August 12, 2025

UK Online Safety Act compliance risks from VPN traffic

The UK’s new Online Safety Act has created uncertainty for many website owners, especially those offering restricted or regulated content. In response, VPN usage in the UK has noticeably increased as users look for ways around the rules. However, for affected services, allowing or ignoring this traffic could lead to penalties. 

In this post, we’ll look at the recent bump we’ve noticed in UK VPN use, the compliance risks it poses for businesses, and how VPN detection can help you stay protected.

What is the Online Safety Act?

The Online Safety Act (OSA), introduced in the UK in 2023, aims to make the internet a safer place, with a focus on protecting children. It places strict legal duties on certain tech companies to protect users from illegal content, as well as legal content that could harm children.

Key highlights include:

  • Stronger protections for children: Platforms must assess and manage risks to young users, block age-inappropriate content, and deploy age verification systems.
  • Tougher rules on illegal content: Services must proactively identify and remove illegal or harmful content, and provide better moderation.
  • Accountability for executives: Senior managers at tech firms can be held criminally liable for serious failures to comply.
  • Fraud prevention: Platforms must take steps to prevent scams and fake advertisements.
  • User empowerment: Platforms must be more transparent about what content gets through and also must provide adults with tools that enable them to filter out legal but harmful content, like abuse or trolling.

Public discussion about the OSA has flared up following the July 25, 2025 deadline, which requires services that provide age-restricted content to verify that users really meet the age requirements before they access the page. This has been widely criticized by legal and internet freedom experts as a step backward that might harm legitimate businesses and undermine the privacy of end users.

The OSA requirements have drawn criticism for their legal ambiguity, particularly around age verification checks. These obligations extend beyond services that directly serve adult content or other content that might be considered harmful to children. They also apply to platforms that have any ability to link to harmful content, like search engines, social networks, or any service that allows posting content or interacting with people online.

The rules are drawn with such a broad brush that the majority of businesses need to take at least some preventative action. The need for these measures comes from the fact that businesses might be scrutinized by Ofcom, an independent regulator for the OSA, which has a wide range of enforcement powers, including the ability to fine services proven non-compliant with the OSA up to £18 million or 10% of global annual turnover, whichever is higher.

In the most severe cases, Ofcom can apply for a court order to block a website if it’s deemed non-compliant. For many businesses, this could be an extremely harsh penalty for an unintended mistake, especially if they have never fought against VPNs or other privacy tools before.

The UK government also issued additional preventative measures for services to catch and block users trying to avoid the required age verifications. Although the government has not specifically issued a general statement that VPNs are prohibited, the legal ambiguity can unfortunately push companies to take the overly cautious approach of blocking VPN users entirely.

Fingerprint data shows sharp rise in VPN usage

Many users have made it clear they don’t want to be tracked and directly identified on the internet. Public VPN providers have backed this up, noting a massive increase in signups coming from the United Kingdom, as reported by Wired.

Data from our device identification API shows that in the week following the release of that article, VPN detections in the European region increased by up to 30% compared with our regular traffic. This suggests that people are not just signing up and buying VPN service subscriptions in a panic; they are actually using them for their day-to-day browsing. This is a completely understandable response from users who want to use VPN services to protect their privacy. 

Whatever the intent, regulators might still require companies to take extra steps and ensure that everyone who is supposed to be verified has been correctly verified, or face fines.

The problem of blocking legitimate users

Many customers use VPNs for legitimate cases such as protecting their privacy. Businesses, on the other hand, might see this as a threat to their existence. As a result, they might err on the safe side and just say “no VPN users on our platforms” because they don’t have any other device intelligence insights.

However, this drastic measure captures a huge number of legitimate users who might not be trying to bypass anything. A typical user can use a VPN for a variety of good reasons, including increased privacy.

How can Fingerprint help businesses comply with regulations?

While Fingerprint offers VPN detection as a part of our Smart Signals, in this case, simply blocking all VPN users might filter out too many legitimate customers and hurt the business.

This is where Fingerprint’s device intelligence really shines, providing the transparency and context needed to decide whether a user requires further scrutiny. Using the multiple data points provided by our VPN Smart Signal, a customer can:

  • Receive a simple VPN detection flag.
  • Check if the VPN has been detected with high confidence (meaning multiple independent data collection methods indicate VPN use).
  • Verify whether the originTimezone belongs to Europe/London or another UK timezone like GMT or Europe/Belfast.
  • Identify the country in our IP Geolocation field to see if the VPN came from a different country and needs to be scrutinized.
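
One way to combine these four signals into a routing decision, as an added example that is not Fingerprint's own code. The flattened input fields (vpnDetected, vpnConfidence, ipCountry), the action names and the policy choices are assumptions for illustration; only originTimezone and the UK timezone names come from the list above.

```javascript
// Added example. The input is a hypothetical, flattened signal object,
// not the actual Fingerprint API response schema.
const UK_TIMEZONES = new Set(["Europe/London", "Europe/Belfast", "GMT"]);
const UK_COUNTRY = "GB"; // ISO 3166-1 alpha-2 code for the United Kingdom

// Returns { action, reason } for a visitor to an age-restricted page.
// s: { vpnDetected, vpnConfidence, originTimezone, ipCountry } (assumed names)
function triageVisitor(s) {
  // IP already geolocates to the UK: the UK flow applies, VPN or not.
  if (s.ipCountry === UK_COUNTRY) {
    return { action: "uk_age_check", reason: "ip_in_uk" };
  }
  // No VPN and a non-UK IP: nothing suggests a UK visitor.
  if (!s.vpnDetected) {
    return { action: "standard_flow", reason: "no_vpn_non_uk_ip" };
  }
  // VPN in use but no device timezone: too little context to decide,
  // so request more evidence instead of blocking outright.
  if (!s.originTimezone) {
    return { action: "step_up_review", reason: "vpn_timezone_unknown" };
  }
  if (UK_TIMEZONES.has(s.originTimezone)) {
    // UK device timezone behind a non-UK exit IP. Only a high-confidence
    // VPN detection is treated as enough to apply the UK flow directly.
    return s.vpnConfidence === "high"
      ? { action: "uk_age_check", reason: "vpn_high_confidence_uk_timezone" }
      : { action: "step_up_review", reason: "vpn_low_confidence_uk_timezone" };
  }
  // VPN user whose device timezone is outside the UK: keep access open.
  return { action: "standard_flow", reason: "vpn_non_uk_timezone" };
}

// Constructed sample visitors (not real traffic).
const SAMPLE_VISITORS = [
  { vpnDetected: false, ipCountry: "GB", originTimezone: "Europe/London" },
  { vpnDetected: true, vpnConfidence: "high", ipCountry: "NL", originTimezone: "Europe/London" },
  { vpnDetected: true, vpnConfidence: "low", ipCountry: "US", originTimezone: "GMT" },
  { vpnDetected: true, vpnConfidence: "high", ipCountry: "DE", originTimezone: "Europe/Berlin" },
  { vpnDetected: true, vpnConfidence: "high", ipCountry: "FR" },
];

function triageAll(visitors) {
  return visitors.map((v) => triageVisitor(v).action);
}

console.log(triageAll(SAMPLE_VISITORS));
```

Logging the returned reason alongside each decision gives a record of why a visitor was routed to verification or review.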

This approach is not a silver bullet, and businesses would need to fully comply with the requirements; however, it can provide some of the desperately needed confidence in this otherwise very chaotic rollout.

Stay compliant without losing legitimate users

The UK Online Safety Act has created a complex compliance landscape, especially with the increase in VPN usage. By combining VPN detection with additional context from Fingerprint’s Smart Signals, you can meet regulatory expectations while preserving access for legitimate users.

If you want to learn more about our VPN Detection Smart Signal, visit our development documentation or start a free trial to see it in action.
