Michigan and Wisconsin Proposed Age Verification Bills and the Impact on VPNs and SASE: What You Need to Know

Executive Summary:

A number of states have expanded age-verification requirements for adult websites, and Wisconsin and Michigan have introduced bills that go further by targeting VPNs, SASE, and other encrypted tunnels as potential circumvention methods. Neither proposal is law, and both are early in the legislative process, but they signal where the discussion is heading.

Wisconsin’s approach would require sites hosting adult content to block access when a user is on a VPN, regardless of age verification. Because the bill relies on broad definitions of what qualifies as“harmful to minors,” some websites or filtering vendors may choose a risk-averse approach and extend blocks to non-adult categories such as social media, major news outlets, or health information pages to avoid liability. That could lead to unexpected friction for legitimate SASE traffic even when corporate policy allows access.

Michigan’s proposal shifts responsibility to ISPs and would classify any encrypted tunnel, including VPNs and SASE, as a circumvention attempt, though it has only been introduced and has not advanced. For now, nothing changes, and there is no impact to SASE or VPN usage.

We are monitoring these developments closely and enhancing routing and policy controls as part of our broader platform roadmap so organizations can adapt cleanly if needed, without compromising security or productivity.

Background

Since 2022, the number of states requiring adult sites to verify that visitors are actually adults has expanded. Louisiana, Utah, Texas, and Virginia led the way, using a simple threshold: if more than one-third of a site’s content is considered “harmful to minors,” the site has to put age verification in place. In June 2025, the U.S. Supreme Court upheld Texas’s law in a 6 to 3 ruling and confirmed that states have a legitimate interest in protecting minors online. That ruling accelerated the age verification trend and encouraged more states to follow the same playbook.

As these laws rolled out, the attention shifted to how people were getting around the verification checks. VPNs, SASE, and other encrypted tunnels became the focus as they can bypass age checks based on geography, which has brought these technologies into the spotlight.

Two states are now focusing on VPNs, SASE, and encrypted tunnels as a circumvention method:

In Wisconsin, Assembly Bill 105 and Senate Bill130 would require any site publishing or distributing material considered harmful to minors to verify a user’s age and block access to that content if the connection is coming through a VPN. The bill treats VPN use itself as a disqualifier, based on the assumption that age verification can’t be trusted when it happens over an encrypted tunnel. In practice, it creates two separate obligations for these sites: confirm the user is not a minor, and deny access whenever the traffic originates from a VPN. These requirements stand on their own, which means the VPN block applies even if the user successfully verifies their age.

In Michigan, House Bill 4938, the Anticorruption of Public Morals Act, takes a much broader swing. Instead of putting the burden on websites, it places it directly on internet service providers and requires them to monitor for and block “circumvention tools,” which explicitly includesVPNs, proxies, and encrypted tunnels. The bill doesn’t limit that obligation to attempts to access prohibited material. As written, simply using a VPN would be treated as an attempt to bypass state-mandated filtering, meaning an ISP would be expected to block the connection regardless of what site the user is trying to reach. The intent is framed around stopping access to adult content, but the mechanism captures all VPN-style traffic, which is why the business implications are so significant. There’s no carve-out for legitimate corporate use, no distinction for SASE or remote work, and no acknowledgment that encrypted tunnels are foundational for modern security. If it ever moved forward in its current form, it would create real friction for businesses that depend on secure tunneling for daily operations.

Right now, neither proposal is law. Wisconsin’s bills passed the State Assembly and are waiting in the Senate.Michigan’s bill has only been introduced and sent to committee. They are still proposals, but they show clearly where the conversation is headed and why it matters to anyone relying on VPNs or SASE for legitimate business use.

Wisconsin Impact

If Wisconsin’s bill passes, the enforcement model is primarily website-driven. Sites that host content considered “harmful to minors” would be expected to stand up age-verification flows and then block access to that material from users on VPNs.

In practice, most sites don’t have a way to distinguish“consumer VPN” from “corporate SASE” when they only see an IP and an encrypted connection, so they lean on IP-intelligence feeds that tag ranges as VPN, proxy, or hosting.

That means SASE egress IPs and traditional business VPNs are likely to be swept up along with consumer VPN services. Today the scope is limited to adult and “sexual” content, and most corporate acceptable-use policies already restrict or block that category.

This is the critical point. If the impact stays limited to adult content, many businesses will feel minimal change, especially since most already restrict that category. The concern is how the bills define “harmful to minors” or “sexual material.” These definitions are broad and often hinge on subjective standards such as content that “appeals to prurient interest,”“depicts sexual conduct,” or is considered “patently offensive” for minors. These terms can sweep in more than explicit adult content, depending on how a website or filtering provider interprets its risk. That is where the fog comes in.

Sites and compliance vendors rarely take chances when liability is on the line. If a platform hosts any material that could be interpreted as sexual under these broad definitions, even if it is educational, health related, or part of normal news coverage, the safest move is often to block VPN and SASE traffic entirely rather than evaluate each individual case.That is where the conflict emerges. A company’s acceptable use policy may allow a perfectly legitimate site, but the site itself may deny access over SASE to avoid falling afoul of a state law. The risk is not only in the statute. It is in the cautious, wide-reaching compliance behavior that often follows broad language.

Michigan Impact

Michigan’s proposal is very different because it shifts responsibility from websites to ISPs. HB 4938 would require ISPs to implement mandatory filtering to block prohibited material and to monitor for and block“circumvention tools,” defined as any software, hardware, or service used to bypass those filters. The bill explicitly includes VPNs, proxies, and encrypted tunnels, which means the simple act of using a VPN becomes the issue, not what the user is trying to access.

There is no technical way for an ISP to inspect an encrypted tunnel or determine the purpose of the connection. They cannot separate a business SASE tunnel from a consumer VPN or any other encrypted transport. The only viable compliance approach is to block all traffic that appears to be VPNor proxy related. This is why many observers have noted that, as written, the bill would effectively eliminate VPN use in Michigan entirely, including legitimate business use that organizations rely on every day.

The bill has not passed, but the implementation path is clear. If ISPs are held responsible for preventing circumvention, they will treat all VPN-style traffic as prohibited because they have no practical way to filter by category or intent. That is a very different outcome than the website-level dynamics in Wisconsin, and it is something we are watching closely.

Legal Analysis/Predictions:

Of the two bills, as written, Wisconsin’s likely has the greatest chance of becoming law. Not only has the Wisconsin bill advanced much further than its Michigan counterpart but the requirements are far less disruptive than Michigan’s bill. Michigan’s bill is so overburdensome to even proper cybersecurity practices that heavy lobbying efforts are likely to force amendments or even cancellation of the bill altogether. The Wisconsin bill is the more prudent of the two and as such the style of regulation most companies should prepare for.

Wisconsin’s bill has two aspects which should be flagged for compliance hurdles at any company engaged in the publication of such material. First, that when conducting an age verification, a company may not knowingly retain identifying information of the individual attempting to access the website after the individual’s access has been granted ordenied. This means that proper data retention and destruction methods must be in place to handle the personal information gathered for this specific purpose. Other personal information may be retained in accordance with standard data collection practices (as long as such collection is explicitly outlined in the company’s privacy notice) but personal information used for age verification must be immediately deleted after either confirming or denying access privileges.

Second, businesses should be aware that the definition of “prurient interest”, as mentioned above, can apply to even material “having a tendency to excite lustful thoughts.” In Roth v. United States, 354 U.S. 476 (1957), and Miller v. California, 413 U.S. 15 (1973), the Supreme Court of the United States formulated a test setting out the constitutionally permissible scope of both federal and state criminal statutes governing obscenity.

The Court in Miller did not define the term "prurient interest." Instead, the Court referred to its earlier opinion in Roth v. United States, supra.  In a footnote in Roth, the Court discussed the meaning of the term "prurient."

The Court first defined material appealing to "prurient interest" as material "having a tendency to excite lustful thoughts." The Court then observed that dictionary definitions of the term "prurient" use words such as "desire or longing," "itching, morbid, or lascivious longings," and "lewd," and that in a prior decision the Court had suggested that "prurient" means the opposite of "wholesome." Ibid., citing Mutual Film Corp. v. Industrial Commission, 236 U.S. 230, 242 (1915).  The US Supreme Court in 1984 ruled that the state of Washington did not draft a statute that was constitutionally overbroad when it used the word “lust” in defining “prurient interest”.

Unlike the state of Washington, Wisconsin does not have a statutory definition of prurient interest. But as seen at the Supreme Court level, that can mean the definition defaults to one that also includes anything inciting lust. This legal precedence simply reinforces the above concern that such a bill could be construed to apply to more than just explicit adult content websites. Should Wisconsin’s bill become law, companies that wish to remain on the safe side should be aware that content they publish should not just be vetted for explicit adult content but also content that is merely suggestive.

How Todyl is Adapting

Our focus is making sure businesses stay secure and productive. Todyl is a business SASE and secure remote access platform, not a consumer privacy VPN, which means we operate with the security, control, and configuration depth organizations expect. Many companies already block adult content through their acceptable use policies.

We are expanding our routing and policy capabilities as part of a broader platform enhancement designed to give organizations more flexibility across a wide range of use cases, including scenarios where websites or regulators take a broad stance on VPN and SASE traffic.

In practice, this means giving organizations the choice to block specific categories at the SASE layer or, where corporate policy allows and state rules require, route those categories out the local gateway while keeping everything else on the secure path. It’s important to note that even when a small portion of traffic is routed locally, the environment remains protected.

DNS security still applies at the SASE layer, and our broader threat management stack, including Endpoint Security and SIEM, continues to provide defense in depth. Business traffic, SaaS applications, and sensitive workloads remain fully secured, while the carved out category follows a path that aligns with both policy and regulatory requirements.

Next Steps for MSPs and IT Professionals

We will be releasing additional information in the coming days to help partners and IT professionals explain the regulatory landscape, the potential impact, and the path forward.

In the meantime, there are several steps we recommend to ensure alignment. Start by reviewing acceptable use policies across your organization or the environments you support. Understand what is allowed, what is restricted, and how decision makers feel about categories that could be affected by age-verification laws.It is also important to prep your teams so they understand that, if these bills move forward, some “works at home but not on VPN” behavior may stem from website or ISP requirements rather than an issue with the SASE platform, depending on policy and filtering configurations.

While the best practice is to keep adult content out of the work environment, we recognize that different organizations have different requirements and that future legislation or compliance behavior could broaden what ends up being blocked. As we introduce more granular controls, we will make them transparent and configurable, and we will provide clear guidance on how to align Todyl policies with evolving state requirements. If you begin seeing real-world issues tied to these proposals, especially unexpected blocks when users are on SASE, we want to hear about it so we can prioritize the right capabilities and help you stay ahead.

Legal Analysis/Predictions contributed by Ryan Whitney

Ryan is an associate in the Nashville office of Lewis Brisbois and a member of the Data Privacy & Cybersecurity Practice. Ryan represents and assists clients during cybersecurity incidents and data breaches as part of a 24/7 incident response team. He guides and counsels clients through the initial incident/breach response phases to ensure maximum risk mitigation and data protection. Ryan provides clients with preventative, pre-breach data privacy best practices to help reduce the amount of data incidents from arising as well as the negative repercussions should a breach occur. Ryan has helped numerous companies design, develop, and manage their own internal data privacy compliance programs which puts legal guidance into operational practice.

Ryan has significant experience in data privacy contract review and negotiation including NDAs, BAAs, DPAs, and DUAs. Additionally, Ryan has experience with HIPAA/HITECH, CCPA/CPRA, VCDPA, CPA, GDPR, GLBA, FERPA, and GINA regulatory requirements.

‍