Utah’s SB 73: The "Unresolvable Paradox" of Legislating VPN Compliance

Critical Litigation Update

On May 7, 2026, a joint stipulation was filed in the Aylo v. Utah case, delaying the enforcement of SB 73's VPN and age verification mandates until September 2026. This stay provides a temporary window for platforms to address the technical requirements of the law.

Utah's Online Age Verification Amendments, formally Senate Bill 73, were slated to take effect on May 6, 2026. However, following a significant legal challenge filed by Aylo (Free Speech Coalition), a joint stipulation has delayed enforcement. The law remains the first in the U.S. to explicitly target VPN use as part of age verification legislation. Codified in Utah Code § 78B-3-1002, it establishes that a user is considered to be accessing a website from Utah if they are physically located there, "regardless of whether the individual is using a virtual private network, proxy server, or other means to disguise or misrepresent the individual's geographic location."

Aylo v. Utah Complaint Joint Stipulation (Stay) Base Statute (§ 78B-3-1002) View SB 73 Text

The mandate applies to any commercial entity that publishes a "substantial portion" of material harmful to minors—defined in Section 78B-3-1001(12) as more than 33-1/3% of total content. Under Section 78B-3-1002(1)(b), there is a rebuttable presumption that a website meets this threshold if it markets or brands itself as primarily providing such material. Furthermore, Section 78B-3-1002(4) prohibits covered websites from facilitating or encouraging the use of a VPN to circumvent age verification, specifically banning the provision of instructions on how to use such tools for bypass purposes.

Crucially, the law provides a "Safe Harbor" under Section 78B-3-1006. A commercial entity is deemed in compliance if it uses an age verification method that meets standards established by the Division of Consumer Protection. This includes verification through independent, third-party services that use commercially reasonable methods to verify age and identity.

The Compliance Gap

The Electronic Frontier Foundation (EFF) warned that the legal risk could push sites to either ban all known VPN IPs or mandate age verification for every visitor globally.

The Technical Impossibility of IP-Only Detection

The law is technically flawed because it assumes a web provider can reliably detect VPN traffic and determine a user’s true physical location based on an IP address. They can’t.

IP Reputation Limits: Databases like MaxMind and IP2Proxy can flag known datacenter ranges, but commercial VPNs rotate addresses constantly.
Residential Endpoints: Residential VPN services route traffic through standard home connections, making them indistinguishable from legitimate users.
Personal Tunnels: A WireGuard instance on a cloud VPS routes through the same infrastructure as ordinary web hosting, evading standard ASN analysis.

The Global Landscape

Utah isn’t alone in trying to legislate the impossible. In the UK, the House of Lords voted to ban VPN services for under 18s. VPN use jumped by more than 1,400% on the first day of UK age verification enforcement last July. Meanwhile, France’s digital affairs minister, Anne Le Hénanff, has said that VPNs are “next on my list.”

To date, the only countries that have made progress in blocking VPN traffic with some success are authoritarian regimes with ISP-level surveillance and Deep Packet Inspection (DPI).

How Peabody Bridges the Gap

Peabody Compliance provides the "Software Packages" required to solve the VPN paradox. Instead of relying on spoofable IP signals, our technology stack verifies the physical device environment.

Multi-Signal Triangulation

We combine WiFi, Cell BSSID, and high-precision GPS signals to confirm physical location. A VPN may change your IP, but it cannot move your device's proximity to local cell towers and WiFi access points.

OS-Level Integrity Checks

Our Desktop Agents (Mac/Windows) and Mobile SDKs (iOS/Android) perform hardware attestation to detect system-wide VPN tunnels and "Mock Location" apps at the kernel level.

Passive Verification

Solve the "liability trap" without banning legitimate VPN users. Verify only the physical location without requiring users to disable their privacy tools.

Signed Audit Trails

Provide regulators with a cryptographically signed proof-of-presence, demonstrating that your platform has taken "reasonable steps" that exceed IP-based compliance.

Conclusion: Moving Beyond the IP Address

The Utah law is a wakeup call for digital platforms. The era of "good enough" geolocation is ending. To survive the "liability trap" of SB 73 and similar global legislation, companies must adopt hardware-backed integrity checks that prioritize physical reality over network metadata.

Are you ready for September 2026?

Don't get caught in the Utah compliance paradox. Secure your platform with Peabody’s device integrity suite.

Explore Our Solutions