Summary & Key Facts
The UK Information Commissioner’s Office (ICO) issued a £14,470,000 fine to Reddit, Inc. on 24 February 2026, following an investigation into the platform’s handling of children’s personal data. The case is one of the most significant UK children’s privacy enforcement actions in recent years and sends a clear message to online platforms: age assurance must be robust, and self-declaration is not enough.
Key facts at a glance:
- Organisation fined: Reddit, Inc.
- Regulator: Information Commissioner’s Office (ICO), UK
- Fine amount: £14,470,000
- Date of fine: 24 February 2026
- Violations: Failure to implement robust age assurance; no lawful basis for processing children’s data; no Data Protection Impact Assessment (DPIA) conducted prior to January 2025
- Period of violation: The ICO suspects that a large number of children under 13 were active Reddit users during the period under investigation
- Reddit’s response: Age assurance measures were introduced in July 2025, but the ICO found self-declaration of age to be insufficient
For the full ICO press release, see: ICO: Reddit issued with £14.47m fine for failing to protect children’s privacy
ICO’s Findings
The ICO’s investigation found that Reddit failed on multiple fronts in protecting children under the age of 13 who were using its platform.
Age assurance failures: Reddit did not have a robust age assurance mechanism in place during the investigation period. When it did introduce measures in July 2025, the ICO found that allowing users to self-declare their age — without any technical verification — fell well short of the standard required under UK data protection law. As the ICO and the Osborne Clarke analysis both note, self-declaration of age is not sufficient to protect children.
No lawful basis for children’s data: Reddit was found to have no lawful basis under the UK GDPR or the Data Protection Act 2018 for processing the personal data of children under 13. This is a fundamental requirement of lawful data processing.
DPIA not conducted: A Data Protection Impact Assessment — required for high-risk processing activities — was not carried out before January 2025. Processing children’s data at scale without a DPIA is a clear violation of the accountability obligations under UK GDPR.
Scale of the problem: The ICO determined that a large number of children under 13 were likely using the platform during the violation period. The fine was calculated taking into account Reddit’s global annual turnover and the number of children affected.
For third-party legal commentary, see: Hunton Andrews Kurth: UK ICO Fines Reddit £14.47 Million and The Register’s coverage.
GDPR / DPA 2018 Articles Violated
The ICO’s enforcement action against Reddit engaged several provisions of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018):
| Article / Provision | Description |
|---|---|
| UK GDPR Article 6 | Lawfulness of processing — Reddit lacked a valid lawful basis for processing children’s personal data |
| UK GDPR Article 5(1)(a) | Principle of lawfulness, fairness, and transparency |
| UK GDPR Article 5(2) / Article 24 | Accountability principle — failure to demonstrate compliance |
| UK GDPR Article 35 | Data Protection Impact Assessment — required for high-risk processing but not conducted |
| DPA 2018 / Children’s Code | Obligations under the Age Appropriate Design Code (Children’s Code) relating to age verification and default privacy settings for child users |
The ICO’s Children’s Code (also known as the Age Appropriate Design Code) sets out 15 standards that online services likely to be accessed by children must meet. Reddit’s failures cut across several of these standards, in particular the requirement to establish and verify the age of users.
What This Means for Your Organisation
The Reddit fine is not just a story about a social media platform. It is a direct warning to any organisation whose online services, platforms, or apps may be accessed — even inadvertently — by children under 13.
If your organisation operates any of the following, this enforcement action is directly relevant:
- Consumer-facing websites or apps
- Employee-facing platforms accessible from personal devices
- Workplace portals, learning management systems, or HR apps that could be accessed by minors
- Any service that collects personal data without robust age verification
The ICO has made it clear that self-declaration of age is not adequate. Organisations must implement technical or procedural controls that can reasonably verify a user’s age — and those controls must be in place before data processing begins, not retrospectively.
Moreover, high-risk processing activities — including those involving children’s data — require a DPIA. This is not optional. The DPIA must be documented and completed before processing begins.
Key Lessons & Action Points
Compliance teams should take the following steps in light of this enforcement action:
Immediate actions:
- Audit your age assurance measures. If your platform or service could be accessed by children under 13, review whether your current age verification process meets the ICO’s expectations. Self-declaration alone will not suffice.
- Establish lawful bases for all processing. Verify that your organisation has a documented, defensible lawful basis for every category of personal data you process — including data that may inadvertently relate to children.
- Conduct or update your DPIA. If your service involves high-risk processing (including processing children’s data), ensure a DPIA is in place and up to date.
- Review your Children’s Code compliance. Work through the 15 standards in the ICO’s Age Appropriate Design Code and assess your current position against each.
For HR teams:
- Review any employee-facing platforms that may be accessible to children, particularly in contexts where employees use personal devices.
- Ensure data protection training for staff includes awareness of the Children’s Code obligations.
For senior leadership:
- Treat children’s data as a high-risk processing category requiring board-level visibility.
- Ensure your DPO or data protection lead has the budget and authority to implement robust age assurance controls.
For marketing:
- Review audience targeting settings on any advertising or marketing platforms to ensure children under 13 are not being targeted.
- Confirm that consent mechanisms are not being presented to or relied upon from children.
Related ICO Guidance
The ICO has published extensive guidance relevant to this enforcement action:
- ICO Age Appropriate Design Code (Children’s Code) — the definitive standard for online services likely to be accessed by children
- ICO Guidance on Data Protection Impact Assessments — when and how to conduct a DPIA
- ICO Lawful Basis Guidance — understanding your options and obligations
Organisations in scope of the Children’s Code should also refer to the ICO’s Children’s Code Design Resource for practical implementation guidance.
Further Reading
- ICO press release: Reddit issued with £14.47m fine
- Hunton Andrews Kurth: UK ICO Fines Reddit £14.47 Million for Failing to Protect Children’s Privacy
- The Register: ICO fines Reddit
- Osborne Clarke: UK ICO fines online platform and warns age self-declaration not enough to protect children
- ICO Enforcement Register
