The Online Safety Act (OSA) is one of the longest and most complex laws on the UK’s statute books. It’s also one of the most controversial, containing provisions designed to force online platforms to police content, peer into private conversations, and verify the age of their users. It is the latter that sparked outrage from various quarters when it went into force on July 25.
Despite promising to make the internet a safer place, especially for children, the OSA could actually make it more perilous for companies, if it leads to a lasting increase in VPN use. At the very least, organisations may need to update their security controls and acceptable usage policies in line with the new landscape.
Unintended Consequences
The OSA requires any website showing pornographic content to implement strict age verification checks that are “technically accurate, robust, reliable and fair”. Other sites that feature ‘adult’ content – like X (formerly Twitter), Reddit, Discord, Telegram, Bluesky, and Grindr – have also committed to age checks. With fines rising to £18m, or 10% of worldwide revenue, many platforms that provide user-generated content are erring on the side of caution.
For many users, this is a problem. Age checks could require them to enter an email, phone number, identity document scan, credit card details, or a photo/video of their face. Providers selected for the job of processing this information include Persona – a US firm – and AgeID, based in Cyprus. Users get no choice. They must use the provider chosen by the website/platform they’re trying to access.
Understandably, internet users are dubious about handing over highly sensitive personal and biometric information to providers that will store it overseas. That’s why many are choosing to invest in a VPN, on their own terms.
The Rise of the VPN
Various stats tell the story of what happened in the days following July 25. VPN provider Proton reported signups originating in the UK increasing by more than 1,400% on that very day. “Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content,” it claimed.
Meanwhile, Google searches inside the country for “virtual private network” hit “peak popularity” on July 26. According to vpnMentor, five VPN providers entered the top 10 most downloaded apps on Apple’s App Store.
The challenge from a security perspective is that not all VPNs are as secure and privacy conscious as they make out. They may:
- Share data with hostile nations
- Use outdated or weak encryption, which leaves connections vulnerable to man-in-the-middle attacks
- Sell user data to third parties
- Bundle software with malicious code
- Contain vulnerabilities which could be exploited
- Present a data leak/breach risk, if the provider is compromised
In short, if an employee downloads a consumer-grade VPN to a work laptop, a personal laptop used for work or a BYOD device, it could present a major shadow IT risk undermining data governance and security posture. That’s aside from the potential risks of visiting adult sites which may harbour malware.
What to Do Next?
Mark Weir, regional director for UK and Ireland at Check Point Software, claims most organisations already prohibit the use of personal VPN tools on both BYOD and corporate devices. But given the recent surge in take-up, he advises security teams to refresh those policies and to check that none are missing.
“Organisations should adopt tools that can detect shadow IT systems and identify related users. Where such tools are already in place, special attention should be given to monitoring personal VPN usage, alongside other potential security and compliance risks,” he tells ISMS.online.
“It is also important to run an education campaign to raise awareness of these policies among the end-user community. Taken together, this three-pronged approach of policy enforcement, technology adoption, and user education, can help address the surge in personal VPN usage effectively.”
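One way to operationalise the “detect shadow IT” and “monitor personal VPN usage” steps described above is to triage an endpoint-management export for personal-VPN indicators. The script below is an added illustration, not code from ISMS.online, Check Point or any other vendor named in this article. It assumes an inventory record per device with `host`, `user`, `installed_apps`, `adapters` and `remote_ports` fields (an assumed schema), an indicator list in which Proton VPN is the one provider the article names and “ExampleVPN” is a placeholder, and a placeholder name for the sanctioned corporate VPN adapter. The sample inventory is constructed.

```python
"""Flag endpoints showing personal-VPN indicators in a constructed inventory.

Added example, not ISMS.online's or any vendor's code. Record schema,
indicator lists and the sanctioned-adapter name are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Consumer VPN clients to flag. "proton vpn" is named in the article;
# "examplevpn" is a placeholder, not a real product.
CONSUMER_VPN_APPS = {"proton vpn", "examplevpn"}
# Adapter-name fragments typical of user-space tunnel drivers (assumption).
TUNNEL_ADAPTER_HINTS = ("wintun", "tap-windows", "utun", "wireguard")
# Default UDP ports of OpenVPN (1194) and WireGuard (51820).
TUNNEL_PORTS = {1194, 51820}
# Adapter name of the sanctioned corporate VPN (placeholder).
SANCTIONED_ADAPTERS = {"corpvpn"}


@dataclass
class Finding:
    host: str
    user: str
    reasons: list[str]


def assess_endpoint(record: dict) -> Finding | None:
    """Return a Finding if the record shows unsanctioned VPN activity, else None."""
    reasons: list[str] = []

    # 1. Installed consumer VPN clients (asset-management view).
    apps = {a.lower() for a in record.get("installed_apps", [])}
    for app in sorted(apps & CONSUMER_VPN_APPS):
        reasons.append(f"consumer VPN client installed: {app}")

    # 2. Tunnel adapters that are not the corporate VPN.
    for adapter in record.get("adapters", []):
        name = adapter.lower()
        if name in SANCTIONED_ADAPTERS:
            continue
        if any(hint in name for hint in TUNNEL_ADAPTER_HINTS):
            reasons.append(f"unsanctioned tunnel adapter: {adapter}")

    # 3. Outbound connections to well-known VPN protocol ports.
    for port in sorted(set(record.get("remote_ports", [])) & TUNNEL_PORTS):
        reasons.append(f"outbound connection to VPN protocol port {port}")

    if not reasons:
        return None
    return Finding(record["host"], record["user"], reasons)


def triage(inventory: list[dict]) -> list[Finding]:
    """Assess every record and keep only those with findings."""
    return [f for f in (assess_endpoint(r) for r in inventory) if f]


# Constructed sample export: one consumer-VPN user, one clean corporate
# VPN user, one hand-configured WireGuard tunnel.
SAMPLE_INVENTORY = [
    {"host": "LT-001", "user": "alice",
     "installed_apps": ["Microsoft Office", "Proton VPN"],
     "adapters": ["Ethernet", "ProtonVPN WinTun"],
     "remote_ports": [443, 1194]},
    {"host": "LT-002", "user": "bob",
     "installed_apps": ["Microsoft Office"],
     "adapters": ["Wi-Fi", "CorpVPN"],
     "remote_ports": [443]},
    {"host": "LT-003", "user": "carol",
     "installed_apps": ["Slack"],
     "adapters": ["Wi-Fi", "WireGuard Tunnel"],
     "remote_ports": [443, 51820]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host} ({finding.user}):")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Each finding identifies the user as well as the device, which is what the quoted advice asks for, and the three indicator families map onto the areas a real deployment would pull from an MDM or EDR export: software inventory, network adapters, and outbound connection telemetry. The sanctioned-adapter allowlist is what keeps the corporate VPN from being reported as shadow IT.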
Deepwatch CISO, Chad Cragle, argues that companies also need to update their information security management systems (ISMS) in three areas: asset management (tracking VPNs); asset control (MFA and conditional access); and acceptable use policies (to state that unmanaged VPNs can’t access sensitive data).
“Governance must treat privacy tools as part of the landscape, not as loopholes. The role is to enforce the guardrails even when traffic tries to go dark. That means: data residency and geo-fencing to keep traffic within approved jurisdictions. Audit trail preservation through endpoint monitoring and DLP, even if traffic is tunneled. And policy alignment where privacy and compliance are not competing values but two sides of the same coin,” he tells ISMS.online.
“Think of it like air traffic control: passengers can value privacy, but planes still file flight plans. Governance has to balance freedom of movement with complete visibility — otherwise, you’re flying blind.”
Menlo Security IT and security director, Brandon Tarbet, wants to see user identity separated from platform interactions.
“The solution is not to restrict privacy tools – it is to implement security architectures that can maintain compliance and data protection without compromising user privacy,” he tells ISMS.online. “This means moving security and privacy controls closer to the content itself, using techniques like remote rendering and isolated execution environments. Organisations can achieve both regulatory compliance and user privacy by ensuring security decisions are made on sanitised, risk-assessed content rather than raw user traffic.”
Ultimately, any type of governance update must take account of the changing way employees tend to access sensitive information today, argues Zimperium VP of product strategy, Krishna Vishnubhotla.
“Governance has to move past the old focus on networks and desktops. The real risks are on mobile devices and the apps people use every day,” he tells ISMS.online. “A VPN might hide traffic, but it doesn’t fix an app that leaks data or uses weak encryption. The answer is simple: check the apps for security issues and protect them on the device. That way, privacy is respected, and compliance isn’t lost.”