I agree that technically, this is almost impossible to implement. To begin with, traffic can be tunneled through a variety of protocols. I used to evade my school's filtering by tunneling over https, which was a form of VPN for the purposes of this discussion. It would be a game of whack-a-mole at best in order to identify 'rogue' VPN traffic out of the giant pile of normal encrypted sessions. Duration, maybe, but then the VPN software could just establish a new session to a new endpoint every random amount of time; VPNs become more expensive and slower, but don't go away.

Outlawing encrypted traffic altogether would break so much of the internet that it will never happen.

I'm a little tin-foil-hat about this right now, but I think this could be an anti-worker policy at least as much as it is anti-privacy. We keep talking about how all companies are using VPNs. What if this is being pushed to force all remote workers give up their privacy as a way to urge people back into offices. Company XYZ says, "You can still work remote, but the law says you'll have to do a biometric scan of your face every time/week/month in order to use the VPN."

And if companies get exempted somehow... then I've got a great idea for a new startup: "EnVeePee is a company which pays literally nothing to our contractors, and we expect them to be online for hours a day working really hard for us. We also expect them to contribute to the monthly pizza party."