Just three weeks ago, Serve Legal reported that the UK’s Online Safety Act (OSA) had triggered a 1,800% surge in VPN use, as internet users looked for ways to avoid new age verification checks. Now, that loophole is dominating national conversation — with the Children’s Commissioner for England warning that VPNs must be regulated to prevent under-18s from accessing harmful content.
The Online Safety Act (brought into force only a number of weeks ago) requires platforms to introduce “highly effective” age assurance to stop underage users accessing adult material, gambling, or harmful forums related to pornography, self-harm, eating disorders, and suicide. In response, major platforms such as Pornhub, Reddit, X, and Discord have rolled out strict age checks, ranging from facial age estimation to ID uploads and banking verification.
But almost immediately, VPNs became the UK’s most downloaded apps. By concealing a user’s IP address and location, VPNs allow under-18s to bypass these checks entirely — exposing a critical flaw in the legislation’s enforcement.
Dame Rachel de Souza, the Children’s Commissioner, urged ministers to close this gap, telling BBC Newsnight:
“Of course, we need age verification on VPNs – it’s absolutely a loophole that needs closing and that’s one of my major recommendations.”
She has recommended that VPN providers themselves be required to implement robust age assurance systems to prevent under-18s from subscribing to or using their services to access pornography and other restricted content.
In a report, her office wrote:
“The Act provides powers to limit children’s access to pornography… The problem is that there will always be ways around measures which limit access. The office is concerned that even with the new rules, users will be able to circumvent restrictions through the use of Virtual Private Networks (VPNs). Within a day of the new rules being in place, VPN use in the UK was platformed as an easy work-around.”
The scale of the problem was highlighted further when online forum 4chan openly defied Ofcom, underscoring the challenge of enforcing compliance across a fragmented global internet.
Despite the VPN surge, early evidence shows that age checks are deterring some users from visiting adult sites altogether.
This suggests that while VPNs remain a workaround, many users are unwilling to link explicit content to verified accounts.
While VPNs remain legal in the UK, the OSA puts the responsibility squarely on platforms to demonstrate they are taking effective, real-world steps to protect under-18s. Any platform hosting user-generated content, forums, or age-restricted material is within scope of the Act — and risks penalties of up to £18 million or 10% of global turnover for non-compliance, enforced by Ofcom.
Crucially, regulators will expect platforms to address not just their internal age checks, but also the practical ways those checks can be bypassed.
At Serve Legal, we help platforms test the real-world effectiveness of their safeguards through independent Online Safety Act Audits.
Our audits simulate genuine user behaviour, using trained mystery shoppers aged 13+ to uncover where systems succeed — and where they can be bypassed. We test:
The Children’s Commissioner’s call to regulate VPNs makes clear that compliance under the OSA will continue to evolve — and that platforms must prepare for higher levels of scrutiny.
Serve Legal provides the independent assurance that platforms need to demonstrate compliance, protect young users, and avoid enforcement action.
Contact our team today to arrange an Online Safety Act Audit tailored to your platform.