Navigating Utah's SB 73: A Compliance Guide for Websites Facing VPN Liability

Introduction

Utah's Online Age Verification Amendments (Senate Bill 73) take effect on May 6, making the state the first to hold websites directly liable when users bypass age checks using VPNs or similar location-masking tools. If your site serves content that requires age verification (such as adult material, alcohol sales, or social media for minors), you need a robust strategy to comply. This guide walks you through the essential steps to avoid penalties, protect minors, and stay ahead of enforcement. Each step includes actionable details; prerequisites are listed first and tips come at the end.

Source: www.tomshardware.com

What You Need

  • Legal counsel familiar with Utah's digital privacy laws
  • Current age verification system (e.g., ID submission, credit card check, or age estimation API)
  • VPN detection tools (list of known VPN IP ranges, behavior analysis, or third-party services)
  • Geolocation API that uses multiple signals (IP, GPS, Wi-Fi triangulation)
  • Logging system for compliance audit trails
  • Content management system (CMS) access to implement code changes
  • Testing environment with VPN clients for validation

Step-by-Step Compliance Process

Step 1: Understand the Law's Scope

SB 73 requires any website that conducts business in Utah or targets Utah residents to verify the age of users accessing age-restricted content. The key twist: you are liable if a user uses a VPN or proxy to hide their true location and thereby circumvents your age gate. Read the full text, or go through a summary with your attorney. Focus on the definitions of age-restricted (materials harmful to minors, gambling, alcohol) and liable (fines up to $10,000 per violation).

Step 2: Audit Your Current Verification System

Map out your existing user flow: How do you check age? If you rely solely on IP geolocation, that's now risky. Audit for gaps—for example, a user in Utah appears to be from a different state because they use a VPN. Note any content that's age-gated but could be reached via direct links or sharing. Create a list of all entry points.

Step 3: Implement VPN Detection

You must identify users masking their location. Options include:

  • IP reputation databases (e.g., MaxMind, ipapi) that flag VPN and proxy addresses.
  • Behavioral analysis – users connecting from a different city than in their profile? Flag for extra checks.
  • WebRTC leak detection – some VPNs expose real IPs.
  • Third-party API (like IPQualityScore or ProxyCheck) that returns a VPN/proxy score.

When a user is flagged, don't just block them; redirect to an alternative verification method (Step 4).

Step 4: Use Multi-Factor Location Verification

Even if a VPN is detected, you must still attempt to determine the true location. Combine methods:

  • Geolocation API via browser (requires user permission) – use HTML5 geolocation or Wi-Fi positioning.
  • Credit card billing address – for purchases, compare billing ZIP code with claimed location.
  • Phone area code from SMS verification.
  • Biometric age estimation (like Yoti) that scans face to approximate age without storing images.

If you can confirm the user is not in Utah, you may allow access. But if the system is uncertain, treat them as Utah-based and run age verification.

Step 5: Strengthen Age Verification

Once you know a user is likely from Utah (or can't rule it out), verify age rigorously. Acceptable methods per SB 73 include:

  • Government ID scan (must discard data after verification).
  • Credit card transaction (proves age 18+ via bank check).
  • Digital ID like mobile driver’s license (Utah supports this).
  • Knowledge-based authentication (questions from public records) – less reliable but usable.

Ensure your system doesn't store more data than necessary; otherwise you risk privacy complaints.
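
The decision flow of Steps 3 through 5, written out as an added example that is not part of the original guide or of any vendor's product. The field names, the `MIN_CONFIRMING` threshold and the sample cases are assumptions constructed for illustration; region codes are assumed to come from whatever lookup services you already use.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

UTAH = "UT"
MIN_CONFIRMING = 2  # assumed policy threshold, not a figure from SB 73


@dataclass
class Signals:
    """Region codes already resolved by your lookup services (hypothetical fields)."""
    ip_region: Optional[str]               # from IP geolocation
    ip_is_anonymizer: bool                 # VPN/proxy flag from Step 3
    browser_region: Optional[str] = None   # browser geolocation; None if denied
    billing_region: Optional[str] = None   # from billing ZIP code
    phone_region: Optional[str] = None     # from SMS-verified area code


def location_decision(s: Signals) -> Tuple[str, str]:
    """Return (action, reason); action is 'allow' or 'verify_age'."""
    independent = [r for r in (s.browser_region, s.billing_region, s.phone_region)
                   if r is not None]
    usable = list(independent)
    # A flagged IP only locates the VPN exit node, so it is not evidence.
    if not s.ip_is_anonymizer and s.ip_region is not None:
        usable.append(s.ip_region)

    if UTAH in usable:
        return "verify_age", "a usable signal places the user in Utah"
    if s.ip_is_anonymizer:
        if len(independent) >= MIN_CONFIRMING:
            return "allow", "anonymizer, but independent signals are all non-Utah"
        return "verify_age", "anonymizer and location not confirmed"
    if not usable:
        return "verify_age", "no usable location signal"
    return "allow", "no anonymizer flag and every signal is non-Utah"


# Constructed sample cases, not real traffic.
SAMPLES = {
    "vpn_no_other_signal": Signals("CA", True),
    "vpn_two_non_utah": Signals("CA", True, "NV", "NV"),
    "vpn_billing_in_utah": Signals("CA", True, "NV", "UT"),
    "plain_utah_ip": Signals("UT", False),
    "plain_colorado_ip": Signals("CO", False),
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        print(name, *location_decision(sig))
```

Every uncertain branch returns `verify_age`, which matches the rule in Step 4; log the returned reason string so the audit trail in Step 7 shows why each user was or was not sent to the age check.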

Step 6: Update Your Terms & User Notifications

Add a clear policy explaining how you detect and handle VPN users. Use pop-up or banner language: "Utah law requires us to verify your age. If you use a VPN, we may ask for additional verification." This educates users and sets expectations. Also update your privacy policy to describe the data you collect for compliance.

Step 7: Document Compliance Efforts

SB 73 includes a defense if you can prove you made reasonable efforts to verify age and detect VPNs. Keep logs of:

  • System updates (e.g., VPN list refreshes).
  • Audit trails of verification attempts.
  • User complaints and responses.
  • Third-party service agreements.

Use a compliance dashboard or exported reports.

Step 8: Test and Monitor Continuously

Set up a testing environment with popular VPNs (ExpressVPN, NordVPN, etc.) and try to access your age-gated content from simulated Utah IPs. Check if your system flags correctly. Monitor false positives (e.g., corporate VPNs used by legit Utah residents). Adjust thresholds. Monthly reviews are recommended as VPN providers change IPs frequently.

Tips for Success

  • Don't overblock. Users who use a VPN for privacy (not to bypass age checks) may get frustrated. Offer a clear alternative (e.g., ID upload) rather than a flat ban.
  • Partner with age verification specialists. Companies like AgeChecker, Veriff, and Jumio offer out-of-the-box solutions that include VPN detection.
  • Stay updated on other states. Several are considering similar laws. Build a flexible system that can adapt.
  • Consult an attorney before launching changes; exemptions may apply (e.g., for news sites or platforms that don't knowingly host harmful material).
  • User privacy first: Minimize data collection; delete verification data after use.
  • Communicate with users via blog posts or FAQs about why you're asking for more info.

Utah's SB 73 is a test case for the nation. By following these steps, your website can comply with the law while respecting user experience and privacy. Start your audit today—May 6 is closer than you think.
