Could VPNs Be Banned in the UK? What the Age Verification Backlash Tells Us About Privacy, Policy, and the Future of the Internet

The UK’s new age verification laws under the Online Safety Act 2023 have sparked public outcry, technical workarounds, and a five-fold spike in VPN downloads across the country. But now, the government is “looking very closely” at VPN usage, raising raising questions about whether these tools could face greater scrutiny or possible restrictions in the future.

For data protection professionals, this moment is about more than bypassing adult content filters. It reflects growing tension between safety-driven regulation and privacy-preserving technologies, and how this tension could shape the UK’s online freedoms over the coming years.

What’s Happening?

On 25 July 2025, new rules came into force requiring all websites hosting 18+ or potentially harmful content to implement robust age verification checks. Ticking a box is no longer enough. Sites must now verify identity through biometric scanning, government-issued IDs, or trusted third-party systems.

The result? Tens of thousands of users turned to virtual private networks (VPNs) to bypass the checks altogether. VPN services like Proton and AdGuard reported usage spikes of over 1,000%, and VPN-related search traffic skyrocketed.

In response, UK Science Secretary Peter Kyle confirmed that while VPNs are not currently under threat, the government will be monitoring their usage “very closely.”

Why Are People Turning to VPNs?

VPNs (Virtual Private Networks) allow users to change their visible location and encrypt their internet traffic. They’re often used to access geo-blocked content or browse the web more privately.

In this case, many UK users are using VPNs to appear as though they are based outside the UK, bypassing sites’ legal obligations to run age checks.

For some, this is about convenience (or avoiding inconvenience). For others, it reflects deeper concerns about data protection risks such as the potential over-collection of personal data, and broader privacy concerns about surveillance and government overreach.

Are VPNs at Risk of Being Banned in the UK?

As of now, VPNs remain legal in the UK. There is no formal proposal to ban or restrict them. Ministers have, however, noted their increased use following the Online Safety Act, particularly where this undermines compliance measures.

While an outright ban appears politically and technically unlikely, policymakers could explore measures such as VPN-detection obligations or other technical interventions if they believe circumvention is materially affecting enforcement.

From a policy perspective, VPN usage in this context creates a loophole that undermines enforcement.

The surge in VPN adoption also reflects a wider public preference for tools that reduce personal data disclosure and increase control over online identity.

A Bigger Question: Is This About Safety or Surveillance?

For the government, age verification is about child safety, a widely supported goal.

But for data protection professionals, the implementation methods, especially the use of facial recognition, ID scanning, and mandatory identity checks just to access online content raises significant concerns:

• Necessity and proportionality under Article 5 (1) (c) UK GDPR
• Purpose limitation (ensuring data is not repurposed beyond age verification
• Security and retention safeguards to prevent misuse or breach

This is where VPNs become symbolic. They are not just tools for dodging rules. They represent resistance to what some users see as an increasingly monitored and censored internet.

If public trust in online regulation continues to erode, the use of VPNs, encrypted browsers, and other privacy-enhancing technologies (PETs) is only likely to grow.

What Does This Mean for Data Protection Professionals?

The age verification surge, and the reaction to it, is a live case study in consent, proportionality, and transparency, three of the core principles under the UK GDPR.

Here’s what DPOs and privacy teams should be considering:

1. Review DPIAs for Age Verification Systems
Ensure assessments for age verification systems are comprehensive, address biometric and ID processing risks, and consider less intrusive alternatives.

2. Understand the Role of VPNs in Bypassing Compliance
While bypassing geo-controls is legal, it can complicate enforcement. If your organisation operates globally, review how your systems handle users accessing content through VPNs.

3. Stay Informed About Potential Regulation
The fact that the UK government is publicly acknowledging VPN usage suggests that future policy responses may involve restrictions, monitoring obligations, or technical standards.

FAQs: VPNs, Data Protection and the Online Safety Act

Is it illegal to use a VPN to bypass age checks?
No, VPN use is lawful in the UK. However, platforms still have a legal duty to prevent underage access, and individuals bypassing that protection raise compliance questions for the platform.

Could the UK government ban VPNs in the future?
There are no current plans to ban VPNs, and such a move would be controversial. But targeted restrictions or obligations for platforms to detect VPN use may emerge.

Are VPNs a data protection risk?
Not all VPNs are created equal. Free VPNs often log user activity or sell data. Trusted, paid VPN providers generally apply stronger safeguards.

Does using a VPN guarantee anonymity?
No. VPNs improve privacy by encrypting traffic and masking location but it does not make users anonymous. Additional tools (like encrypted browsers) are needed for that.

Should my organisation block VPN users?
It depends on your risk profile and legal obligations. Blocking VPNs can create usability issues and false positives. Any such approach should be risk-based and compliant with data protection principles. Work with your legal and IT teams to assess the impact.

Horizon Scanning: What’s Next?

We are entering a new phase of tension between safety legislation and data protection considerations . As government measures become more prescriptive, public demand for privacy may lead to increased use of:

• VPNs
• Decentralised platforms
• Anonymous browsers like Tor
• Self-hosted or federated services

These shifts are as much cultural as technical, reflecting public concerns about personal data handling and the desire for greater online autonomy.

Data Protection People’s View

At Data Protection People, we believe data protection and safety should not be treated as trade-offs. Both are essential. The current wave of VPN usage tells us that the public is concerned about how their personal data is being handled, and that concerns around surveillance are very real.

Organisations and regulators should prioritise proportionality, transparency, and fairness in online safety measures, ensuring that personal data is processed lawfully, securely, and only to the extent strictly necessary to achieve legitimate aims.

Need Help Navigating Compliance and Public Sentiment?

Whether you’re implementing age verification, assessing vendor risks, or preparing for scrutiny around online access and privacy, we can help.