I’m not being glib. Honestly, why can’t I? There’s precedent for saying that’s unauthorized access, so the feds (not the state; “Interstate Commerce Clause” and all that) should prosecute the visitor for violating my ToS.
The laws are written in a way where the responsibility for enforcement falls on the operator of the business. In both cases, the business doesn't actually have to verify anything if they don't want to, but if it's found that they're allowing violations to happen, they will be held legally responsible.
That would allow you, perhaps, to sue people from MS that used your site for violating the ToS (though, "some idiotic courts have ruled" does not mean "the courts which actually create binding precedent over those that would adjudicate your case have ruled...", so, be careful even there.) But that doesn't actually mean that, if someone from MS used your site and you took no further steps to prevent it you would not be liable to the extent that you did not comply with the age verification law.
> There’s precedent for saying that’s unauthorized access, so the feds (not the state; “Interstate Commerce Clause” and all that) should prosecute the visitor for violating my ToS.
Most things in interstate commerce, except where the feds have specifically excluded the states, are both federal and state jurisdiction, but neither the feds nor the state are obligated, even if applicable law exists which allows them to, to prosecute anyone for violating your ToS. You can (civilly) attempt to do so if you are bothered by it.
So, I'm genuinely curious about this. Does the US not require any kind of territorial nexus in order for a jurisdiction's laws to apply to an individual? Can Texas criminalise abortions in New York, by New Yorkers, for New Yorkers? This seems very unlikely to me.
Under private international law, very generally speaking, you tend to require a nexus of some kind (otherwise, we'd all be breaking Uzbekistani laws constantly). I assume there must exist some kind of nexus requirement in US federal constitutional law too.
Assuming you have no presence, staff, offices, or users in a state, and you expressly ban that state in your T&C, why would that state's laws apply to you at all? You're not providing any services from or to that state, and in as far they can open your landing page, that's sort of like saying they can call your phone number. And in the absence of that state's laws applying at all, would not any requirements about geoblocking etc that may exist in those laws be moot?
(Usual risk calculus would seem to apply re over-zealous state prosecutors, etc.)