The European Parliamentary Research Service (EPRS) has warned that virtual private networks (VPNs) are increasingly being used to bypass online age-verification systems, describing the trend as “a loophole in the law that needs to be closed”.
The warning comes as governments in Europe and elsewhere continue to expand online child-protection rules that require platforms to verify the age of users before granting access to adult or age-restricted content.
VPNs are privacy tools designed to encrypt Internet traffic and hide a user’s IP address by routing the connection through a remote server. While widely used for legitimate purposes such as protecting communications, avoiding surveillance, and enabling secure remote work, regulators are increasingly concerned that the same technology allows minors to evade regional age checks.
EPRS notes that VPN use has increased after mandatory age-verification laws were implemented in countries including the United Kingdom and several US states. In the UK, where online services are now required to prevent children from accessing harmful content, VPN apps have reportedly dominated the download charts since the law was implemented.
The document explicitly presents VPNs as a regulatory gap, stating that some policymakers and child-protection advocates believe age verification should be required for VPN access. England’s Children’s Commissioner has also called for VPN services to be restricted to adults only.
However, forcing users to verify their identity before accessing VPN services can significantly weaken anonymity protections and create new risks around surveillance and data collection. VPN providers and other privacy advocates have already expressed their objection to this approach in a letter sent to UK policymakers.
Last month, researchers found several security and privacy flaws in the European Commission’s official age-verification app shortly after its release. The app, promoted as a privacy-preserving tool under the DSA framework, was discovered to be storing sensitive biometric images in unencrypted locations and exposed vulnerabilities that could allow users to bypass verification controls altogether.
The EPRS paper acknowledges that age verification remains technically difficult and fragmented across the EU. Current systems based on self-declaration, age estimation, or identity verification have been described as relatively easy for minors to bypass. The report highlights emerging approaches, such as the “double-blind” verification system used in France, where websites only receive confirmation that a user meets age requirements without learning the user’s identity, while the verification provider does not see which websites the user visits.
Additionally, regulators are starting to directly incorporate the use of VPNs into law. Utah recently became the first US state to enact a law explicitly targeting the use of VPNs in online age verification. The state’s SB 73 defines a user’s location based on physical presence rather than an explicit IP address, even if VPN or proxy services are used to hide it.
The EPRS suggests that VPN providers may face increased scrutiny as the EU revises cybersecurity and online safety legislation, noting that future updates to the EU Cybersecurity Act could introduce child-protection requirements aimed at preventing the misuse of VPNs to circumvent legal protections.
If you liked this article then do follow us. X/Twitter Even more Linkedin For more specific content.
<a href