UK VPN growth under the Online Safety Act: what should teams do?

TL;DR: UK VPN detections rose up to 30% in Fingerprint’s European traffic after scrutiny around the Online Safety Act intensified, underscoring how privacy-preserving browsing can collide with age verification and compliance duties. Blocking VPNs alone catches many legitimate users, so device intelligence and higher-confidence verification signals become the practical control layer.

NHIMG editorial — based on content published by Fingerprint: UK VPN growth, the Online Safety Act, and device intelligence for compliance

By the numbers:

• In the week following the release of that article, VPN detections in the European region increased by up to 30% compared with our regular traffic.
• Ofcom can issue fines up to £18 million or 10% of global annual turnover, whichever is higher, for non-compliance with the Online Safety Act.
• Fingerprint’s device identification API saw VPN detections rise by up to 30% in the European region, showing that users were actively browsing through privacy tools.

Questions worth separating out

Q: How should security teams handle VPN users without blocking legitimate access?

A: Security teams should use VPN detection as a contextual risk signal, not as an automatic deny rule.

Q: Why do VPNs make age verification harder to enforce?

A: VPNs obscure the network and location signals that many verification workflows rely on.

Q: What do teams get wrong about blocking VPN traffic?

A: Teams often confuse visibility with certainty.

Practitioner guidance

• Treat VPN detection as a risk input Feed VPN signals into a broader decision engine that also considers device reputation, geolocation consistency, and confidence level before applying blocks or step-up checks.
• Build exception paths for legitimate privacy use Allow review-based handling for users whose traffic appears privacy-protected but not clearly evasive, so compliance controls do not collapse into blanket denial.
• Separate age assurance from network origin Use stronger identity and verification checkpoints for age-restricted access instead of relying on IP location or VPN presence as the primary control.

What's in the full article

Fingerprint's full article covers the operational detail this post intentionally leaves for the source:

• How its VPN Smart Signal combines confidence scoring, IP geolocation, and timezone checks to support access decisions
• The specific device intelligence fields practitioners can inspect when a VPN flag needs escalation rather than automatic blocking
• Why broad VPN exclusion can create false positives for legitimate users and what that means for compliance workflows
• How teams can use the signal in product or policy flows without treating it as a standalone verification control

👉 Read Fingerprint’s analysis of UK VPN growth and Online Safety Act compliance →

UK VPN growth under the Online Safety Act: what should teams do?

Explore further

View Full Forum →  |  NHI Foundation Course →