From privacy to permission: how age-gating changes the web
The world is seeing a global trend towards age-gating the internet more and more, and the UK has become the country that makes the biggest legal effort in that direction, with its Online Safety Act and other regulations. These restrictions have already drawn a lot of criticism from various privacy groups and individuals, and it was mostly focused around the negative implications for people’s privacy and the low efficacy of the introduced age verification systems. Conversely, in their recent joint statement, Electronic Frontier Foundation, Mozilla, several VPN companies, and many others claimed that the new UK policies that push towards broader age checks are not simply ineffective and infringing on privacy, but that they are undermining the open web as a whole. While the signatories agree that the age verification technology and the infrastructure behind it are not ready for the challenge, it is not their main point. Instead, they highlight a different, more fundamental problem: the answer to online harms should not be building a web increasingly dependent on identity checks, effectively turning parts of the internet into permission-based spaces where users must continuously prove who they are.
What is going on in the UK
Over the last few years, the UK has passed — or proposed — several controversial laws affecting the online sphere. The Online Safety Act, passed in 2023, has made the biggest waves. As the country’s main online safety framework, it requires regulated online services to assess risks to children and take steps such as age checks, safer recommendation systems, and stronger moderation where minors are likely to use the service.
The need to protect children from online harms regularly appears in UK legislation as a justification for new restrictions and limitations. The Children’s Wellbeing and Schools Act, passed earlier in 2026, was also presented in part as a child-safeguarding measure and includes, for example, powers to require internet service providers to prevent or restrict children’s access to certain services. On March 2, the UK government launched the “Growing up in the online world” consultation to explore additional online safety measures for minors, including curfews, social media age limits, restrictions on features like infinite scroll and autoplay, AI chatbot restrictions, and ways age verification or age assurance could support enforcement.
The government itself acknowledges that enforcing minimum age rules may require adults to verify their age in order to access certain services, creating privacy trade-offs and additional friction for users. Still, those concerns have done little to slow the push toward broader age-assurance requirements, and the trend shows no signs of stopping.
From privacy concerns to internet checkpoints
In our previous articles, we already outlined how this trend — and it is by no means limited to the UK — threatens online privacy. Age verification often means collecting or processing IDs, biometrics, phone numbers, payment credentials, or other sensitive data. The more often users are asked to verify themselves, the more opportunities there are for leaks, scams, and misuse of personal information.
But the UK debate adds a whole other layer to the discussion. The issue goes beyond simply asking what happens to your data once you upload it. It becomes a question of what the internet itself will look like when identity checks become the norm. The risk is not only that your passport scan could be leaked — it is the normalization of asking for that passport scan in the first place.
In the joint statement mentioned earlier, the signatories warned that widespread age gates could undermine the decentralized nature of the web and push it toward a more permission-based model. Age verification at scale creates an infrastructure of permission: more services need to know who you are, how old you are, where you are, and whether you are allowed to enter. This is very different from the web many users have grown accustomed to — one based on open standards, shared protocols, and cross-border interoperability. Critics warn that if governments continue expanding age-assurance requirements, that model of the web may gradually give way to one increasingly built around identity checks and access controls.
VPNs under age checks: when privacy tools become restricted
VPNs provide a clear example of how this shift toward mandatory identity checks could affect basic privacy tools. The aforementioned UK consultation identifies VPNs as a possible circumvention tool and asks whether restricting children’s access should be prioritized. It even asks respondents whether, in principle, “everyone should go through age checks to access a VPN if it would prevent children from using them.”
But treating VPNs as mere loopholes misses the broader point. For many users, a VPN is an essential part of basic digital hygiene and an indispensable privacy protection tool — and now this tool itself could potentially be placed behind an age check.
And it’s hard to attribute this to ignorance. The government’s consultation acknowledges that VPNs have legitimate uses, including remote work, protecting sensitive communications, and safeguarding privacy, and notes that early evidence does not suggest the post-age-assurance VPN spike was driven by children trying to bypass checks. Yet the question of age-gating VPNs remains on the agenda, undermining rights while failing to address the root causes of online harm.
The real problem
Age-gating websites and restricting VPNs and other privacy tools is a superficial fix that misses the underlying problem. The real issue is not that children might outsmart the system and access harmful material; it is the system itself — the predatory tactics that exploit adults and minors alike, and the large platforms optimized for mass data collection and precise ad targeting. If anything, going further down the age restriction path would only solidify the dominance of Big Tech gatekeepers, as few large-scale apps and platforms controlled by tech giants would very likely decide who can and who can’t access content online.
The solution should not be “collect even more sensitive data but promise to handle it carefully.” Instead, it should be “collect less data in the first place.” It should mean designing spaces and services that are safe for children by default, reducing tracking, improving parental controls, and — perhaps most importantly — holding platforms accountable for intentionally harmful design.
Despite the warnings of privacy advocates, the trend so far points in the opposite direction. Age verification in the UK is just one example, but it reflects a broader pattern already present in other countries. As an individual, you can take steps to protect yourself: be cautious when a site asks for an ID, biometric data, or phone number. Even legitimate requests may affect your privacy, and fraudulent ones can have severe consequences. Be especially wary of shady “bypass services,” fake verification tools, and unknown apps promising easy access. And if you are concerned about the direction the web is heading, raise your voice — collectively, our voices may be heard.
The UK debate illustrates where online safety policy may be heading next. If every new online risk leads to more age checks, identity verification, and restrictions on privacy tools, the result could be an internet that is neither safer nor more private. Children deserve protection online, but everyone — including children — also deserves privacy. A safer internet should not require building a less private one.
