The UK government has unveiled plans to limit children's use of virtual private networks (VPNs) as part of a broader push to tighten online safety rules and curb underage access to social media.
The move, announced by Prime Minister Keir Starmer, would introduce new powers to enforce minimum age limits and prevent minors from bypassing platform restrictions through privacy tools.
Starmer said ministers would seek parliamentary approval for expanded authority under the Children’s Wellbeing and Schools Bill. Among the measures under consideration are a statutory minimum age for social media, restrictions on “addictive” features such as autoplay and infinite scroll, and limits on VPN access for under-16s to stop them circumventing age checks.
The announcement builds on the UK’s existing Online Safety Act (OSA), which already mandates age verification for adult content platforms and imposes duties of care on online services. The government also plans to amend the Crime and Policing Bill to ensure AI chatbot providers fall clearly within regulatory scope, following recent controversies involving generative AI systems and non-consensual image creation.
While the prime minister framed the VPN restrictions as a child protection measure, the proposal has raised significant technical and legal questions. VPNs are widely used tools that encrypt internet traffic and mask users’ IP addresses, enhancing privacy and security. They are recommended by the UK’s National Cyber Security Centre (NCSC) to improve online safety, particularly on public Wi-Fi networks. Industry groups warn that enforcing age limits on VPN use would likely require identity or age verification before granting access.
Mandatory age checks for VPN services could undermine their core privacy benefits, as such systems would either require users to upload identity documents or rely on third-party age estimation technologies, which can expose sensitive data.
Assuming that UK businesses are granted exemptions, the government would need to determine which entities qualify. Small or newly formed companies that rely on VPNs for secure remote access could face additional bureaucracy or compliance costs. It remains unclear whether employees need to verify their age to access the corporate VPN infrastructure.
VPN provider Mullvad criticized the proposal more bluntly. In a public statement, the company argued that so-called “age verification” would effectively amount to identity verification for all users. “A law like this would require everyone to identify themselves in order to use a VPN,” Mullvad said, warning that such measures could endanger whistleblowers, journalists, and others who rely on anonymity for safety.
VPNs are also frequently used by vulnerable individuals, including victims of domestic abuse, to access support resources discreetly. Mandatory identity checks could deter such users from seeking help, particularly if they require uploading government-issued identification or undergoing facial age estimation.
The government is expected to publish detailed proposals addressing all those questions and concerns next month.
For now, businesses and individuals in the UK that rely on VPNs should closely monitor the upcoming consultation and consider engaging in the public consultation process before the legislation is finalized.
Leave a Reply