All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
As of May 6, a new Utah law is the first in the U.S. to hold websites accountable if someone uses a VPN to bypass age verification methods. It was challenged in court the same day it went into effect. The state agreed to pause enforcement of the VPN-specific provisions until September while the lawsuit plays out. The precedent, though, is already set — and extends far past the state’s borders.
Utah's age verification law, formally Senate Bill 73, was signed by Gov. Spencer Cox on March 19, 2026, and requires any website hosting a "substantial portion of material harmful to minors" to enforce age gates on Utah-based users. Websites that fail to comply face fines starting at $2,500 per violation.[1] That creates a problem no compliance team has a clean answer for, and privacy advocates are not quiet about it.
The decision matters for a lot of people. According to AAC's age verification survey data, 79% of Americans say they are worried that submitting personal information to comply with age verification puts their data at risk.
SB 73 makes one thing legally clear: your physical location is what counts, not your IP address.
Under the law, a user is considered to be accessing a website from Utah if they are physically located there, no matter what their connection looks like from the outside. A VPN, proxy, or Tor exit node does not change that status. Covered websites are required to treat that user as a Utah resident and enforce age verification accordingly — and aren’t allowed to publish any instructions on how users can use a VPN to bypass age checks.
The Electronic Frontier Foundation published a detailed analysis of the law the day it took effect, calling it "a technical whack-a-mole" and raising serious First Amendment concerns. Preventing platforms from sharing truthful, factual information about a legal privacy tool, the EFF argues, is on shaky constitutional ground.
Enforcement falls to Utah's Division of Consumer Protection, which is authorized to use AI-based detection tools to identify violations. First offenses carry a $2,500 fine. Repeat offenses jump to $5,000. The full enrolled text of SB 73 is publicly available.
The law barely made it to its effective date before a legal challenge landed. According to the Salt Lake Tribune, at least one adult content provider sued the state on May 6, arguing the VPN provision would require the company to enforce age verification for customers everywhere in the world, not just Utah. The state agreed not to enforce the VPN-specific provisions until September while the case runs its course.
Here is where the law gets complicated for everyone, not just the sites it targets.
There is no reliable way to detect every VPN user. That is not a technical gap a compliance tool can close. VPN providers have built detection-evasion into their products precisely because detection is the threat.
NordVPN has described the situation as an "unresolvable compliance paradox" in a quote to TechRadar. Websites can't guarantee detection, yet the law holds them liable when they fail to catch someone.
The practical responses available to websites are not good for ordinary users:
Each of those outcomes lands on people who have done nothing wrong. The law effectively forces websites to choose between user privacy and legal compliance, with no clean path to both.
Utah is the first state to pass this kind of law. It may not be the last — and it also wasn’t the first to try it.
In March 2025, Wisconsin advanced bills that initially included a full VPN ban provision similar to Utah's. Then the backlash hit. Digital rights advocates and residents pushed back hard enough that Wisconsin lawmakers removed the VPN provision entirely from their age verification legislation in February 2026. The revised bill is now awaiting the governor's signature.
Michigan has filed a bill that would go further still, requiring internet service providers to monitor and block VPN connections outright. It has not been scheduled for a hearing.
The takeaway is not that these anti-privacy laws are inevitable. Utah's approach is already drawing First Amendment scrutiny, and Michigan has already stepped back from the most aggressive provisions when public pressure mounted. What happens to SB 73 in court will matter a great deal to every other state legislature watching.
A VPN isn't just about encrypting your traffic anymore. What matters now is whether it can hide the fact that you're using a VPN at all.
Obfuscated VPN protocols are built to solve this problem. Where a standard VPN connection has recognizable traffic patterns that detection tools can flag, an obfuscated protocol disguises that traffic to look like ordinary HTTPS web browsing. The detection system sees nothing worth blocking. The user keeps their connection.
Most major VPN providers now offer some form of obfuscation, but implementation varies significantly. Proton VPN's Stealth protocol is one of the strongest examples: it wraps WireGuard traffic inside TLS, the same encryption layer used by standard web traffic, making it effectively indistinguishable from a normal browsing session to any system scanning for VPN signatures.
Privacy-focused open-source software that comes with free encrypted email account
VPN Accelerator tech improves speeds by up to 400%
Stream from anywhere with 11,300+ high-speed servers, plus block ads and trackers
For a broader comparison of VPN options with strong obfuscation capabilities, our best VPNs guide covers the full field.
Utah's age verification law is not a niche regulatory story about adult content sites. It is the first law in the country to make your use of a routine privacy tool a legal liability for the websites you visit.
The compliance pressure the law creates, and the subsequent technical responses websites will use to meet it, could affect any VPN user, regardless of what they are using a VPN for. That includes a large share of people who are not yet using a VPN at all.
According to AAC's VPN usage survey, 61% of Americans currently lack VPN protection, suggesting the landscape is shifting beneath users who may not yet realize it.
If your VPN doesn't have obfuscation, it's time to upgrade. You need a tool that hides the fact that you're using a VPN, not just your location.
Privacy-focused open-source software that comes with free encrypted email account
VPN Accelerator tech improves speeds by up to 400%
Stream from anywhere with 11,300+ high-speed servers, plus block ads and trackers
/images/2023/06/09/aura-review.png)
/images/2023/06/01/incogni-review.png)
/images/2026/05/13/national_health_service_logo_on_blue_background.jpg){kind=logo}
/images/2026/05/12/hacker_in_data_security_concept._hacker_using_laptop._hacking_the_inte_q9rPpHH.jpg)
/images/2026/05/08/new-utah-age-verification-law-header.png)
/images/2026/05/05/surveillance-pricing.png)
/images/2026/05/04/uk-age-verification.png)
/images/2026/01/21/privacyhawk_review.jpg)
/authors/kate-quinlan-new.jpg){kind=small}
/authors/kalleigh-lane-new.jpg){kind=small}
/images/2022/10/20/vpn-logowordmark-black-purple-transparent-bg.png)
/authors/kate-quinlan-new.jpg)