The Information Commissioner’s Office (ICO) has fined US based social news service Reddit £14.5m for using the data of children under the age of 13 unlawfully and potentially exposing them to inappropriate and harmful content. This represents the largest ICO fine to date for a breach of children’s privacy and is the third largest fine the ICO has issued (after a £20m fine for a British Airways data breach, and an £18.4m fine for the Marriott Hotel group in 2014). The ICO noted the following as relevant factors in setting the financial penalty: the number of children impacted, the degree of potential harm caused, global turnover and the duration of the infringements. The decision is part of a broader regulatory crackdown on online platforms whose age‑assurance and child‑safety controls fall short of UK data‑protection standards. The Reddit decision is important for UK business to note: the ICO’s decision confirms that relying on terms of use or a policy-only (stating website is for over 13 only) is not sufficient where there is a real risk of children interacting with harmful content, and conducting a Data Protection Impact Assessment (DPIA) is critical.
Terms of use insufficient, and DPIA is key
The ICO said the fine had been levied over "failures" falling between 5 May 2018 to 8 July 2025, when it said Reddit was processing the personal information of children under the age of 13 unlawfully. Reddit had introduced age checks in July, including age verification to access mature content in order to comply with the requirements of the Online Safety Act. The ICO however said the platform relied on asking users to declare their age when opening an account - a technique it said was "easy to bypass". It should be noted however that the ICO guidance on age assurance does not prohibit use of self-declaration outright – instead, the risk profile of the activities should be considered, with self-declaration as an option for activities which do not pose a high risk to children.
Under UK data protection law, children should be given special treatment when it comes to their personal information; the law requires parental consent to process personal data of children aged under 13. The ICO stated that Reddit lacked a legal basis for processing the personal data of children under 13 with its failure to implement an adequate age assurance mechanism. The ICO’s Age-appropriate design code (also known as the Children's Code) translates the legal requirements into design standards for online services likely to be accessed by under-18s, helping organisations understand what is expected of them, including considering children’s best interests in all aspects of the design of online services and giving them a high level of privacy by default.
Where businesses offer online services to under 18 year olds, a Data Protection Impact Assessment (DPIA) is required in conjunction with the risk assessments under the Online Safety Act. Reddit did not draft a DPIA until early 2025 and thus was unable to prove data protection standards were being complied with.
Appeal likely
The ICO said it is keeping Reddit’s processing of children’s personal information under review as part of on-going work focusing on online platforms that primarily rely on self-declaration - an area of focus for the ICO. John Edwards, UK Information Commissioner, said:
“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine… Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place… Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. I therefore strongly encourage industry to take note, reflect on their practices and urgently make any necessary improvements to their platforms.”
Read the ICO statement here: Reddit issued with £14.47m fine for children’s privacy failures | ICO
Reddit said it would appeal against the decision. “The ICO’s insistence that we collect more private information on every UK user is counterintuitive and at odds with our strong belief in our users’ online privacy and safety,” a spokesperson said.
Takeaways
The substantial ICO fine demonstrates the need for companies to comply with child protection, data protection and online laws and guidelines. Online safety is clearly high on the agenda for regulators with increased appetite for enforcement and ability to levy hefty fines. Practically, UK companies may wish to consider the following:
- Build in robust age assurance tools to act as a guardrail to prevent children from accessing online services they shouldn’t be using to reduce the risks faced by children. Self-declaration is not sufficient where there are significant risks to children from personal data processed on the online service.
- Review DPIAs, checking for compliance with the 15 standards of the Children’s Code.
- Keep an eye on changes to legislation and guidance, monitor ICO and Ofcom decisions and publications to ensure continued compliance.
