ICO fines Reddit more than £14 million

by Simon Jones Tech Reporter
24th Feb 26 12:50 pm

The Information Commissioner’s Office (ICO) has imposed a record-breaking fine of over £14 million on Reddit, underscoring the importance of robust data protection for children and highlighting the regulator’s commitment to enforcement.

The investigation found that Reddit processed children’s personal information unlawfully by failing to implement adequate age-verification safeguards, Sky News reported.

The ICO said the platform lacked a lawful basis for handling data from users under 13.

The watchdog concluded that Reddit:

  • Did not deploy robust age-assurance mechanisms, meaning children could access the platform without verification.
  • Failed to conduct a data protection impact assessment before January 2025 to evaluate risks to minors.
  • Did not adequately mitigate potential harms associated with children’s use of the service.

The ICO emphasised that online platforms such as Reddit must demonstrate that processing children’s data is lawful, proportionate, and safe under UK law, providing clear guidance for data protection professionals and policymakers on regulatory expectations for social media companies.

The ICO highlighted that Reddit’s shortcomings exposed children to avoidable privacy risks, such as unauthorised data collection and harmful content, underscoring the urgent need for stronger child safety measures across social media platforms for policymakers and industry leaders.

The fine underscores the increasing regulatory pressure on major technology companies operating in the UK, aiming to reassure data protection professionals and regulators that enforcement is actively safeguarding online child safety and platform accountability.

Broader context

The ruling is part of a global push to tighten online child protection standards for large digital platforms, especially social media companies with young user populations.

Sky News reported John Edwards, UK Information Commissioner, saying: “It’s concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children.

“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine.

“Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place.

“Reddit failed to meet these expectations. They must do better and we are continuing to consider the age assurance controls now implemented by the platform.

“Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. I therefore strongly encourage industry to take note, reflect on their practices and urgently make any necessary improvements to their platforms.”

“Reddit doesn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety,” a Reddit spokesperson told Sky News.

“The ICO’s insistence that we collect more private information on every UK user is counterintuitive and at odds with our strong belief in our users’ online privacy and safety.”

Chris Linnell, Associate Director of Data Privacy at Bridewell, said: “While the headlines focus on the penalty, the core issues appear far more fundamental: a failure to complete an appropriate Data Protection Impact Assessment (DPIA) for high-risk processing, and a lack of effective controls to prevent under-13s from accessing the platform – despite terms and conditions stating they should not.

“Where processing is likely to pose a high risk to individuals (particularly children) a DPIA is not optional. It is a statutory requirement designed to force organisations to properly assess, document and mitigate risk before harm occurs. The absence of a robust DPIA suggests that the risks to children were not adequately identified or addressed at the outset.

“Equally, relying on terms and conditions to state that under-13s should not use the service is not, in itself, a protective measure. If no effective technical or operational controls are in place to enforce that rule, the organisation cannot credibly argue that it has taken reasonable steps to prevent access. Compliance cannot sit solely in contractual wording; it must be reflected in practical safeguards.

“The consequences of getting this wrong are serious. Not only may children’s data be processed unlawfully, but those same children may be exposed to inappropriate or harmful content. In regulatory terms, this represents both a data protection failure and a broader safeguarding failure.

“For organisations operating in similar digital environments, this case is a clear reminder to focus on the basics:

  • Identify where children are likely to access your services – even if they are not your intended audience.
  • Complete and regularly review DPIAs for high-risk processing.
  • Establish and document a lawful basis for processing children’s data.
  • Implement proportionate, effective controls rather than relying solely on policy statements.

“There is, of course, a broader and ongoing conversation about how platforms balance data minimisation with the need to understand who is using their services. But that debate sits on top of a more immediate obligation: if children are likely to be on your platform, you must proactively assess the risks and implement real-world safeguards.

“This fine is ultimately a reminder that when it comes to children’s data, regulators expect more than intentions and disclaimers – they expect demonstrable, accountable action.”