Reddit fined for children’s privacy failures
Written by Catarina Santos
Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. And the problem here was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age.
Reddit issued with £14.47m fine for children’s privacy failures
Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. And the problem here was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age. The ICO investigation found two core failures:
- Reddit did not properly verify users’ ages
- Reddit failed to carry out a Data Protection Impact Assessment (DPIA) before allowing risks to children to materialise
As a result, children under 13 had their personal data processed without a lawful basis and were potentially exposed to content they should never have seen.
What happened?
Reddit’s terms of service have long stated that children under 13 cannot use the platform. However, until July 2025, Reddit did not have meaningful measures in place to check users’ ages; people could open an account by declaring their age themselves. The ICO found that large numbers of under-13s were likely using the platform during this period, meaning their personal data was being processed without a lawful basis.
Even more concerning was the lack of early risk assessment: Reddit had not carried out a Data Protection Impact Assessment looking properly at risks to children until 2025 – despite allowing teenagers aged 13–17 to use the service.
According to the ICO, this meant children’s data was collected and used in ways they could not reasonably understand or control, potentially exposing them to harmful or inappropriate content.
Reddit has since introduced age assurance measures, including checks for access to mature content but ICO has made it clear that these changes came late and remain under review.
This is a great example for us to consider around age verification mechanisms. For ages, much of the intern relied on the self-declaration method: “please confirm you are over 13”. It seems reasonable enough to say that everyone (children, parents and organisations) were aware on how easy this was to bypass… and the big problem was the enforcement and its slow interference – many organisations convinced themselves that putting age limits in terms and conditions was enough and self-declaration is sufficient.
On this, ICO’s message is clear: relying mainly on users to declare their own age is not acceptable where children are likely to access a service – and this should go beyond social media: gaming platforms, forums apps, online communities
Age verification
I had the chance to explore this topic within my research for my thesis dissertation and I can easily say that one of the challenges organisations face is that stronger age checks can appear to conflict with data protection principles – for example, uploading passports to join an online community is excessive and this would come with its own risks. This is why I find the approach discussed by the Irish data protection commission particularly helpful: rather than pushing one technical solution, it focuses on proportionate, risk-based age assurance: the higher the risk to children, the stronger the assurance needed.
Not every service needs the same level of verification, but every organisation should be able to explain what risks to children exist, how likely access by children is and why the chosen safeguards are appropriate.
The ICO made it clear that it is now actively focusing on platforms that primarily rely on self-declaration – which means that Reddit is unlikely to be the last case…
Conclusion and takeaway
I actually welcome this decision; not because fines are the main goal (as they rarely solve problems on their own, particularly for these big companies) but because the clarity that they bring helps organisations move forward and to think about their own practices.
I think that for too long, there has been uncertainty around how far companies needed to go when it came to age checks and, at the same time, regulators and industry need to work together to avoid turning age assurance into mass identification or unnecessary data collection.
Links:
https://www.theguardian.com/technology/2026/feb/24/reddit-fined-uk-children-under-13-data
https://www.dataprotection.ie/en/dpc-guidance/fundamentals-child-oriented-approach-data-processing