Mozilla tells UK regulators not to age-gate VPNs in Online-Safety consultation

In a formal submission to the Department for Science, Innovation and Technology, Mozilla argues that restricting young users' access to VPNs would undermine — not advance — the regulator's online-safety goals.

Mozilla published its response to the UK's "Growing up in the online world" consultation on 15 May 2026, opposing proposals to age-gate virtual private networks under provisions of the Online Safety Act ^[1]. The consultation is run by the Department for Science, Innovation and Technology and forms part of the rollout of mandatory age-assurance systems ^[1].

Mozilla's core argument, in its own words, is that "VPNs serve as critical privacy and security tools for users across all ages," and that "restricting young people's access to privacy-protecting technologies is in tension with the goal of equipping them to navigate the internet safely" ^[1]. The submission lists the standard functions VPNs serve — hiding users' IP addresses, reducing tracking, avoiding IP-based profiling, enabling remote network access and circumventing censorship — and treats them as collectively too important to gate by age ^[1].

The proposed alternative is straightforward and not new: hold platforms accountable for content and design, encourage parental-control use, invest in digital-skills programmes, but do not put privacy tools themselves behind an age check ^[1].

The substantive disagreement is about how VPNs interact with the UK's age-verification regime. The Online Safety Act creates obligations on user-to-user services to verify ages for certain content categories, and VPNs let users sidestep that verification by appearing to access services from outside the UK. The regulatory instinct in response is to restrict VPN access for minors. Mozilla's position is that this trades a small enforcement convenience for a meaningful loss in baseline privacy protection.

What the blog post does not do is engage in detail with the specific drafting language the consultation proposes. The body of the Mozilla post is positional rather than line-by-line technical — readers wanting the actual proposed-rule language will need to find it in the DSIT consultation itself, which Mozilla links to but which is outside this brief's scope.

For technical practitioners building VPN clients or related privacy tooling, the relevant practical question is whether the UK joins France and the EU's broader trend toward presence-based regulation that treats VPN use itself as a regulated activity. Mozilla's submission is a data point in that conversation.