UK proposal for age checks on VPNs begins to look like a policy traffic jam

Six months after the Online Safety Act took effect, the honeymoon is well over 

In a move that has already stirred controversy, the UK House of Lords has voted to allow an amendment to the Children’s Wellbeing and Schools Bill (CWSB), which would put age assurance restrictions on Virtual Private Networks (VPNs).

The VPN question has been an albatross for the age assurance ecosystem, held up as an easy workaround to digital age checks – and, therefore, as proof that age assurance laws as designed don’t work to fulfil their purpose.

The age assurance industry’s response has been to note that online safety laws don’t allow for loopholes. The Age Verification Providers Association (AVPA) has described what it calls the “VPN fallacy”:

“Some argue that because VPNs exist, any age assurance system will fail,” AVPA says. “This leads to the mistaken belief that age-restricted sites are exempt from compliance if users connect through a VPN. Legislation we have reviewed globally, including the UK’s Online Safety Act and similar measures in Australia or U.S. states, offers no such exemption. In practice, there are ways to detect and address circumvention and there is no need to even consider banning VPNs outright.”

While the UK government is not (yet) considering banning VPNs, its proposed law would mean requiring every VPN user to prove their age. There is an echo of the realization that set in once the Online Safety Act (OSA) imposed age check requirements on porn sites: to make sure users aren’t kids, age assurance has to apply to everyone.

Age assurance debate chases its own tail with more checks

The text of the Lords’ amendment inserts “action to prohibit the provision of VPN services to children in the United Kingdom,” ostensibly “for the purpose of furthering the protection and wellbeing of children.”

The regulations “may make provision for the provider of a relevant VPN service to apply to any person seeking to access its service in or from the UK age assurance which is highly effective at correctly determining whether or not that person is a child.”

They must apply to any VPN service provided to users in the UK. Ofcom, it says, “may produce guidance for providers of relevant VPN services to assist them in complying with the child VPN prohibition.”

There is a circular logic at play: age checks prompt minors to find workarounds, so put age checks on the workarounds, too. It is symptomatic of a pattern that has seen regulators apply a whac-a-mole approach to enforcement, while adult content firms try to shift responsibility away from the platform level and onto Google, Apple and Microsoft, and the age assurance industry navigates multiple shifts in tone and messaging from the Labour government.

The VPN debate is unlikely to go away – but the proposed legislation might. According to ISPreview, the amendment passed the House of Lords with 207 votes in favour and 159 against, with the majority of yes votes coming from the Conservative Party and the majority of the no votes coming from Labour. “Crucially,” it says, “this suggests that the amendment, at least in its current form, is currently opposed by the party of Government and so may struggle to survive once the Bill is returned to the House of Commons.”

The proposal will also face resistance from privacy rights groups, given the widespread use of VPNs to preserve anonymity online.

Strong words for Ofcom from Baroness Kidron

Meanwhile, there is a debate raging about how useful more legislation will be if enforcement isn’t ratcheted up – and how much of the blame Ofcom should take for the perceived failures of the OSA. In remarks to the House of Lords, noted champion of child online safety laws Baroness Beeban Kidron says that “regulation has failed, not because it can’t work, but because the regime envisaged by Parliament was weakened by lobbying and critically undermined in its implementation. It’s not regulation failing in principle. It’s political will failing in practice.”

“I will finally say in public what others have been saying for months: Ofcom are too timid. They’re too close to tech, they’re too secretive, they’ve narrowed the scope, they’ve tackled the act in the most bureaucratic fashion possible, and they have held Parliament in contempt by failing to enact all parts of the Act.”

“Nothing will change until Ofcom changes.”

Kidron says another consultation is just more dithering, and points to Australia as a model of a child online safety scheme that has worked because of a combination of political will, strong regulatory powers, and the gumption to stand up to Big Tech.

The House of Lords is also hosting discussion about restricting social media for users under 16, in the Australian model. Some oppose a “blunt, one-size-fits-all ban,” preferring a tiered or banded model. Others call widespread social media addiction a “social catastrophe.” Most everyone seems to agree that parents and health professionals are telling them that something needs to be done.

So, the UK continues to move toward additional child safety legislation on tech, be it age thresholds for social media or age verification for VPNs. Some see it moving in circles, taking the longest possible route to reach its goals. Others want to put the brakes on. But all of the lively debate in the House of Lords is another indication that, in 2026, Big Tech’s bill is coming due.


Comments

2 Replies to “UK proposal for age checks on VPNs begins to look like a policy traffic jam”

  1. Age checks for VPNs is ridiculous. A VPN’s purpose is to aid in privacy. Now we’re expected to leave breadcrumbs of data??

    Here’s an idea, I know it might sound radical, but why don’t we force parents to actually parent their children? Don’t want a child having access to adult material, or getting themselves into precarious situations online? Don’t give them unfettered access to the tools that allow for it.

    Lazy, ill-educated parenting has resulted in children having access to a tool that is dangerous if used incorrectly.

    Remember in the past when kids (for the most part) respected their parents? Yeah, not anymore because they know all they need to do is throw a tantrum and the parents will give them what they want.

  2. Why don’t we actually hold parents accountable for what their kids do online? VPNs are vital to UK’s Networks, this includes the NHS who use VPNs.

    The issue isn’t that kids can access stuff, it is that parents are not teaching and enforcing rules about online stuff, by putting parental locks on devices (e.g. Mac and Windows) or setting up parental stuff with their ISPs and/or data providers (e.g. Sky, Virgin Media, EE, o2, Vodafone/Three etc) all these have parental stuff that they can use to prevent kids accessing NSFW & NSFL content.
