ICO fines Reddit £14.47m over children’s data failures and weak age checks

26 Feb

UK regulator says self-declaration is not enough as it steps up enforcement of children’s privacy online.

The UK Information Commissioner’s Office has fined Reddit £14.47 million after finding the platform failed to use children’s personal information lawfully and did not implement robust age assurance measures.

The regulator concluded that Reddit breached Articles 5(1)(a), 6, 8 and 35 of the UK General Data Protection Regulation. The case centers on the platform’s handling of users under 13 and its approach to age checks before mid-2025, raising wider questions for online platforms used by students and young people.

In a LinkedIn post announcing the decision, the Information Commissioner’s Office said: “We’ve fined Reddit £14.47 million for failing to use children’s information lawfully.”

No effective age checks until 2025

According to the ICO, Reddit’s terms of service prohibited children under 13 from using the platform, but the company did not introduce age assurance measures until July 2025.

The regulator estimates that a large number of under-13s were using the service and found that Reddit did not have a lawful basis for processing their personal information. It also concluded that Reddit had not carried out a data protection impact assessment focusing on risks to children before January 2025, despite allowing users aged 13 to 18 on the platform.

The ICO states that by processing personal information of under-13s without a lawful basis and without fully assessing wider risks, children were potentially exposed to inappropriate and harmful content.

John Edwards, UK Information Commissioner, says: “It's concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children.”

He adds: “Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine.”

Age assurance under scrutiny

In July 2025, Reddit introduced age assurance measures including age verification for mature content and requiring users to declare their age at account creation. However, the ICO has made clear that relying on self-declaration alone presents risks.

Edwards says: “Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place.”

He continues: “Reddit failed to meet these expectations. They must do better and we are continuing to consider the age assurance controls now implemented by the platform.”

On self-declaration specifically, Edwards states: “Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. I therefore strongly encourage industry to take note, reflect on their practices and urgently make any necessary improvements to their platforms.”

The ICO confirms it is keeping Reddit’s processing of children’s personal information under review as part of broader work targeting platforms that primarily rely on self-declaration.

Wider intervention and children’s code enforcement

The penalty follows earlier enforcement action against MediaLab and forms part of a wider intervention aimed at improving how online platforms handle children’s personal information.

Under UK data protection law, children are entitled to enhanced protections. The ICO’s Age appropriate design code, also known as the Children’s code, sets out standards for online services likely to be accessed by under-18s. These include considering children’s best interests in service design and providing high privacy settings by default.

The regulator says it will continue to work with Ofcom, which enforces the Online Safety Act, to coordinate oversight where services fall under both regimes.

For schools, EdTech providers, and digital learning platforms, the case is a reminder that age assurance is not simply a compliance box. Where services are likely to be accessed by children, organizations must either apply full Children’s code protections to all users or implement proportionate and effective age assurance methods matched to risk.

Yasmin London, Child Digital Safety & Wellbeing Lead at Smoothwall, says the case “highlights a broader and ongoing challenge in online safety,” noting that while age verification options have moved beyond self declarations, “when implementation is inconsistent, or poorly executed, gaps inevitably emerge that children can and do fall through.”

She adds that “age checks alone do not create safety,” arguing that safer by design principles must work alongside age assurance technologies, and concludes that “this landmark fine signals that regulators are serious about holding platforms to account where standards are not being met, and it is positive to see scrutiny strengthening to protect our young people online.”

The ICO’s message is clear: self-declaration without further safeguards will face increasing scrutiny.

ETIH Innovation Awards 2026

The ETIH Innovation Awards 2026 are now open and recognize education technology organizations delivering measurable impact across K–12, higher education, and lifelong learning. The awards are open to entries from the UK, the Americas, and internationally, with submissions assessed on evidence of outcomes and real-world application.

Featured