Utah's new law regulating VPN providers takes effect next week, and the companies being regulated still don't know what they're supposed to do.
Welcome to tech policy in 2026.
The law, part of Utah's broader push to restrict minors' access to certain online content, requires VPN providers to verify users' ages and block underage residents from accessing age-restricted sites. Sounds straightforward until you try to implement it.
The Electronic Frontier Foundation has been sounding the alarm for weeks: the law is vague on enforcement mechanisms, unclear about liability, silent on technical implementation, and probably unconstitutional. But those are just the legal problems. The practical problems are worse.
How does a VPN provider verify someone is from Utah? VPNs exist specifically to obscure location. Asking users to volunteer that they're subject to regulation is like asking tax evaders to self-report income.
How do you verify ages without collecting identifying information that defeats the entire purpose of using a VPN? Privacy-focused services built their brands on not knowing who their users are. Now Utah wants them to not only identify users but verify ages and locations.
And what exactly constitutes "blocking" access? If a Utah teenager uses a VPN to appear to be in California to access content blocked in Utah, has the VPN provider violated the law? What if they're using the VPN from Nevada? What if they're actually 19 but the age verification system gets it wrong?
Nobody knows, because the law doesn't say.
The VPN industry's response has been predictably chaotic. Some providers are geoblocking Utah entirely - if you can't comply with an unworkable law, don't do business there. Others are implementing age verification gates that anyone with basic technical knowledge can bypass. A few are ignoring it and daring the state to enforce.
Meanwhile, Utah teenagers with any technical sophistication are simply switching to VPN providers based in countries that don't recognize Utah jurisdiction. The law is already failing at its stated goal, and it hasn't even taken effect yet.
This is what happens when legislators try to regulate technology they don't understand, solving problems they haven't defined, using mechanisms that don't exist.
The Reddit tech community has been having a field day with this, generating over 600 upvotes and dozens of comments explaining exactly how to circumvent the law. One popular comment: "Congratulations to Utah teens on learning about Tor."
I'm sympathetic to the underlying concern - yes, kids have unfettered access to content that's probably not great for them. But the solution isn't to ban or regulate the tools adults use for legitimate privacy protection. It's to give parents better controls, educate kids about online risks, and hold platforms accountable when they actively exploit minors.
Instead, Utah has created a surveillance framework that won't achieve its goals, will push users to less safe alternatives, and sets a precedent for states trying to control what residents can access online.
Oh, and it probably violates the First Amendment. That too.
The law takes effect in one week. Implementation guidance? Still pending. Enforcement mechanisms? Unclear. Constitutional challenges? Probably incoming.
The technology is impressive. The question is whether Utah lawmakers understand any of it.
