Apple's own support page, "If you're asked to confirm that you're an adult," now lists what counts in the UK: a credit card in your name, a scan of a driver's license, a passport, or an Apple ID with enough history behind it to vouch for you on its own (Apple), plus, per a companion Apple support page specific to the UK, one of several PASS-accredited proof-of-age cards such as CitizenCard or the Young Scot National Entitlement Card (Apple). That is not what the page said when the feature arrived with iOS 26.4 in March 2026. At launch, only a credit card, driver's license, or national ID counted; passports were explicitly turned away, and Forbes quoted one UK user locked out despite holding a valid passport: "I don't drive, I don't have credit cards and I'd never heard of a National ID card... I do have a valid U.K. passport, which is what I've always used as age verification in the past. I just spoke to Apple support and they couldn't do anything for me." (Forbes) Apple has since added passport scanning for UK users, closing that specific gap. It has not closed the wider one. On Apple's own community forums, one user summed up who is still stuck, in a complaint posted during the original rollout but describing a gap the passport fix does nothing for, since it assumes a passport to begin with: "I do not own credit cards, don't have UK driving licence or passport... I'd assume Apple would be working on setting up an alternative way but still in the meantime there's no way." (Apple Community) A commenter on the accessibility forum AppleVis made the same point about a specific group: roughly 75 percent of working-age visually impaired people in the UK are not employed, so most cannot qualify for a credit card either, leaving anyone in that position with no route through the check if they also lack a passport or driver's license (AppleVis).

That banner is the visible edge of a much bigger shift. The UK's Online Safety Act put age-verification duties on platforms hosting adult content, plus anything touching suicide, self-harm, or eating disorders, starting July 25, 2025, requiring a selfie scan, a bank check, or a photo ID before a site lets you in (Ofcom). The reaction was immediate and measurable. Proton VPN, which sells the product people were signing up for, posted that UK signups had surged more than 1,400 percent within minutes of the law taking effect (Proton VPN), a spike its general manager, David Peterson, told the UK tech-trade outlet UKTN then settled into "a sustained increase of over 1800%" that ran for days (UKTN). The independent monitor Top10VPN tracked UK VPN traffic up 1,327 percent on day one, 1,712 percent on day two, and close to 2,000 percent by day three (Top10VPN), while NordVPN, another provider with a stake in the surge, told Wired it logged a 1,000 percent jump in UK purchases over the same stretch, as reported by the cybersecurity trade outlet GovInfoSecurity (GovInfoSecurity). None of that is illegal. The Online Safety Act does not criminalize using a VPN to route around a UK age check, a loophole Ofcom, the UK's media and communications regulator, has tried to narrow by telling platforms in its own guidance that they must not host or permit content that encourages exploiting it, including links to VPNs (Ofcom).

Parliament's answer has been to regulate the VPN itself. In January, the House of Lords voted 207 to 159 (UK Parliament) for an amendment to the Children's Wellbeing and Schools Bill requiring commercial VPN providers to apply "age assurance which is highly effective at correctly determining whether or not that person is a child" to anyone signing up from the UK, according to the trade publication Biometric Update, which tracks the identity-verification industry (Biometric Update). In practice, a check effective on children is a check on everyone, since a VPN has no reliable way to card only the under-18s. The Age Verification Providers Association, the trade body for the vendors who sell these checks (and so has its own stake in more checks, not fewer), has pushed back on what it calls the "VPN fallacy," arguing on its own site that legislation "offers no exemption" for VPN use and that platforms remain liable regardless of who is routing around them (AVPA). Baroness Beeban Kidron, a longtime child-safety campaigner in the Lords, argued the opposite failure, telling Biometric Update that "regulation has failed... because the regime envisaged by Parliament was weakened by lobbying," and that Ofcom itself has been "too timid... too close to tech" (Biometric Update). Ofcom has not answered that specific charge point by point; it has instead defended its record in general terms, telling the Register that "the majority of the top 100 most popular adult sites in the UK have now deployed an age check" and that it has "launched investigations into 69 sites and apps" (The Register). Wikipedia co-founder Jimmy Wales called the vote "an embarrassment," arguing the UK was legislating to make children less safe online while claiming to protect them (TechRadar). The government has so far resisted the amendment and opened a consultation instead; a spokesperson for the Department for Science, Innovation and Technology told TechRadar, "We recognize that VPNs serve legitimate purposes, including protecting privacy and security online" (TechRadar).

That population of VPN users includes people for whom the tool is not a convenience but a safety line. Evan Greer of the digital-rights group Fight for the Future told TechRadar that discouraging VPN use "will put human rights activists, journalists, abuse survivors and other vulnerable people in immediate danger" (TechRadar), and a July 2026 joint letter to the UK government from Amnesty International, the Open Rights Group, and more than twenty other rights groups and VPN providers made the same case in writing: VPNs are "essential for human rights defenders and journalists, domestic abuse survivors, the LGBTQ+ community, and others at heightened risk online" (Open Rights Group). Only about 3 percent of children had used a VPN to reach content meant for adults, a figure widely attributed to Ofcom and cited by that same joint letter. An identity mandate on VPNs would therefore burden the millions of UK adults who rely on one for everyday banking security, remote work, or public wifi, to catch a sliver of the children the law is actually aimed at.

Which points to the question the VPN fight tends to obscure: closing that loophole would not make the identity check disappear, it would just push it further upstream, onto whichever company is left holding the ID photo and the face scan. Facial-geometry scans count as special-category data under the UK's data protection law, UK GDPR, requiring explicit consent and a formal privacy impact assessment before use, according to the UK data-protection consultancy Data Protection People (Data Protection People). The Online Safety Act does not require platforms to use a certified verification vendor: the Age Check Certification Scheme that the Information Commissioner's Office and Ofcom jointly endorsed in March 2026 remains voluntary, so there is no guarantee any given vendor meets the ICO's own expectations (ICO), and retention terms vary company to company. Yoti, one of the larger UK verification providers, states in its own privacy policy that it holds a user's data for 28 days when a check needs manual review (Yoti). The breach risk is not theoretical. Discord's own account of an October 2025 incident says attackers compromised a third-party support vendor and made off with at least 70,000 images of government ID submitted for age-related appeals (Discord); the named vendor, 5CA, has disputed that it handled any government IDs for the account in question, and the attackers themselves claimed a much larger haul than Discord confirmed (Bitdefender). The Electronic Frontier Foundation puts the underlying argument bluntly on its own campaign page: "every age-verification system is, at its core, a surveillance system" (EFF).

The two-year question I ask about every device applies here too: not just does this protect a child today, but what happens to the ID scan, the face print, the account history, two years on, and who is still holding it.