Mishcon de Reya page structure
Site header
Menu
Main content section
abstract glowing texture on dark background

Online Safety Act: VPNs and age verification - what the House of Lords debate reveals

Posted on 14 November 2025

In brief 

  • The Online Safety Act 2023 requires providers to use highly effective age assurance (HEAA) to prevent children accessing harmful content, but concerns have been raised that these measures can be circumvented using Virtual Private Networks (VPNs) to mask location and bypass geo-located age checks. 
  • The Government and Ofcom are monitoring circumvention techniques, and services promoting virtual private network (VPN) use to bypass age checks could face enforcement action. Providers must assess circumvention risks as part of their Children's Access Assessments (CAAs), though a ban on VPN apps is not being considered given their legitimate uses. 
  • Ofcom will publish a report by June 2026 assessing the effectiveness of age assurance and identifying factors that have hindered its use. 
  • Despite circumvention concerns, the Age Verification Providers Association reports an additional five million age checks daily since new child safety duties came into force in July 2025, suggesting most users are not seeking to avoid HEAA measures. 

Background: The Online Safety Act's Child Protection Duties 

Under the Online Safety Act 2023 (OSA), providers of user-to-user or search services (such as social media platforms and online search engines) have certain duties to protect children and reduce the risk of harmful content on their services. 

After conducting risk assessments to identify risks posed by their services, providers must take action to mitigate these risks. Where there is a risk that children could access "primary priority content", such as pornography or content encouraging self-harm, the OSA requires providers to use "highly effective age assurance" (HEAA), involving age verification or age estimation techniques to prohibit children's access to inappropriate content. 

Since the new child safety duties came into force in the Summer, Ofcom, the regulatory body responsible for online safety, has reported that the largest adult-content websites and a range of companies across social media, dating, gaming and messaging have started to implement, or have plans to implement, new and effective age checks to prevent children accessing harmful content. However, it has also been widely reported on both traditional and social media that some of the HEAA in use is circumventable via Virtual Private Networks (VPNs) and other means, thereby potentially undermining the effectiveness of the measures.  

The VPN challenge: can age verification be circumvented? 

A VPN is a tool that creates an encrypted tunnel between a device and a server run by the VPN provider. When using a VPN, the user's traffic is encrypted and their IP address and location data are changed – websites and online services see the IP address of the VPN server instead of the user's real IP. If that server is in a different country from the one the user is located in, the service believes the user is in that different country.  

Where services have put in place geo-located HEAA (i.e. where the HEAA is only in place for the UK, but other locations can access the service without completing HEAA), using a VPN can allow users to virtually change their location, thereby bypassing blocks and age verification. 

A recent House of Lords discussion focused on whether VPNs are undermining age verification technologies.  

Government Whip response to House of Lords discussion 

Lord Leong, the Government Whip in the House of Lords, was keen to stress on behalf of the Government that it and Ofcom are monitoring the potential impact of circumvention techniques on the effectiveness of the Online Safety Act, especially since the child safety duties came into effect in July 2025. Therefore, it is possible that services promoting VPN use to bypass age checks could face enforcement action. 

Lord Leong also emphasised that the Government expects services to act decisively, as they are already required to assess circumvention risks and implement proportionate measures as part of their Children's Access Assessments (CAAs). He also reminded that the use of VPNs does not negate the other duties under the OSA intended to keep children safe. 

Lord Leong further confirmed on behalf of the Government that: 

  • Ofcom will publish a report by June 2026 assessing how effective the use of age assurance has been and whether there are factors that prevent or hinder the effective use of age assurance. This will supplement the guidance published in April 2025 which set out what constitutes HEAA and how service providers can comply with their regulatory duties; and  
  • Many people use VPNs for entirely legitimate purposes, and a ban on apps promoting VPN use is not being considered. 

Privacy and free speech concerns 

Baroness Kidron, a cross-bench life peer, noted that the introduction of age assurance has increased VPN use, and that this may result from legitimate concerns from the public about user privacy. She further stated that there was no evidence that the media's reported increase in use of VPNs was entirely attributable to use by children, and that Ofcom's guidance suggests that in fact only one in ten VPN users is a child. Lord Leong could not confirm how many services have been referred by Ofcom to the ICO for failing to uphold users' privacy rights whilst performing age checks.  

IP blocking technology: robust age assurance techniques 

As an alternative to introducing HEAA, some service providers have chosen to block access to their services from the UK using IP blocking to avoid the need to comply with the OSA. IP blocking is a practice where IP addresses are blocked based on the geographic location which is attached to them. This can sometimes be circumvented by use of a VPN, as this will alter the location attached to the user's IP address. 

Notably, a suicide discussion forum which voluntarily blocked access to its website from the UK on 1July 2025, is now subject to investigation following reports to Ofcom by Samaritans that the service is available in the UK as at 4 November 2025. This suggests that the blocking in place may be being circumvented by VPNs. Further developments will provide insight into how Ofcom intends to handle both IP blocking and VPN use. 

Is this a cause for concern? 

Despite concerns about increasing VPN use, the Age Verification Providers Association has reported an additional five million age checks being carried out each day since the child safety duties under the OSA came into force. Therefore, it appears that the vast majority of services using HEAA are not experiencing a total avoidance of the measures through VPN circumvention. 

Related Content
News
abstract cream lines

Comity in practice: a fair, reasonable, and non-discriminatory approach to national jurisdiction in Samsung v ZTE

News
Glass Building

UKIPO announces fee increases following extended price freeze

News
a white room with triangular shapes

Gold standard? Court of Appeal upholds validity of BABEK trade mark

News
Abstract art purple

The art of playing fair in comparative advertising

News
a black background with white circles and red circles with icons

UPC update: November 2025

News
a blue squares in a black background

CMA further tightens focus on Big Tech

News
Steps with a blue light border

The tech drain - and what we can do about it

News
Artifical intelligence AI abstract

The impact of AI on pro bono

News
abstract orange lines

Getty Images v Stability AI: Unpacking the High Court's judgment

News
a black background with orange and blue lights

EU Data Act: What cloud service vendors need to know about new switching rights

News
a close up of a wall

Mishcon de Reya advises DC01UK on significant data centre deal

News
Abstract exit

Patents Court responds to UPC anti-interim-licence injunction in InterDigital v Amazon

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

I'm a client

I'm looking for advice

Something else