The United Kingdom has taken a decisive step toward becoming the first Western democracy to mandate UK VPN age verification. On May 26, 2026, the government's three-month public consultation titled "Growing Up in the Online World" officially closed, having gathered over 45,000 responses. The consultation directly asked whether VPN providers should be legally required to verify users' ages - a move that would fundamentally reshape the VPN industry in Britain.
What the Consultation Asked
Launched in late February 2026, the "Growing Up in the Online World" consultation was run by the Department for Science, Innovation and Technology. Among its core questions was whether VPN services should be forced to implement age gates - technical systems that block access for users under 18 - in the same way that adult websites are already required to do under the Online Safety Act 2023.
The motivation is straightforward: Ofcom, the UK's communications regulator, found that approximately one-third of children admitted to using VPNs specifically to bypass age verification systems on adult content sites. As age verification requirements expanded across social media and streaming platforms through 2025, VPN usage among younger users spiked in response.
The government framed VPN access as part of a broader package of online risks for children, alongside algorithmic recommendation systems and infinite scroll features. For regulators, the concern is that strong age gates on platforms mean nothing if a free VPN can route around them in seconds.
The Surge in UK VPN Usage
The numbers tell a striking story. In July 2025, roughly 650,000 people used a VPN daily in the United Kingdom. By May 2026 - following waves of new age verification requirements for social media and video platforms - that figure had more than doubled to 1.4 million daily users. Regulators point to this growth as direct evidence that age gates on content platforms are being systematically circumvented.
The consultation comes against a backdrop of escalating pressure on encrypted services in Britain. Just weeks earlier, the National Crime Agency's director Graham Biggar publicly classified end-to-end encrypted messaging as a "risk feature" for children, calling on Parliament to give law enforcement new powers to restrict E2E encryption in messaging apps. That landmark NCA position marked the first time a major Western law enforcement agency officially targeted encryption as a child safety threat.
What Happens Next
The government has promised an official response to the consultation's findings by summer 2026. The legislative path is already mapped out: proposed amendments to the Children's Wellbeing Bill would give the government authority to restrict children's VPN access without requiring a separate standalone law. If passed, Ofcom would gain powers to enforce compliance on VPN providers operating in the UK market.
Full legislation is expected before the end of 2026. The UK would become the first major Western democracy to impose mandatory age verification on VPN services - a significant precedent that privacy advocates warn could inspire similar moves across Europe and beyond.
Industry groups and digital rights organizations have raised sharp objections throughout the consultation period. Critics argue that age verification for VPNs is technically unworkable - any requirement imposed on UK-registered providers would simply push users toward foreign services beyond British jurisdiction. They also warn that forcing VPN users to submit age-proving identity documents creates new privacy and data security risks, particularly for the journalists, activists, and whistleblowers who depend on anonymous browsing.
The Technical Challenge
Implementing VPN age verification presents unique challenges that differ from verifying ages on a website. VPN protocols operate at the network layer, not the application layer - there is no natural point to insert a verification prompt in the way a website can redirect a visitor to an age-check page.
Proposed approaches include requiring age verification at the point of VPN app installation or account creation, with identity documents checked against a trusted third-party verifier. Critics note this would only affect app stores and registered VPN services, leaving browser-based VPN tools, Tor, and countless foreign-hosted services completely unaffected. A determined teenager could simply switch services within minutes.
The consultation also raised questions about how enforcement would work against VPN providers headquartered outside the UK. The Online Safety Act already struggles with cross-border enforcement, and VPN services by their nature can operate from any jurisdiction in the world.
A Pivotal Moment for Digital Privacy
For privacy advocates, the consultation's closure marks a critical inflection point. While the UK has long been an outlier in Western democracies for its surveillance-friendly legislation - including the Investigatory Powers Act and the Online Safety Act - a mandatory age verification regime for VPNs would represent a qualitative shift. It would be the first law in a democratic country that effectively restricts access to privacy tools themselves, not just to certain types of content.
VPN usage is not just a matter of bypassing content restrictions. These tools protect sensitive communications for business travelers, remote workers, political dissidents, and ordinary users concerned about tracking by advertisers and cybercriminals. Any regulation mandating identity checks for VPN access would require users to surrender anonymity as a condition of using a privacy tool - an inherent paradox that critics say undermines the fundamental purpose of VPNs.
