EU Research Service Warns VPNs Are a 'Loophole' in Age-Verification Laws

The European Parliamentary Research Service has warned that virtual private networks are increasingly being used to The warning comes as governments across Europe and elsewhere continue expanding online child-safety rules that require platforms to verify users' ages before granting access to adult or age-restricted content. VPNs encrypt internet traffic and hide a user's IP address The EPRS notes that VPN usage surged after mandatory age-verification laws took effect in countries including the United Kingdom and several US states. In the UK, VPN apps reportedly dominated download charts after the law came into force. The document explicitly frames VPNs as a regulatory gap, stating that some policymakers and child-safety advocates believe VPN access itself should require age verification. England's Children's Commissioner has also called for VPN services to be restricted to adults only. Privacy advocates have objected to restricting VPN access, arguing that forcing users to verify their identity before accessing VPN services could significantly weaken anonymity protections and create new risks around surveillance and data collection. Last month, researchers found multiple security and privacy flaws in the European Commission's official age-verification app shortly after its release. The app, promoted as a privacy-preserving tool under the DSA framework, was discovered storing sensitive biometric images in unencrypted locations and exposing weaknesses that could allow users to The EPRS paper acknowledges that age verification remains technically difficult and fragmented across the EU. Current systems based on self-declaration, age estimation, or identity verification are described as relatively easy for minors to Regulators are beginning to address VPN use directly in legislation. Utah recently became the first US state to enact a law explicitly targeting VPN use in online age verification. The state's SB 73 defines a user's location based on physical presence rather than apparent IP address, even if VPNs or proxy services are used to mask it. The EPRS suggests VPN providers may face increasing scrutiny as the EU revises cybersecurity and online safety legislation, noting that future updates to the EU Cybersecurity Act could introduce child-safety requirements aimed at preventing VPN misuse to