Reddit Fined £14.47 Million for Children’s Privacy Failures in the UK

In a landmark enforcement action, the UK’s Information Commissioner’s Office (ICO) has fined Reddit £14.47 million ($19.52 million) for unlawfully processing the personal data of children under 13.

Despite hosting 121 million daily users, Reddit had no effective age verification mechanisms prior to July 2025, exposing children to potentially harmful content.

For privacy officers, CISOs, and platform operators, this incident highlights critical risks in handling underage users’ data:

  • Legal liability under UK data protection law
  • Exposure of children to unsafe content
  • Enforcement of the Age Appropriate Design Code (Children’s Code)

This article explores the fine, Reddit’s response, the regulatory context, and actionable steps for platforms handling children’s data.


What Happened: The ICO Investigation

The ICO found multiple failures in Reddit’s data processing:

  1. Processing of Under-13 Data Without Consent
    • Children under 13 were active on Reddit despite terms prohibiting their use
    • Reddit lacked lawful basis under UK GDPR to process their data
  2. No Age Assurance Mechanisms Until 2025
    • Relying solely on self-declared age is insufficient
    • Age verification to access mature content introduced only in July 2025
  3. Failure to Conduct a Data Protection Impact Assessment (DPIA)
    • DPIAs are mandatory to assess risks to children
    • Reddit allowed users aged 13–18 without mitigating risks until early 2025

UK Information Commissioner John Edwards said:

“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. That is unacceptable.”


Reddit’s Response and Age Assurance Measures

In response, Reddit implemented several age assurance controls in July 2025:

  • Age verification prompts during account creation
  • Age-gated access to mature content

However, the ICO noted that self-declaration alone is still easily bypassed, and continues to monitor Reddit’s compliance.

Reddit has stated its intention to appeal the fine, citing concerns that more intrusive data collection could compromise overall user privacy.


Regulatory Context: Age Appropriate Design Code

The ICO’s Children’s Code is designed to ensure online services are safe and age-appropriate. Key aspects include:

  • Platforms must assess and mitigate risks to children’s personal data
  • Age verification must be robust and not easily bypassed
  • DPIAs are mandatory for services likely to be accessed by children

The Reddit fine is the largest ever issued by the ICO for children’s privacy, signaling an escalation in regulatory enforcement.

Other notable enforcement actions include:

  • MediaLab.AI (£247,590 fine) for Imgur, which resulted in the platform leaving the UK market
  • Ongoing investigations into Discord, Pinterest, and X, and scrutiny of Meta and Snapchat over children’s location data

Why This Fine Matters for Tech Platforms

The Reddit fine illustrates the growing importance of children’s data protection and signals that:

  • Self-declaration of age is not enough
  • Platforms are accountable for assessing risk and implementing technical safeguards
  • Regulatory penalties can reach millions and affect global operations

For developers, privacy officers, and platform operators, this serves as a clear warning to audit age verification processes and ensure compliance with data protection law.


Best Practices: Protecting Children’s Privacy Online

1. Implement Robust Age Verification

  • Multi-factor or document-based verification for users under 18
  • Continuous monitoring for suspicious self-declaration attempts

2. Conduct Data Protection Impact Assessments (DPIAs)

  • Assess potential harm to children before introducing features
  • Update DPIAs whenever services or data flows change

3. Minimize Data Collection

  • Only collect data necessary for service delivery
  • Avoid excessive profiling or sharing with third parties

4. Age-Gated Content & Access Controls

  • Mature content should be restricted to verified users
  • Consider default privacy-friendly settings for under-18 accounts

5. Maintain Regulatory Awareness

  • Keep abreast of ICO guidelines, GDPR, and the Children’s Code
  • Regularly review and update privacy policies and compliance measures

Key Takeaways

  • The £14.47M fine against Reddit is a wake-up call for all platforms handling children’s data
  • Robust age verification, DPIAs, and minimal data collection are no longer optional—they are legal requirements
  • Platforms relying solely on self-declaration risk regulatory action and reputational damage

Ensuring children’s online safety is both a legal and ethical obligation. Companies must proactively evaluate and update their systems, or risk fines, enforcement actions, and user distrust.
