The United Kingdom’s communications regulator, Ofcom, has opened a public consultation that could fundamentally reshape how millions of British internet users access virtual private networks and other privacy tools. The proposal, published as part of the government’s ongoing implementation of the Online Safety Act, raises the prospect of age restrictions on VPNs — a move that privacy advocates warn could set a dangerous precedent for digital rights across the Western world.
The consultation, which runs until July 14, 2025, invites input from technology companies, civil society groups, and the general public on how best to prevent children from circumventing age-verification systems that regulated platforms are now required to implement. Among the tools explicitly named in the consultation documents are VPNs, which can allow users to mask their geographic location and bypass regional content restrictions, including age gates mandated by UK law.
Ofcom Acknowledges There Is No Easy Answer
As reported by TechRadar, the regulator itself has conceded that “no approach is a silver bullet” when it comes to stopping minors from using circumvention tools. The consultation document outlines several possible strategies, ranging from requiring VPN providers to implement their own age-verification checks to pressuring app stores to restrict downloads of such software. But Ofcom has been careful to frame the discussion as exploratory rather than prescriptive, signaling that it understands the political and technical minefield it is entering.
The Online Safety Act, which received Royal Assent in October 2023, places sweeping obligations on technology platforms to protect children from harmful content. Under the law, services likely to be accessed by minors must implement age-assurance measures. Pornography sites, social media platforms, and other services hosting user-generated content are all in scope. The challenge, as Ofcom now acknowledges, is that these measures are only as effective as the barriers preventing young people from routing around them — and VPNs are among the most popular and accessible tools for doing exactly that.
The Technical Reality of Restricting VPNs
Privacy and cybersecurity experts have been quick to point out the enormous practical difficulties involved in age-restricting VPN access. VPNs are not merely tools for evading content filters; they are essential security infrastructure used by businesses, remote workers, journalists, and activists. According to data from Surfshark, the UK is one of the largest VPN markets in Europe, with adoption rates climbing steadily since the passage of the Investigatory Powers Act in 2016 — colloquially known as the “Snoopers’ Charter.”
Requiring VPN providers to verify the age of their users would demand that those companies collect and process identity documents or biometric data, creating precisely the kind of centralized data trove that VPNs are designed to protect against. As TechRadar noted, several VPN companies operate under strict no-logs policies and are headquartered in jurisdictions specifically chosen to keep them outside the reach of UK surveillance laws. Compelling those providers to suddenly collect age-verification data would undermine the fundamental value proposition of their products.
Industry Pushback Is Already Building
The VPN industry has not been silent. Representatives from major providers including NordVPN, ExpressVPN, and Proton VPN have previously raised alarms about regulatory overreach in the UK. Proton, the Swiss company behind both ProtonVPN and the encrypted email service ProtonMail, has been particularly vocal. The company’s founder and CEO, Andy Yen, has repeatedly argued that weakening encryption and privacy tools in the name of child safety creates vulnerabilities that bad actors — including authoritarian governments — can exploit.
The Open Rights Group, a UK-based digital rights organization, has also signaled its opposition to any scheme that would impose age restrictions on VPNs. Jim Killock, the group’s executive director, has warned that such measures risk “turning the UK into a country where basic privacy tools are treated as suspicious.” The group has encouraged its supporters to participate in the Ofcom consultation and push back against proposals that could restrict access to encryption and privacy technologies.
A Global Trend Toward Controlling Privacy Infrastructure
The UK is not acting in isolation. Governments around the world are grappling with similar tensions between child protection and digital privacy. Australia passed its own Online Safety Act in 2021 and has since moved toward banning children under 16 from social media entirely. The European Union’s proposed Chat Control regulation, which would require platforms to scan private messages for child sexual abuse material, has sparked fierce opposition from privacy advocates and technologists who argue it would effectively ban end-to-end encryption.
In the United States, a patchwork of state-level age-verification laws — most notably in Texas, Louisiana, and Virginia — has already led to legal challenges on First Amendment grounds. Several federal courts have issued injunctions blocking enforcement of these statutes, finding that mandatory age verification imposes an undue burden on adult users’ right to access legal content. The UK, lacking a comparable constitutional framework for free expression, faces fewer legal obstacles to implementing such restrictions, which is precisely what worries civil liberties organizations.
The App Store Bottleneck Strategy
One of the more technically feasible approaches under consideration involves pressuring Apple and Google to restrict VPN app downloads based on age ratings in their respective app stores. This would not prevent a determined user from sideloading a VPN application or configuring one manually, but it would raise the barrier to entry for younger, less technically sophisticated users. Ofcom appears to view this as a pragmatic middle ground — imperfect but potentially effective at reducing casual circumvention.
However, this approach carries its own risks. Apple and Google already serve as de facto gatekeepers for the mobile software market, and granting regulators additional influence over what those stores can distribute raises competition and censorship concerns. The European Commission has spent years trying to break open app store monopolies through the Digital Markets Act; asking those same monopolists to serve as enforcement agents for age restrictions would cut against that effort. It would also create a two-tier system in which desktop and laptop users — who can install software without app store approval — face fewer restrictions than mobile users.
What Happens After the Consultation Closes
Ofcom is expected to publish its findings and recommendations later in 2025, after reviewing submissions from the consultation period. The regulator has the authority to issue binding codes of practice under the Online Safety Act, and non-compliant companies can face fines of up to 10 percent of their global annual revenue — a penalty structure modeled on the EU’s General Data Protection Regulation.
But enforcement against offshore VPN providers presents a different order of difficulty than regulating domestic social media platforms. Many of the largest VPN companies are incorporated in Panama, the British Virgin Islands, or Switzerland, and they have little physical presence in the UK. Ofcom could theoretically order UK internet service providers to block access to non-compliant VPN services, but such a move would echo the internet censorship tactics employed by China, Russia, and Iran — a comparison that would be politically toxic for a government that still positions itself as a champion of the open internet.
The Stakes for Ordinary Users
For the millions of UK residents who use VPNs for entirely lawful purposes — protecting their data on public Wi-Fi networks, accessing work systems remotely, or simply exercising their right to online privacy — the consultation represents a potentially significant shift in the government’s posture toward personal security tools. The framing of VPNs as circumvention devices, rather than as legitimate privacy infrastructure, concerns advocates who fear that the regulatory conversation has been captured by a narrow child-safety lens at the expense of broader digital rights considerations.
The outcome of this consultation will be closely watched not only in the UK but across Europe and beyond. If Ofcom moves forward with age restrictions on VPNs, it could embolden regulators in other democracies to follow suit, establishing a new norm in which privacy tools are subject to identity checks. Conversely, if the regulator concludes that the technical and civil-liberties costs outweigh the child-protection benefits, it could serve as a powerful counterargument against the global trend toward restricting encryption and anonymity online. Either way, the next few months will be consequential for the future of internet privacy in Britain and, quite possibly, well beyond its borders.
WebProNews is an iEntry Publication