The UK Information Commissioner's Office has imposed a £14.47 million penalty on Reddit for systemic failures in preventing underage access and processing children's data without proper safeguards.

The UK Information Commissioner's Office (ICO) has levied a £14.47 million ($19.5 million) fine against Reddit for fundamental failures in protecting children's data. This enforcement action stems from the social media platform's inadequate age verification systems and failure to conduct mandatory risk assessments despite known underage usage.
Core compliance failures
According to the ICO investigation, Reddit violated UK GDPR requirements through:
- Lack of age verification: Until July 2025, Reddit relied solely on terms of service prohibiting under-13s without implementing technical age assurance mechanisms. This allowed "a large number of children under 13" to access the platform.
- Missing risk assessments: Reddit failed to conduct a mandatory Data Protection Impact Assessment (DPIA) for processing minors' data until January 2025, despite hosting users aged 13-18. DPIAs are required under Article 35 of UK GDPR to identify and mitigate risks before processing personal data.
- Exposure to harmful content: Without proper age-gating, minors were potentially exposed to inappropriate material. UK Information Commissioner John Edwards emphasized: "Children under 13 had their personal information collected and used in ways they could not understand, consent to, or control."
Regulatory requirements timeline
- Effective immediately: All platforms accessible to UK children must implement robust age assurance systems
- July 2025: Online Safety Act enforcement provisions took effect
- October 2025: ICO confirmed positive impact on over 3 million children through recent enforcement
Reddit has since implemented Persona's third-party age verification, requiring government ID or biometric checks for mature content access. However, this solution has drawn scrutiny after security researchers raised surveillance concerns, prompting Discord to terminate its partnership with Persona.
Industry-wide implications
This penalty signals intensified enforcement of the Online Safety Act, with the ICO currently investigating 17 platforms including Discord, Pinterest, and X. Recent actions include:
- Imgur's withdrawal from the UK following similar fines
- Ongoing investigations into Meta and Snapchat's handling of children's location data
Jon Baines, data protection specialist at Mishcon de Reya LLP, notes: "Any UK GDPR fine of £14.4 million is significant, but given that ICO fines are increasingly rare, this stands out. The simple takeaway for controllers: DPIAs are relatively simple ways to assess risk and insulate from enforcement."
Compliance obligations
Organizations must now:
- Implement effective age assurance mechanisms
- Conduct DPIAs before processing children's data
- Continuously evaluate data processing risks
- Align with ICO's Children's code standards
Reddit contests the penalty, stating: "The ICO's insistence that we collect more private information conflicts with our commitment to user privacy." The company plans to appeal, potentially delaying final resolution for years.
This case establishes critical precedent for platforms balancing privacy protections with regulatory requirements for child safety under UK data protection law.
