Britain has shifted from "check age" to "close the loophole." In the summer of 2026, the government is preparing to ban social media for children under 16 and — for the first time openly — is discussing restrictions on VPNs themselves, while the European Commission calls them "a loophole that needs to be closed." Let's break down what is happening, why commercial VPNs are under threat, and which privacy tools will actually survive this wave.
What Happened: From Age Checks to Hunting for Workarounds
The story unfolds like a textbook case. First, the government introduces age verification, users widely install VPNs to pretend to be residents of another country, and then the government targets the VPN itself. The UK passed the first two acts in 2025 and is now entering the third.
The starting point is the Online Safety Act 2023, which came into effect on July 25, 2025. It mandated that websites with "adult" content and self-harm materials implement a "highly effective" age verification: uploading a government ID and a selfie. The reaction was immediate and record-breaking: Proton VPN reported a 1400% increase in registrations in the UK right after the law was enacted, and at its peak, it surpassed ChatGPT as the most downloaded free app in the British App Store; the company then recorded a steady daily registration growth of up to 1800%. NordVPN confirmed a 1000% spike in purchases in the UK, with five VPN apps making it to the top 10 in the App Store. A petition on the Parliament's website demanding the repeal of the Online Safety Act was signed by over 270,000 people.
This is not a British anomaly. Similar surges have already occurred in France (+1000% after similar rules were introduced in June 2024) and Turkey (+1100% after tightening internet restrictions). We detailed how age verification laws worldwide are fracturing the internet and why demand for proxies and VPNs is hitting record highs in our article on age verification and the surge in demand for workarounds — this is the backdrop against which the new episode unfolds.
The New Episode: "Australia-plus" and the Focus on VPNs
In June 2026, the government announced a ban on social media for teenagers under 16, calling it the "Australia-plus" approach — stricter than Australia's. The ban affects TikTok, Instagram, Snapchat, X, Reddit, YouTube, and Facebook. Unlike Australia with its "reasonable steps," the UK demands "highly effective" age verification, and the regulator Ofcom is assessing coercive technologies.
A key shift is that for the first time, the focus is on the workaround itself. Andy Burnham, who is considered a likely future prime minister, is reportedly preparing restrictions on VPNs to prevent teenagers from circumventing the ban. Technology Minister Liz Kendall stated directly: "We will make further announcements regarding VPNs in July." This means the government is moving from content control to controlling the access tool.
Technically, the ban has an inconvenient arithmetic: approximately 10% of teenagers do not have a passport. Therefore, alternatives are being discussed — facial age estimation, digital ID schemes, and verification through financial and telecom data. Human rights advocates are sounding the alarm. Maya Thomas from Big Brother Watch warns that mass collection of IDs and biometrics will not make children safer but will create "a completely new set of cyber risks" for everyone. Former Member of the European Parliament David Campbell Bannerman expressed his concerns more sharply: "We are sleepwalking into a dystopian nightmare."
Europe: "VPNs are a loophole that needs to be closed"
Britain is not alone. The Executive Vice-President of the European Commission Hanna Virkunen supported the idea of restricting VPNs. The European Commission itself is promoting an age verification app and the concept of a "digital passport" for internet access, explicitly stating that their system cannot be circumvented through VPNs. The European Parliament's analytical center even called VPNs "a loophole that needs to be closed."
It is important to understand a fundamental thing that regulators have finally realized. There are two different types of blocking:
- Geo-blocking by IP. The website checks from which country the request originated. VPNs and proxies work against this: you take an IP from the desired country — and the content opens up.
- Identity-bound verification. Age is confirmed by a government ID and a face scan at the account level, rather than by geolocation. Location spoofing is useless against this: it doesn't matter whose IP you have if the system requires your face and your document.
This is precisely why the new wave of laws is betting on identity-bound verification — and this is an honest technical fact that needs to be acknowledged: neither VPNs nor proxies will "bypass" age verification tied to biometrics and documents. Any service promising otherwise is selling an illusion. The regulators' shift in this direction is not a coincidence but a direct response to the VPN surge of 2025.
Why Commercial VPNs are the First to be Targeted
If facial verification cannot be bypassed by VPNs, why do governments want to ban VPNs at all? Because they still work for geo-blocking and censorship — and because they are technically the easiest to detect and shut down. The experience of countries that have already cracked down on VPNs is telling.
Russia
By mid-January 2026, approximately 439 VPN services had been blocked in the country — 70% more than in the fall of 2025. Deep packet inspection (DPI) is used through the TSPU system and AI traffic classification: the system learns to recognize the characteristic "fingerprints" of VPN protocols without even decrypting the content.
China
The "Great Firewall" has added entropy analysis and active probing of servers. After the seizure of domestic relay servers in April 2026, the success rate of connections for NordVPN and ProtonVPN dropped "almost to zero."
UAE
Using VPNs to access blocked services falls under Federal Decree-Law No. 34 of 2021 — with fines of up to 2 million dirhams.
The common denominator is simple: commercial VPNs are a narrow, well-known set of server IPs and a recognizable protocol signature. The ranges of public VPN endpoints have long been cataloged, OpenVPN/WireGuard handshakes are recognized by DPI, and hundreds of thousands of users connect through the same addresses. For a government firewall, this is a large, static, easily fingerprintable target. Hence the "almost zero" success rate of connections in China.
What Will Actually Survive This Wave
The takeaway for those working with privacy and data legally — business analytics, ad verification, price monitoring, QA in different regions, cross-regional access to public content — differs from the slogans of "bypass everything."
Firstly, where verification is tied to your identity (biometrics, government ID), technical means do not solve the problem at all — it is a matter of law and consent, not proxies. Let's be honest and not sell workarounds.
Secondly, where geo-access and IP reputation are concerned, the difference between tools becomes crucial. Unlike general VPN endpoints, residential and mobile proxies use real IPs from home providers and cellular operators. For systems assessing the origin and reputation of an address, such traffic appears as a regular user, not as a known VPN node. This is the foundation of resilience: not a clever workaround of the law, but an infrastructure that is harder to confuse with a "list of public VPNs."
- Residential proxies — IPs from real home networks; suitable for collecting public data, checking listings, and advertising in specific regions.
- Mobile proxies — IPs from cellular operators; offering the most "human-like" profile where detection is the strictest.
This is why market reviews for 2026 increasingly recommend real operator IPs over public VPNs and data center addresses: the latter are easier to catalog and block wholesale. What is currently decimating VPNs in Russia and China is precisely the fingerprinting of static endpoints, not "proxies as a class."
What This Means in Practice
- Differentiate the type of barrier. Geo-blocking by IP — proxies help. Identity verification by document/face — nothing helps, and it's okay to acknowledge that.
- Do not rely on a single public VPN endpoint. As 2026 shows, static ranges are being shut down wholesale. Resilience comes from diversity and the reality of IPs, not a "secret protocol."
- Operate within the legal framework. Age laws and biometrics are a matter of compliance, not circumvention. Legal scenarios (analytics, advertising, price monitoring, cross-regional QA) are not affected by the new wave.
- Prepare for the DPI era. Regulators are shifting from IP blocking to traffic inspection and identity binding. The infrastructure that looks like a regular home or mobile user will prevail.
Conclusion
In July 2026, Britain is doing what everyone who introduces age checks eventually does: it stops fighting content and starts fighting the workaround. The European Commission calls VPNs "a loophole," Russia is shutting down hundreds of services, and China is reducing their success to zero. But the lesson here is not "proxies are dying," but rather the opposite: the era of static, easily fingerprintable endpoints is coming to an end. Identity-bound checks cannot be honestly bypassed by anything — and this needs to be stated clearly. For legitimate geo-access and working with public data, the infrastructure that is indistinguishable from a real user wins: real residential and mobile IPs. Governments are closing loopholes — but they are closing those that were wide and noticeable.
