The UK Online Safety Act and VPNs
The UK’s Online Safety Act demands strict age checks and content controls, but a sharp rise in VPN use lets users dodge safeguards, creating new compliance risks.
The BBC reports that in July 2025, VPN apps where the most downloaded apps on the Apple App Store in the UK after social media and adult content sites began requiring age verification. In the Google Play Store, a similar rise of VPN apps was observed.
VPNs allow users to hide their location and appear to be browsing from abroad, an easy way to sidestep age verification. This has created a new compliance challenge for UK companies: how should businesses respond when users deliberately evade the safety measures using VPNs?
What the Act actually says about VPNs
To be clear: The Online Safety Act (currently!) does not ban the use of VPNs. However, UK regulators expect businesses to take “reasonable steps” and “highly effective” technical measures to prevent circumvention. If a platform ignores widespread VPN usage entirely, its safeguards may be judged ineffective, since underage users or offenders can easily bypass age checks and content filters. In practice, this means that while VPNs themselves are not outlawed, a lack of VPN detection or mitigation could be seen as falling short of compliance.
In an interview to BBC, the UK Children’s Commissioner Dame Rachel is quoted saying: "Of course, we need age verification on VPNs - it's absolutely a loophole that needs closing and that's one of my major recommendations."
These statements from regulators, combined with Ofcom’s mandate to assess whether platforms are taking “reasonable steps” against circumvention are a clear signal that VPN detection requirements are likely on the horizon. Businesses should anticipate that regulators will soon expect robust systems to identify and address VPN use.
What UK Businesses can do to detect VPNs
Assume evasion will happen: Don’t rely on IP-based geolocation alone. Some users will appear “foreign” but are really in the UK, using a VPN to hide their location. VPN Detection is the next step in ensuring compliance with the UK Online Safety Act. But keep in mind: The goal isn’t to completly ban VPNs, it’s to stop them from cricumventing your safety measures. Strong and reliable VPN Detection is key.
There are various techniques to detect VPN use, one of the easiest being the Focsec VPN Detection API. Focsec provides VPN/proxy intelligence as a signal to keep your safeguards effective without overreaching. Companies simply send the IP address of the user to the Focsec API and receive a highly reliable flag if the IP address is associated with a VPN service. If an IP is flagged as a VPN IP, businesses should apply additional verification measures.
We recommend not to blanket-ban all VPNs IPs, but rather to require extra assurance for high-risk VPN IPs coming to your website or service. In practice, this means a combination of both measures: traditional age verification and VPN detection.