The European Parliament Research Service (EPRS) recently warned that virtual private networks (VPNs) are increasingly being used to bypass online age verification systems, describing this trend as a "loophole in legislation that needs to be closed." The warning comes as governments in Europe and elsewhere continue to expand online child safety rules, requiring platforms to verify a user's age before granting them access to adult or age-restricted content.
VPN is a privacy tool designed to encrypt internet traffic and hide the user’s IP address by routing the connection through a remote server. While VPNs are widely used for legitimate purposes such as protecting communications, avoiding surveillance and enabling secure remote working, regulators are increasingly concerned that the technology also allows minors to bypass regional age checks. The European Parliament Research Service notes that VPN usage has surged after countries including the UK and several US states implemented mandatory age verification laws. In the UK, online services are now required to prevent children from accessing harmful content, and VPN apps reportedly dominated download charts after the law came into effect.
The document clearly defines VPNs as a regulatory void, noting that some policymakers and child safety advocates believe that VPN access itself should require age verification. England's Children's Commissioner has also called for VPN services to be restricted to adults only. However, forcing users to verify their identity before accessing a VPN service could seriously weaken anonymity protections and create new risks in terms of surveillance and data collection. VPN providers and other privacy advocates have expressed their opposition to the approach in a letter to UK policymakers.
Last month, researchers discovered multiple security and privacy vulnerabilities in the European Commission’s official age verification app shortly after its release. The app, which was promoted as a privacy tool under the Digital Services Act (DSA), was found to be storing sensitive biometric images in an unencrypted location, exposing weaknesses that could allow users to completely bypass verification controls.
The document from the European Parliament’s Research Service acknowledges that age verification remains technically difficult and fragmented across the EU. Current systems based on self-declaration, age estimation or identity verification have been described as relatively easy to bypass by minors. The report highlights emerging methods, such as the "double-blind" verification system used in France, in which websites only receive confirmation that a user meets age requirements without knowing the user's identity, while the verification provider cannot see which websites the user has visited.
At the same time, regulators are starting to address VPN use directly in legislation. Utah recently became the first state in the United States to enact a law specifically targeting the use of VPNs for online age verification. The state's SB 73 bill defines user location based on physical presence rather than apparent IP address, even if a VPN or proxy service is used to mask the location.
VPN providers are likely to face increased scrutiny as the EU revise cybersecurity and online safety legislation, the European Parliament’s Research Service said. The agency noted that future updates to the EU Cybersecurity Act may introduce child safety requirements designed to prevent the misuse of VPNs to bypass legal protections.