UK Children's Online Safety Push Triggers Age-Check Surge and VPN Boom

The UK government's rolling programme of children's online safety measures — spanning social media, gaming platforms, and AI chatbots — has produced a measurable and unintended side effect: a sharp rise in VPN adoption as users seek to route around age verification controls.

Ofcom research published in May 2026 confirmed that five million additional online age checks are being carried out in the UK every day, a figure reported earlier by The Guardian. That volume reflects the Online Safety Act's age assurance duties taking hold across platforms. It also reflects the friction those duties create — VPN apps climbed to the top of UK App Store charts in mid-2025 as users searched for ways to mask their location and bypass gatekeeping, per BBC reporting from July 2025.

The Policy Landscape

The regulatory architecture behind this friction has been built up in layers. In January 2026, the Secretary of State told the House of Commons that the government was actively considering banning social media access for under-16s and raising the digital age of consent. A day later, the Department published further plans to restrict addictive features in mobile apps and social platforms — scroll-to-infinity feeds, push notification schedules calibrated to maximise re-engagement, and similar design patterns.

By March 2026, that set of proposals crystallised into a landmark public consultation covering social media, gaming platforms, and AI chatbots simultaneously. The breadth of scope is notable: extending age assurance obligations to AI chatbots acknowledges that conversational AI has moved rapidly from a curiosity to a primary contact point for younger users.

Underpinning all of this is Ofcom's age assurance guidance under the Online Safety Act, which sets out what platforms must do to prevent age-restricted content reaching minors. Critically, that guidance also covers platform conduct around circumvention: Ofcom's position, reported by the BBC in July 2025, is that platforms must not host or permit content that encourages users to deploy VPNs to defeat age checks.

The Circumvention Problem

Platform-level enforcement of the anti-circumvention rule is one thing. What it cannot address is the VPN itself, which sits outside the platform's jurisdiction. The government has been explicit on this point. A spokesperson confirmed in August 2025 that VPNs are legal tools for adults and that there are no plans to ban them. That position is consistent with broader UK internet policy, but it sets up an inherent tension: age controls can be technically sound and legally mandated while remaining trivially bypassed by anyone with a smartphone and five minutes.

The VPN adoption pattern here is not novel. Geoblocking of streaming content produced the same response at scale for years, and every jurisdiction that has attempted to restrict access to specific categories of online content has encountered motivated users reaching for tunnelling tools. What is different in the UK context is the population segment doing it — or at least the population segment the controls are meant to protect. The concern is not sophisticated adult users running WireGuard on a self-hosted VPS; it is teenagers installing free consumer VPN apps at volume.

That last point warrants attention. Security and privacy researchers have long documented risks associated with free VPN services — data harvesting, traffic logging, and in some cases malware delivery. A policy designed to reduce children's exposure to harmful content online may, as a second-order effect, route some of those same users through infrastructure with its own set of risks. That is not a reason to abandon age assurance as a mechanism, but it is a real operational consequence that policymakers and Ofcom will need to factor into enforcement strategy and public communications.

What Comes Next

The consultation closed with a wide scope deliberately. Including AI chatbots alongside social media and gaming signals that the government is attempting to get ahead of the next wave of child-facing surfaces rather than playing catch-up, as it did with social media through most of the 2010s. Whether the consultation translates into statute — and on what timeline — depends on parliamentary process and the volume of industry pushback, which historically has been substantial.

The five-million-daily-checks figure is a reasonable early indicator that the age assurance machinery is running. The VPN chart position is an equally reasonable indicator that it is not running frictionlessly. Reconciling those two data points is the work that sits in front of Ofcom and the government now — the technical, legal, and communications challenge of making age controls meaningful without pushing a generation of young users toward unvetted circumvention tools.

Age assurance as a category has been technically viable for several years; the gap has always been in the will and the regulatory scaffolding to require it. The UK is further along that path than most comparable democracies. Whether the circumvention rate stabilises, drops as novelty fades, or becomes a structural feature of the regime is the real question the next twelve months will answer.