Utah HB 289: New CSAM Liability Rules Heading to the Governor
Utah HB 289, the Child Sexual Abuse Material Amendments, passed the Utah legislature and was transmitted to the governor on March 16, 2026. The bill expands platform-level liability for CSAM distribution and strengthens enforcement tools available to Utah prosecutors — building on Utah's existing pattern of aggressive adult content regulation.
Utah HB 289 Is Heading to the Governor — Here's Why Adult Platform Operators Should Pay Attention
On March 16, 2026, Utah's HB 289 — the Child Sexual Abuse Material Amendments — was transmitted to the governor for signature. The bill cleared both chambers of the legislature and represents Utah's latest move in a sustained legislative campaign targeting online platforms that host or distribute illegal content. Given Utah's track record (the state was a co-plaintiff in the FTC action against Aylo/Pornhub and has been among the most aggressive states on age verification enforcement), any bill coming out of Utah's Capitol on CSAM deserves immediate attention from platform operators.
What HB 289 Does
HB 289 amends Utah's existing criminal and civil code around child sexual abuse material. While the full enrolled text is still being analyzed, the bill's core thrust — consistent with similar CSAM amendment legislation in other states in 2025 and 2026 — is to:
- Expand platform liability for knowingly hosting, distributing, or failing to remove CSAM once on notice
- Strengthen civil enforcement tools available to the Utah Division of Consumer Protection and the Attorney General, mirroring the enforcement posture Utah demonstrated in the Aylo settlement
- Increase penalties for platforms that fail to act on known CSAM, potentially including fines assessed per item rather than per incident
- Clarify reporting obligations for platforms operating under Utah jurisdiction, in coordination with federal NCMEC CyberTipline requirements established under the REPORT Act
The specific penalty structure and any safe harbor provisions will become clearer once the governor signs and the enrolled text is published. Operators should treat this as a watch item with a short runway — Utah governors have historically signed technology-related child safety bills quickly.
Why Utah's CSAM Legislation Matters Beyond Utah
Utah has a well-established playbook: pass aggressive legislation, then use it as a template or enforcement lever nationally. The state was one of the first to enact age verification requirements for adult sites, a model that has now been adopted by more than 25 states following the SCOTUS ruling in Free Speech Coalition v. Paxton. Utah's Division of Consumer Protection was a named co-plaintiff in the FTC's $5M action against Aylo.
When Utah strengthens its CSAM statutes, two things typically follow:
- Other states adopt similar language within 1–2 legislative cycles
- Utah's AG and DCP use the new tools aggressively, often as a precursor to or in coordination with federal enforcement
For platform operators, this means HB 289 is not a Utah-only compliance question. It signals the direction of state-level CSAM enforcement nationally.
How This Interacts With Your Existing Federal Obligations
It's worth being clear: CSAM is already a federal crime with severe penalties. The REPORT Act, signed in May 2024, quadrupled fines for failing to report CSAM to NCMEC and extended data preservation requirements to one year. Federal law requires all platforms — not just large ones — to report apparent CSAM to NCMEC's CyberTipline within specific timeframes.
What state bills like HB 289 do is layer additional civil and criminal liability on top of federal requirements. A platform that fails to report CSAM under federal law is already exposed to federal prosecution. Under HB 289 as passed, that same failure could also expose the platform to Utah state enforcement — separate penalties, separate proceedings, potentially separate litigation.
For platforms with any Utah user base (which, practically speaking, means any platform operating in the U.S.), the compliance calculus compounds.
The Payment Processing Dimension
This is where the stakes escalate quickly for platform operators. As we covered in "Why Your Acquirer Is Your Biggest Compliance Risk," card networks require acquirers to monitor their merchants for illegal content. CSAM on a platform isn't just a criminal exposure — it's a near-automatic trigger for:
- Immediate merchant account termination
- MATCH list placement (making it extremely difficult to obtain new processing)
- Potential clawback of prior settlements
- Acquirer liability under Visa VAMP and Mastercard MMP programs, which means acquirers are motivated to terminate you before they get a compliance inquiry
State legislation like HB 289 that increases civil penalties and expands enforcement tools also increases the reputational and legal risk that acquirers associate with adult merchants generally — even compliant ones. Every high-profile enforcement action tightens underwriting standards across the industry.
What Platform Operators Should Do Right Now
- Verify your CyberTipline reporting process is operational. Federal law already requires you to report apparent CSAM to NCMEC. If you don't have an active CyberTipline account and a documented process for identifying and reporting, fix that before HB 289 is signed into law.
- Audit your content moderation stack. Do you have automated scanning in place for known CSAM hashes (PhotoDNA or equivalent)? Manual review alone is not sufficient at any meaningful scale. The FTC's action against Aylo turned in part on the platform's failure to implement systematic detection.
- Document your notice-and-removal workflow. When you receive a report of potentially illegal content, what happens? Who is responsible? What's the SLA? This workflow needs to be written down, tested, and auditable — because "we remove it when reported" is not a compliance program.
- Review your model verification and content intake process. CSAM liability exposure is highest at the point of upload. Robust age and identity verification for content contributors is a first-line defense, not just a regulatory checkbox. The FTC settlement with Aylo required verification of existing content — don't wait for an enforcement action to drive this.
- Monitor the enrolled text when HB 289 is signed. The specific penalty amounts, any expanded definitions of platform "knowledge," and any new civil cause of action language will matter for your legal team. Set a calendar reminder to pull the enrolled bill text within 48 hours of signature.
- Talk to your payment processor. If you are not already having regular compliance conversations with your acquirer, a state expanding CSAM liability is a good catalyst. Understanding what your processor expects from you — and documenting that you're meeting those expectations — protects you if enforcement activity increases.
What to Watch
Expect the governor to act on HB 289 within the next few weeks — Utah's legislative session concluded in mid-March and the governor typically processes transmitted bills on a rolling basis. Once signed, watch for:
- Implementation guidance from the Utah Division of Consumer Protection on what "notice" means and how the new civil penalties will be assessed
- Companion legislation in other states — Arizona, Texas, and Florida have all moved quickly on Utah-originated adult content legislation in recent sessions
- Federal coordination signals — the FTC and DOJ have both signaled increased focus on platform-level CSAM liability, and state enforcement actions frequently precede or accompany federal activity
Utah is not finished. For platform operators, the question isn't whether this regulatory environment will intensify — it's whether your compliance infrastructure is built to operate in it.