utah operators should expect the same pattern. The users most motivated to bypass your age gate are also the ones most likely to use a VPN to do it. Under SB 73, that bypass is now your liability, not theirs.

Why an IP blocklist cannot solve this


A static blocklist of known VPN exit nodes was barely adequate when VPN use was a niche behaviour. It is not adequate now.

  • The scale problem: The VPN industry is enormous. Over 1.75 billion people use VPNs globally. The market is valued at over $70 billion and projected to reach $330 billion by 2034. Major providers rotate millions of IP addresses across thousands of exit nodes daily. No blocklist can keep pace with this volume of IP churn.

  • The residential proxy problem: Residential proxy networks are harder still. They route traffic through IP addresses assigned to real household broadband connections. These IPs never appear on any VPN blocklist because they are legitimate consumer addresses. By IP address alone, a residential proxy session is indistinguishable from a real user on their home broadband.

  • Why this matters for Utah SB 73: The technical critique from NordVPN and the EFF is correct in one narrow sense: you cannot win a blocklist war against the VPN industry. What they are describing, however, is not a paradox. It is a limitation of one specific detection method. The answer is to stop fighting it on IP addresses entirely and move to behavioural detection.

The growing wave of age-verification laws

Utah SB 73 did not emerge in isolation. It is part of an accelerating global trend toward holding operators responsible for who accesses their content.

| Jurisdiction | Law / regulation | Status | Penalty |
|---|---|---|---|
| US (25+ states) | Various (TX HB 1181, FL HB3, UT SB 73, etc.) | Enforcing; Supreme Court upheld constitutionality June 2025 | Up to $50,000 per violation (varies by state) |
| UK | Online Safety Act | Enforcing since July 2025; 90+ investigations opened | Up to 10% of global turnover or GBP 18M |
| Australia | Social media under-16 ban | Effective December 2025 | Fines on platforms |
| Malaysia | Social media under-16 ban with eKYC | Effective January 2026 | Fines on platforms |
| France | Social media age verification | Planned for September 2026 | Under development |
| EU | Digital Services Act | In effect; age-appropriate design provisions | Up to 6% of global turnover |
| Brazil | Social media age verification | Passed late 2025 | Fines on platforms |

United States

  • June 2025: Supreme Court upholds Texas HB 1181 in Free Speech Coalition, Inc. v. Paxton (6-3), confirming age-verification mandates are constitutionally permissible
  • November 2025: Eleventh Circuit lifts injunction on Florida HB3, allowing full enforcement
  • January 2026: Indiana sues Aylo (Pornhub's parent) specifically because its sites remain accessible via VPN despite being "blocked"
  • May 2026: Utah SB 73 takes effect, creating VPN-specific operator liability

At least 25 US states now have age-verification laws on the books. The trend line is unmistakable: legislators watched users route around age gates with VPNs and responded by making that bypass the operator's problem.

United Kingdom

  • July 2025: Online Safety Act begins enforcing age checks. Ofcom opens 90+ investigations.
  • October 2025: Pornhub reports UK visitors down 77% since age checks started
  • January 2026: House of Lords votes 207-159 to ban VPN services for anyone under 18
  • February 2026: Pornhub's parent company Aylo shuts off access to new UK users entirely

Ofcom has issued fines totalling over GBP 1.8 million, with maximum penalties reaching 10% of global annual turnover or GBP 18 million. The UK is now moving beyond age-gating content to restricting the tools used to bypass age gates.

The message is converging globally: if your platform serves content that should not reach minors, detecting and managing VPN traffic is your responsibility, not the user's.

How to detect VPNs to stay compliant with Utah SB 73

If you operate age-gated content accessible to Utah users, SB 73 requires more than a checkbox compliance approach. Here is what an effective detection and response programme looks like.

Step 1: Audit your current detection

Start by answering four questions:

  • Does your age-verification flow check IP against a blocklist, or does it analyse session behaviour?
  • Are you logging VPN detections in a format that creates a compliance audit trail?
  • If a user bypasses your gate through a residential proxy, does your system detect it?
  • Does any content on your site explain how to use VPNs to access your platform?

If you rely on an IP blocklist alone, residential proxies and newly launched VPN services will pass through undetected. That is the gap SB 73 is designed to penalise.

Step 2: Move beyond IP blocklists to a specialised VPN detection tool

A static blocklist checks IP addresses against a known list. A specialised VPN detection tool analyses how a user accesses your site, examining:

  • Network-level signals: routing path characteristics, latency patterns, and the relationship between stated and actual device attributes
  • Session behaviour: timing patterns, device fingerprint consistency, and request sequences that differ from organic user traffic
  • Residential proxy markers: the asymmetries that come from relayed traffic, even when the IP address belongs to a real household

This approach detects VPN and proxy usage from services not yet catalogued in any blocklist, which is the critical capability Utah SB 73 demands.
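A sketch of how several weak session signals can be combined into one confidence value, so that a relayed session is flagged even when its IP is on no list. This is an added example, not cside's code: the field names, weights and the 80 ms threshold are assumptions, and the two sample sessions are constructed.

```python
from dataclasses import dataclass

@dataclass
class SessionSignals:
    ip_on_blocklist: bool   # static-list hit (the only signal a blocklist has)
    tcp_rtt_ms: float       # handshake RTT seen by the server, i.e. to the last hop
    app_rtt_ms: float       # round trip measured end to end through the browser
    ip_tz_offset_min: int   # UTC offset implied by IP geolocation
    browser_tz_offset_min: int  # UTC offset the browser itself reports
    fingerprint_changed: bool   # device fingerprint shifted mid-session

# Illustrative values only (assumptions); calibrate against your own traffic.
RTT_GAP_MS = 80
WEIGHTS = {"blocklist": 0.6, "rtt_gap": 0.4, "tz_mismatch": 0.25, "fingerprint": 0.2}

def evaluate(s: SessionSignals):
    """Return (confidence in 0..1, names of the signals that fired)."""
    fired = []
    if s.ip_on_blocklist:
        fired.append("blocklist")
    # A relay terminates TCP near the server while the real client is further
    # away, so the end-to-end round trip is much longer than the handshake RTT.
    if s.app_rtt_ms - s.tcp_rtt_ms > RTT_GAP_MS:
        fired.append("rtt_gap")
    # Stated vs. actual attributes: the IP says one region, the device another.
    if s.ip_tz_offset_min != s.browser_tz_offset_min:
        fired.append("tz_mismatch")
    if s.fingerprint_changed:
        fired.append("fingerprint")
    # Treat signals as independent evidence: confidence = 1 - prod(1 - weight).
    miss = 1.0
    for name in fired:
        miss *= 1.0 - WEIGHTS[name]
    return round(1.0 - miss, 3), fired

# Constructed sessions (not real traffic). Neither IP is on a blocklist.
RESIDENTIAL_PROXY = SessionSignals(False, 12.0, 140.0, -420, -360, False)
HOME_BROADBAND = SessionSignals(False, 30.0, 38.0, -360, -360, False)
```

The constructed proxy session scores 0.55 from the latency gap and timezone mismatch alone, while the home broadband session scores 0.0.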

Step 3: Build a compliance audit trail

Utah SB 73, like Texas HB 1181, creates per-violation risk. Operators who can demonstrate a good-faith detection-and-response programme are in a materially different position than operators who cannot. Log every VPN detection with:

  • Timestamp and session identifier
  • Detection method and confidence signal
  • Response action taken (block, step-up verification, or log-only)
  • Jurisdiction determination
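One way to produce such a record, as an added example that is not taken from the bill or from cside: it picks the response action from a hypothetical per-jurisdiction policy and writes the four fields listed above. It goes one step beyond the list by hash-chaining records so that later edits to the log are detectable; the policy table, thresholds and field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Hypothetical policy: (jurisdiction, content type) -> ordered (min confidence, action).
# "unknown" is treated like Utah because a relayed session hides the real location.
STRICT = [(0.8, "block"), (0.4, "step_up")]
POLICY = {
    ("US-UT", "age_gated"): STRICT,
    ("unknown", "age_gated"): STRICT,
    ("*", "age_gated"): [(0.8, "step_up")],
}

def choose_action(jurisdiction, content_type, confidence):
    """Return block, step_up or log_only for this detection."""
    rules = POLICY.get((jurisdiction, content_type)) or POLICY.get(("*", content_type), [])
    for threshold, action in rules:
        if confidence >= threshold:
            return action
    return "log_only"

def digest(fields):
    """SHA-256 over a canonical JSON encoding of the record fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def audit_record(prev_hash, session_id, method, confidence, jurisdiction, content_type, now=None):
    """Build one audit entry linked to the previous entry's hash."""
    record = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "session_id": session_id,
        "detection_method": method,
        "confidence": confidence,
        "jurisdiction": jurisdiction,
        "action": choose_action(jurisdiction, content_type, confidence),
        "prev_hash": prev_hash,
    }
    record["hash"] = digest(record)
    return record

def verify_chain(records):
    """True only if every record is unmodified and linked in order."""
    prev = GENESIS
    for r in records:
        fields = {k: v for k, v in r.items() if k != "hash"}
        if r["prev_hash"] != prev or r["hash"] != digest(fields):
            return False
        prev = r["hash"]
    return True
```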

Step 4: Remove bypass instructions from your site

If any content on your domain explains how to use a VPN to access your platform, remove it. This includes help articles, FAQ pages, and community forum posts. Utah SB 73 explicitly prohibits operators from publishing guidance that facilitates bypass.

How cside helps you detect VPNs


cside's VPN detection identifies VPN and proxy traffic across both known commercial services and previously uncatalogued residential proxies using behavioural analysis, not static IP lists.

When a detection fires, operators can route it to a response (2FA, a screen that says "we detected you are using a VPN") or simply log the detection for audit purposes. All modes are configurable per content type, jurisdiction, or risk threshold.

  • Stay compliant with age restriction laws: Age-verification laws in 25+ US states, the UK, and a growing list of countries create operator liability when minors access restricted content. cside detects VPN traffic that bypasses age gates, including residential proxy traffic that never appears on any blocklist. Operators can demonstrate a good-faith compliance programme with detection logs and automated response actions.

  • Catch fraudulent access: VPNs and proxies are core tools in account fraud, payment fraud, and credential-stuffing attacks. Fraudsters use VPNs to mask their location when accessing stolen accounts or making fraudulent purchases. cside's behavioural detection flags these sessions before damage is done, regardless of the VPN service used.

  • Catch malicious scraping, account sharing, and account takeover: Scraping operations, account-sharing services, and account takeover attacks all rely on VPNs and residential proxies to avoid detection. cside identifies the behavioural signatures of each pattern, from high-frequency rotating-proxy requests to location-inconsistent login attempts that deviate from established user patterns.

What operators should do now


The compliance window is narrowing. Utah SB 73 is in effect. More than 25 other US states have similar laws in place or advancing. The UK is actively fining non-compliant operators. Here is a prioritised action list:

  • This week: Audit your current VPN detection. Does it catch residential proxies? If the answer is no, you have a gap that SB 73 penalises.
  • This week: Search your site for any content that explains VPN access workarounds. Remove it.
  • This month: Implement behavioural VPN detection that works against unknown VPN services, not just catalogued exit nodes.
  • This month: Configure your detection to build a compliance audit trail: timestamps, detection signals, response actions, jurisdiction.
  • Ongoing: Monitor new state laws and enforcement actions. The legislative trend is toward stricter liability, not less.

See how cside's VPN detection works or book a demo to see it against your traffic.

Mike Kutlu

Client-side security consultant at cside. 10+ years of experience implementing technology solutions for enterprises (previously at Oracle, Cloudflare, and Splunk). Now helping teams use client-side intelligence to catch & reduce fraud.


Frequently Asked Questions

Utah Senate Bill 73 is a 2026 law that amends the state's online age-verification requirements. It holds website operators liable when users physically located in Utah access age-gated content through a VPN or proxy. The user's IP address does not matter; physical location in Utah makes the operator responsible regardless of how the user routes their traffic. The law took effect on May 6, 2026.

NordVPN and other critics use that phrase because VPN tools are specifically designed to make users undetectable by IP address. A static blocklist of known VPN exit nodes cannot keep pace with providers who rotate millions of IPs. The law is not paradoxical if you detect VPNs through behaviour rather than IP catalogues, but it cannot be solved with a blocklist alone.

Texas and Florida create liability for operators who fail to implement age verification. Utah creates an additional liability layer: if a user bypasses your age gate using a VPN, you are still responsible. It is the difference between requiring a lock on a door and requiring that the lock actually keep people out.

Options depend on your risk posture. You can block access entirely for detected VPN sessions. You can require step-up verification before granting access. Or you can log the detection and permit access while building a compliance audit trail. cside supports all three response modes and allows operators to configure them per content type or jurisdiction.

Yes. Residential proxy traffic routes through real consumer IP addresses that never appear on VPN blocklists. cside's behavioural approach detects the session-level characteristics of proxied traffic regardless of the IP address assigned to it, which is how it covers both commercial VPN exit nodes and residential proxy services.

At least 25 US states have enacted age-verification laws targeting online content harmful to minors as of May 2026. The Supreme Court's June 2025 ruling upholding Texas HB 1181 confirmed that these mandates are constitutionally permissible, accelerating adoption. The UK, Australia, Malaysia, France, and Brazil have also enacted or are advancing similar requirements.
