Reddit fined £14.47m by UK regulator over children’s data failures

The UK’s Data Commissioner’s Workplace this week fined Reddit £14.47m after discovering the platform processed kids’s private info and not using a lawful foundation and with out implementing any strong age verification mechanism. The announcement, dated 24 February 2026, marks the biggest penalty the ICO has issued particularly below its kids’s privateness enforcement programme – and arrives simply weeks after a separate effective towards a smaller platform demonstrated the regulator’s broadening attain.

The core findings

The ICO’s investigation established two central failures. First, Reddit didn’t apply any strong age assurance mechanism, which meant it had no lawful foundation to course of the non-public info of kids below the age of 13. Second, the platform had not carried out a knowledge safety influence evaluation (DPIA) to guage and mitigate dangers to kids earlier than January 2025. Neither failure was minor or technical. Collectively, in keeping with the ICO, they left numerous under-13s on the platform with their knowledge processed in methods they may not perceive, consent to, or management.

Reddit’s phrases of service had all the time prohibited kids below 13 from utilizing the platform. The ICO discovered that prohibition meaningless with none mechanism to implement it. There have been no checks at account creation that might reliably forestall a baby from signing up. There was no system to determine customers who had been already on the platform and below the minimal age. The hole between coverage and follow was, within the ICO’s view, not simply insufficient – it was illegal.

John Edwards, UK Data Commissioner, mentioned: “Kids below 13 had their private info collected and utilized in methods they may not perceive, consent to or management. That left them probably uncovered to content material they need to not have seen. That is unacceptable and has resulted in in the present day’s effective.”

Age assurance: what Reddit finally did

In July 2025, Reddit launched age assurance measures as a part of its compliance work below the UK’s On-line Security Act. The implementation required UK users seeking access to mature content to verify their age by way of one in all two routes: a selfie add utilizing biometric know-how to estimate age, or a authorities ID add. At account creation, Reddit additionally started asking customers to declare their age.

The ICO knowledgeable Reddit, nonetheless, that self-declaration alone presents unacceptable dangers. Kids can merely enter a false date of start. Self-declaration is straightforward to bypass, and the regulator is now conducting a selected overview of corporations that rely totally on this technique. Reddit’s present controls stay below energetic scrutiny.

That distinction – between self-declaration and strong age assurance – is central to the ICO’s ongoing enforcement posture. Based on the ICO, organisations should match the reassurance technique to the extent of danger on their platform. The place kids below a sure age will not be permitted to make use of a service in any respect, blocking entry is the expectation, not merely asking customers to substantiate their age.

The penalty calculation

In setting the £14.47m determine, the ICO took under consideration 4 components: the variety of kids affected, the diploma of potential hurt induced, the length of the failings, and Reddit’s international turnover. The corporate’s scale was related. Reddit will not be a small operator – its promoting income reached $358.6 million in Q1 2025, representing 61% year-on-year progress, and its each day energetic customers reached 108.1 million in the identical quarter. A penalty calibrated to an organization of that dimension carries totally different weight than one levied towards a smaller platform.

The effective dwarfs the £247,590 penalty the ICO issued towards MediaLab.AI, Inc. – proprietor of the picture sharing platform Imgur – on 5 February 2026, simply 19 days earlier than the Reddit announcement. The MediaLab case concerned comparable structural failures: no age assurance, no DPIA, kids’s knowledge processed with out lawful foundation. The 2 circumstances collectively kind what the ICO describes as a wider intervention programme focusing on platforms the place kids’s private knowledge is in danger.

The regulatory framework

UK knowledge safety regulation requires that kids obtain particular remedy with respect to their private info. The ICO’s Age Applicable Design Code – also referred to as the Kids’s code – interprets these authorized necessities into concrete design requirements for on-line companies more likely to be accessed by under-18s. The code requires companies to behave in kids’s greatest pursuits throughout all points of their design and to supply a excessive stage of privateness by default.

Normal 12 of the code requires that profiling for kids – including profiling for personalised advertising purposes – be switched off by default. This has direct implications for promoting know-how. Programmatic programs that ingest user-level knowledge to personalise content material and goal audiences turn out to be problematic the second kids’s knowledge flows by way of them unidentified. Advertisers might unknowingly goal minors. Publishers might violate model security commitments. The platform internet hosting that stock might face enforcement of precisely the sort Reddit has now encountered.

In December 2025, the ICO revealed a kids’s privateness progress replace reporting sturdy outcomes from its proactive supervision programme focusing on social media and video sharing platforms. That programme is continuous. The ICO has signalled it’ll push for additional modifications the place platforms fail to adjust to the regulation or conform to the Kids’s code, and it’ll coordinate its work with Ofcom, which holds duty for imposing the On-line Security Act.

The ICO issued its provisional findings to Reddit on 8 July 2025. Reddit submitted representations on these findings. The ICO thought-about these representations after which reached its resolution to impose the effective – a course of that took roughly seven months from provisional findings to ultimate penalty.

Implications for digital promoting

The Reddit effective issues past little one safety enforcement alone. Reddit is an promoting platform. Its Custom Audience API, promoting phrases, and expanded advertiser agreements replicate a platform that has been constructing out its industrial infrastructure aggressively. Promoting on Reddit includes processing consumer knowledge – and that processing, for UK customers who’re below 13, was occurring and not using a lawful foundation.

The ICO’s enforcement motion doesn’t instantly tackle Reddit’s promoting enterprise, however the structural failure it recognized – the absence of age assurance – has direct penalties for anybody working campaigns on the platform. If a platform can’t affirm that customers are above a minimal age, advertisers can’t be assured their campaigns are reaching solely the audiences their consent mechanisms and focusing on parameters assume.

The new COPPA rules in the United States – which took impact on 23 June 2025, with a full compliance deadline of twenty-two April 2026 – launched stricter necessities on consent for third-party knowledge sharing involving kids’s knowledge. The regulatory strain on platforms dealing with kids’s knowledge will not be confined to the UK. It’s constructing concurrently throughout a number of jurisdictions, with enforcement timelines that at the moment are starting to supply seen penalties.

Based on the ICO, age assurance instruments act as a guardrail to forestall kids from accessing companies they shouldn’t be utilizing, or to assist platforms tailor the expertise for various age teams. These instruments can even kind a part of a broader technique for decreasing the info dangers kids face – and for guaranteeing that the promoting infrastructure constructed on high of platform knowledge operates on a lawful basis.

The regulator was direct about what it expects going ahead: “Counting on customers to declare their age themselves will not be sufficient when kids could also be in danger,” in keeping with Edwards. That message will not be addressed solely to Reddit. The ICO has explicitly flagged corporations that primarily depend on self-declaration as an space of present focus.

Coordination with Ofcom

The ICO and Ofcom are working in parallel on kids’s on-line security. The ICO handles knowledge safety. Ofcom enforces the On-line Security Act, which imposes its personal obligations on platforms concerning kids’s entry to dangerous content material. Each regulators have recognized age assurance as a shared precedence. Their coordination issues for platforms navigating overlapping compliance obligations – a knowledge safety failure of the sort Reddit skilled can now set off scrutiny from two separate regulators with distinct however complementary enforcement powers.

Timeline

• September 2021 – MediaLab begins working Imgur with out age assurance for kids within the UK, a interval that extends till September 2025.
• January 2025 – Reddit carries out its first DPIA specializing in dangers of kids’s private info, greater than a yr after such an evaluation was required.
• 8 July 2025 – ICO points provisional findings to Reddit over kids’s knowledge processing failures.
• July 2025 – Reddit introduces age assurance measures in the UK, together with age verification for mature content material and self-declaration at sign-up, following On-line Security Act necessities.
• 23 June 2025 – New COPPA guidelines take effect in the United States, with full compliance required by 22 April 2026.
• December 2025 – ICO publishes kids’s privateness progress replace reporting sturdy outcomes from its proactive supervision programme.
• 5 February 2026 – ICO publicizes £247,590 effective towards MediaLab.AI, Inc. for children’s privacy failures on Imgur.
• 24 February 2026 – ICO fines Reddit £14.47m for failing to use age assurance and for processing kids’s private knowledge and not using a lawful foundation.

Abstract

Who: Reddit, Inc., the US-based social media and content material aggregation platform, was fined by the UK’s Data Commissioner’s Workplace. John Edwards, the UK Data Commissioner, introduced the penalty.

What: A £14.47m effective for failing to use any strong age assurance mechanism and for processing the non-public info of kids below 13 and not using a lawful foundation. Reddit additionally failed to hold out a knowledge safety influence evaluation earlier than January 2025.

When: The ICO introduced the effective on 24 February 2026. The ICO’s provisional findings had been issued to Reddit on 8 July 2025. Reddit launched age assurance measures in July 2025, although the ICO considers self-declaration inadequate.

The place: The enforcement motion covers the processing of private knowledge of UK-based customers on Reddit’s platform. Reddit, Inc. is included in the US.

Why: Reddit’s phrases of service prohibited under-13s from utilizing the platform, however the firm had no mechanism to implement that prohibition. Numerous kids below 13 had been current on the platform, their knowledge was processed with out lawful foundation, they usually had been probably uncovered to inappropriate and dangerous content material. The effective types a part of a broader ICO programme focusing on platforms that fail to implement enough age assurance below the UK Kids’s code.