Reddit fined £14.47m by ICO for unlawful processing of children’s data

The question

What does the ICO’s £14.47m fine against Reddit signal about the regulator's expectations for protecting children’s data, age assurance and online safety governance for online platforms in the UK? 

The key takeaway

The ICO is using significant monetary penalties to encourage major online platforms to strengthen protections for children’s personal information. This includes requiring those platforms to take demonstrably effective age-assurance measures where they may be accessed by children. Platforms are also required to conduct robust data protection impact assessments (DPIAs) that identify and mitigate risks to children at an early stage, and adopt high "privacy by default” design practices under the ICO’s Age Appropriate Design Code (the Children's Code). These expectations are particularly relevant for services likely to be accessed by under-18s, especially where self-declared age gates can be easily circumvented and are therefore unreliable.

The background

The ICO began to investigate Reddit’s handling of children’s personal data as part of a broader regulatory intervention aimed at improving children’s online privacy. The regulator is also coordinating with Ofcom in relation to enforcement under the Online Safety Act, with the objective of aligning regulatory approaches to child safety online (as discussed further in our article on the ICO and Ofcom’s joint statement on online safety obligations). This action follows the ICO’s earlier fine against MediLab.AI, Inc. of £247,590 for unlawfully processing children’s personal information.

The development

The fine is a result of the ICO determining that Reddit committed serious failures in age assurance under UK data protection law. The ICO found that children under 13 were able to access the platform despite Reddit’s terms prohibiting such use, resulting in the processing of their personal data without a lawful basis for Reddit to do so. The regulator also found that Reddit failed to conduct a children-focused Data Protection Impact Assessment (DPIA) until January 2025, despite permitting use of the platform before this time by 13-18 year olds, a group requiring enhanced protections under UK data protection law.

The ICO stated Reddit’s failings potentially exposed children to inappropriate and harmful content, factoring into the level of its penalty factors including the number of children affected, potential harm, duration of that harm, and Reddit’s global turnover.

Reddit introduced age assurance measures in July 2025, including age verification for mature content and age self-declaration at account opening. The ICO has however warned Reddit in its decision that self-declaration is easily bypassed and remains an active supervisory focus.

The monetary penalty notice was published on 19 March 2026 and Reddit appealed to the First-tier Tribunal on 1 April 2026. The final regulatory outcome may evolve as a result, depending on whether the appeal is successful. 

Why is this important?

For large online platforms, this decision reinforces that minimum-age rules in terms of service do not by themselves establish compliance. The ICO expects organisations to implement operational controls that give them confidence in the accuracy of the age of their users where children may be at risk from content on the platform.

It also highlights the importance the ICO places on the link between children’s privacy compliance and product design choices, with the Children’s Code framed as design standards requiring "best interests" and "high level of privacy by default".

Finally, it indicates the ICO is scrutinising age assurance as a core compliance element, especially where platforms use self-declared age, which they have identified as unreliable and inappropriate in many cases.

Any practical tips?

Platforms should reassess whether their services are likely to be accessed by under-18s and either apply the design standards of the Children’s Code protections to all users or implement proportionate age assurance that meaningfully tailors safeguards by age, documented with clear rationale linked to risk.

Where under-13s (or any other group) are prohibited from accessing the platform, organisations should treat enforcement as a controls problem (not a policy problem) and evaluate robust age assurance options rather than relying primarily on self-declaration. 

Governance-wise, teams should ensure DPIAs are completed early for child-accessible features and address exposure pathways to inappropriate content, with sign-off routes that stand up to regulatory scrutiny and can be evidenced if challenged.

Summer 2026