UK Online Safety
UK Online Safety Act Age Checks and VPNs
The UK's Online Safety Act has moved from policy argument to live enforcement. Pornography services in scope of the law have had to take steps toward highly effective age assurance since January 2025, and broader children's safety duties for user-to-user and search services came into force on July 25, 2025.
In 2026, the story is no longer theoretical. Ofcom has issued fines for sites that failed to put age checks in place, and its guidance explicitly treats VPN-based circumvention as a risk services need to think about. That does not make VPNs illegal in the UK. It does mean privacy tools are now part of the age-verification policy debate.
For related context, see our analysis of Swiss VPN surveillance pressure and our guide to the best VPNs for privacy.
Quick answer: what changed?
- Pornography services: Ofcom says Part 5 services that display or publish pornographic material must use highly effective age assurance to prevent children from normally encountering that content.
- Social and search platforms: services likely to be accessed by children needed to complete risk work by July 24, 2025, and take action under the Protection of Children Codes from July 25, 2025.
- Weak age gates are out: simple "I am over 18" self-declaration is not considered highly effective.
- VPNs are not banned: but Ofcom guidance says services should not direct or encourage child users to bypass age checks with tools such as VPNs.
- Privacy remains unresolved: age assurance can involve sensitive data, including identity, payment, facial-estimation or mobile-network signals.
What Ofcom requires
Ofcom's age assurance guidance says providers that allow pornography must implement highly effective age assurance so children are not normally able to encounter pornographic content.
The regulator describes a highly effective process as one that is technically accurate, robust, reliable and fair. In plain English: the system must work in real deployment, use trustworthy signals, avoid obvious bypasses and not discriminate unfairly against groups of users.
Ofcom lists several types of age assurance as capable of being highly effective:
- open banking checks;
- photo-ID matching;
- facial age estimation;
- mobile-network operator age checks;
- credit-card checks;
- digital identity services;
- email-based age estimation.
The same guidance says methods such as simple self-declaration, debit-card checks that do not prove the user is over 18, and general contractual bans on children are not enough.
The enforcement timeline
Ofcom's compliance timetable shows the main milestones:
- January 17, 2025: online pornography age-assurance duties came into effect for relevant publishers.
- March 17, 2025: illegal content codes of practice came into force.
- July 25, 2025: Protection of Children Codes came into force for services likely to be accessed by children.
- June 19, 2026: Ofcom fined First Time Videos LLC for not having age checks in place, calling age checks a cornerstone of the law.
The important practical takeaway is that UK porn age verification is no longer a proposed policy. It is an active compliance and enforcement regime.
Why VPNs entered the debate
A VPN can make a user appear to connect from another country. That is useful for legitimate privacy and security reasons, but it can also interfere with location-based enforcement systems. Ofcom's own guidance says services should not host or permit content that directs or encourages child users to circumvent age controls, including by pointing them to a VPN.
A June 2026 research paper, Online Safety Regulation Increases Privacy Risk, found sharp increases in UK VPN discussion around Online Safety Act milestones. The authors reported that UK VPN-related Google Trends search interest rose by 89% around the age-verification deadline, and that users often framed VPN interest around privacy, surveillance and distrust of intermediaries rather than simple access seeking.
That is the core tension. A VPN is a mainstream privacy tool for public Wi-Fi, ISP privacy, travel and account security. But once age checks depend partly on geography and access control, VPNs become part of the policy conversation even when the law is not aimed at VPN providers directly.
Privacy trade-offs in age assurance
Ofcom says all age-assurance methods involve processing personal data and should follow a data-protection-by-design approach. It also says online safety and data protection compliance are both mandatory and should not be treated as a trade-off.
That is a useful baseline, but it does not eliminate the practical privacy concerns. The risk depends heavily on implementation:
- Data minimisation: does the service learn only that you are over 18, or does it receive a full identity document, selfie or payment signal?
- Retention: are age-check records deleted quickly, tokenised, or kept in a form that could be exposed later?
- Vendor concentration: are many sites relying on the same age-verification intermediaries?
- Function creep: can infrastructure built for child safety later be reused for broader identity-linked access control?
Those questions matter for adult users as well as children. Sensitive browsing categories, identity documents and biometric-style estimation data are exactly the kinds of data that should be handled with the least possible collection and the shortest possible retention.
What this means for VPN users
The Online Safety Act does not change the basic privacy advice: choose a reputable VPN, avoid free providers with unclear logging practices, enable the kill switch, and test for IP, DNS and WebRTC leaks. What changes is the legal and product context around access controls.
- Do not use a VPN to help children bypass age checks. That undermines the child-safety goal and is exactly the circumvention scenario Ofcom highlights.
- Do use a VPN for ordinary privacy needs such as hotel Wi-Fi, ISP privacy, travel networks and account security.
- Avoid panic-installing unknown VPN apps. The privacy paper found demand rose across the VPN market; users should still evaluate providers by audits, logging, ownership and jurisdiction.
- Keep browser privacy separate from VPN privacy. A VPN hides your IP from some parties, but it does not stop account login, cookies, device fingerprinting or an age-assurance vendor from collecting data you choose to submit.
If you are comparing services, start with our best VPN for privacy guide. If the practical concern is unsafe networks while travelling, see our hotel Wi-Fi VPN security guide. Freelancers handling client files should also read best VPN for freelancers.
Bottom line
The UK Online Safety Act is now one of the clearest real-world tests of age assurance at scale. Supporters see a long-overdue protection layer for children. Critics see a shift toward a more identity-linked web where sensitive access decisions depend on third-party checks.
For VPN users, the balanced position is simple: VPNs remain legitimate privacy tools, but they are no longer outside the policy debate. The more governments rely on age checks, location signals and access controls, the more important it becomes to choose privacy tools carefully and to demand age-assurance systems that minimise data collection.
Sources and further reading
- Ofcom: Age assurance duties under the Online Safety Act
- Ofcom: Important dates for Online Safety compliance
- Ofcom: Porn site fine for failing to have age checks
- ICO and Ofcom joint statement on online safety and data protection
- Online Safety Regulation Increases Privacy Risk: Evidence from the UK Online Safety Act
UK Online Safety Act and VPNs: FAQ
No. The Online Safety Act does not ban VPNs. Ofcom guidance does, however, treat VPN-based circumvention as part of the risk model for age assurance, especially where children may use a VPN to bypass protections.
Ofcom lists methods such as open banking, photo-ID matching, facial age estimation, mobile-network operator checks, credit-card checks, digital identity services and email-based age estimation as methods capable of being highly effective when implemented properly.
No. Ofcom says simple self-declaration is not capable of being highly effective age assurance for services that need robust checks.
Age assurance can involve personal data such as identity documents, facial analysis, payment signals or mobile-network checks. Ofcom says data protection compliance is mandatory, but privacy advocates still worry about data retention, breaches and mission creep.