UK VPN Downloads Jumped 1,800% After Online Safety Act Kicked In — And The Government Wants More Control

When the UK’s Online Safety Act came into force on July 25, 2025, something unexpected happened. Within minutes, VPN providers reported signup surges they’d normally associate with political upheaval in authoritarian states.

Blimey, the numbers were staggering:

• Proton VPN: 1,400% immediate spike, climbing to 1,800% sustained increase
• NordVPN: 1,000% jump in UK purchases
• Windscribe and AdGuard: Similar surges across the board
• Apple App Store: Five VPN apps landed in the UK top 10 by Monday

Proton VPN knocked ChatGPT off the number one spot. Let that sink in — a privacy tool became more popular than the AI everyone’s been banging on about.

“We would normally associate these large spikes in sign-ups with major civil unrest,” Proton told the Financial Times. “This clearly shows that adults are concerned about the impact universal age verification laws will have on their privacy.”

Here’s the properly mad bit: the UK is now among the highest VPN usage countries for Proton’s service. That puts Britain in the company of Iran, Russia, and Turkey — nations where VPN adoption spikes during government crackdowns on internet freedom. Not exactly the club most Brits expected to join.

What Triggered The Surge

The Online Safety Act requires websites hosting adult content to implement “robust” age verification. Fancy watching something for grown-ups? You’ll need to prove you’re over 18 through:

• Government ID uploads — yes, your passport or driving licence
• Facial recognition scans — proper biometric stuff
• Credit card checks — because nothing says “privacy” like handing over your banking details

Sites that fail to comply face fines of up to £18 million or 10% of global revenue, whichever hits harder. Ofcom’s got full enforcement powers and they’re not mucking about.

The backlash was swift. Within days, a petition to repeal the law gathered over 290,000 signatures on the official UK Parliament website — well past the threshold that triggers mandatory government response and potential parliamentary debate.

Tech Secretary Peter Kyle wasn’t having any of it. The rules are “not negotiable,” he said, and will be enforced as planned.

But Brits found their own workaround, didn’t they? VPNs let users appear as though they’re browsing from another country entirely, giving two fingers to UK-specific restrictions. The technology encrypts internet traffic and masks your real location. Sorted.

The Investigatory Powers Act Complicates Things

Here’s where it gets properly sticky for VPN users. The UK already has sweeping surveillance laws that affect privacy tools operating in the country.

The Investigatory Powers Act 2016 — nicknamed the “Snoopers’ Charter” for good reason — requires communication service providers to:

• Retain internet connection records for 12 months
• Make records available for national surveillance cases
• Comply with data retention requirements if they run servers in the UK

As explained by team the law got even more heavy-handed in April 2024. Under the Investigatory Powers (Amendment) Act 2024, companies must now notify the government of planned changes to their services. The Home Secretary can issue technical capability notices without judicial oversight. No judge required. Just a minister’s say-so.

Privacy advocates have been ringing alarm bells about the law’s reach beyond British borders. Any service used by people in the UK could fall under these requirements, even if the provider operates from Timbuktu.

The Center for Cybersecurity Policy & Law put it bluntly: this “could force companies into an impossible position: either violate laws in other jurisdictions, or bifurcate services between the UK and rest of the world, providing UK users with less secure versions.”

Some providers might simply pack up and leave the UK market rather than compromise their security principles. Can’t say we’d blame them.

Apple Already Pulled A Key Feature From UK Users

The clash between UK surveillance demands and tech company resistance hit a peak in early 2025 when the government went after Apple’s encryption.

In January 2025, the UK Home Office issued Apple a Technical Capability Notice demanding the company build a backdoor into iCloud’s encrypted backup service. The order sought access to encrypted data globally — not just British citizens.

Apple’s response was blunt. Rather than create a backdoor, the company disabled its Advanced Data Protection feature for UK users entirely in February 2025. British customers lost the option to enable end-to-end encryption for iCloud backups, photos, notes, and several other data categories.

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple said. “As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”

Apple filed a legal complaint with the UK’s Investigatory Powers Tribunal in March 2025, marking the first challenge of its kind against the surveillance regime.

The US government weighed in. Vice President JD Vance and Director of National Intelligence Tulsi Gabbard pressured the UK to withdraw the order. President Donald Trump likened Britain’s demands to “Chinese state surveillance.”

Despite apparent diplomatic pressure, the UK issued a new order in September 2025 — this time targeting only British users’ data. Privacy campaigners say this changes nothing. Caroline Wilson Palow, legal director at Privacy International, argued: “If Apple breaks end-to-end encryption for the UK, it breaks it for everyone. The resulting vulnerability can be exploited by hostile states, criminals and other bad actors the world over.”

What UK Residents Are Doing About It

The VPN surge shows British internet users aren’t waiting for lawmakers to reconsider. They’re taking privacy into their own hands.

For anyone considering a VPN service, the choice depends on what matters most: speed, server locations, privacy policy, or price. Several factors deserve attention when selecting a provider.

Find the best VPN for you; there are different options, whether you need to prioritise speed or the number of devices you can connect. Once activated, the VPN encrypts all the data that passes through your device. This encryption ensures anyone trying to snoop on the network can’t make sense of what you’re doing, and your data is safe.

Jurisdiction matters. VPN companies based in Five Eyes countries — the intelligence-sharing alliance that includes the UK, US, Canada, Australia, and New Zealand — face more pressure to share data with governments. Providers based in Switzerland, Panama, or the British Virgin Islands operate under different legal frameworks.

Server infrastructure matters too. A VPN headquartered abroad but running servers in the UK may still be subject to Investigatory Powers Act requirements for those specific servers. Users routing traffic through UK-based servers should understand that data retention laws could apply.

Logging policies vary significantly between providers. Some keep no activity records whatsoever. Others retain connection timestamps or bandwidth usage. The only way to verify these claims is through independent audits, which not all providers undergo.

Technical features also differ. Obfuscated servers disguise VPN traffic as regular HTTPS browsing, making it harder for networks to detect and block VPN usage. RAM-only servers delete all data on reboot. Kill switches cut internet access if the VPN connection drops, preventing accidental exposure.

The Pattern Repeats Globally

The UK’s experience mirrors what’s happened elsewhere. When France introduced similar age verification requirements in June 2024, Proton VPN saw a 1,000% signup surge. Turkey experienced an 1,100% spike after internet restrictions tightened. Florida saw over 1,000% growth when Pornhub withdrew from the state following age verification mandates.

The pattern suggests a consistent user response to content restrictions: rather than comply with ID requirements, people adopt tools to bypass them entirely.

Critics argue this undermines the laws’ stated purpose of protecting children. Internet Matters, a child safety organization, warned that the Online Safety Act “makes it easy for [minors] to circumvent important protections.”

Worse, some free VPN services aren’t privacy shields at all. Certain providers harvest user data and sell it to unknown third parties. Users seeking to protect their privacy might inadvertently expose themselves to greater risks by choosing the wrong service.

Where This Goes Next

The UK government shows no signs of backing down. Ofcom continues enforcement, and the Home Office has now issued multiple orders demanding tech companies compromise encryption.

Meanwhile, VPN providers are adapting. Services are adding features specifically designed to evade detection and blocking attempts. The technical cat-and-mouse game is escalating.

The broader question is whether the UK’s approach to internet regulation will achieve its goals or simply drive users further into unregulated spaces. The 1,800% surge in VPN adoption suggests many Britons have already decided the answer for themselves.

For now, the Investigatory Powers Tribunal case continues. Civil society groups, encrypted communications services, and industry representatives have joined Apple’s challenge. The Internet Society and over 200 organizations have called on the UK government to withdraw its demands.

The outcome could set precedent for how democracies balance child safety, law enforcement access, and individual privacy in the years ahead. Or it could confirm what privacy advocates fear: that the UK is willing to compromise global security standards in pursuit of domestic surveillance capabilities.