ICO fines Reddit over children’s privacy failures and age-assurance gaps
The UK ICO says Reddit processed children’s data unlawfully, failed to implement robust age assurance, and did not complete a relevant DPIA before January 2025.
What happened
In February 2026, the UK Information Commissioner’s Office announced a £14.47 million fine against Reddit over children’s privacy failures. The ICO said Reddit failed to apply a robust age-assurance mechanism, did not have a lawful basis for processing the personal information of children under 13, and failed to carry out a data protection impact assessment focused on children’s risks before January 2025.
Why it matters
This is the kind of privacy enforcement that also functions as platform-governance policy. The case is not only about paperwork or formal compliance. It is about whether a large platform can credibly say it knows who is using age-restricted services and whether it assessed foreseeable harms before processing children’s data at scale. The ICO’s statement also makes clear that self-declaration alone is not being treated as an adequate answer where child safety risk is high.
Who is affected
- large platforms that rely on weak or bypassable age checks
- companies serving content that may be inappropriate for children
- privacy and product teams responsible for children’s data governance and risk assessment
What to watch next
- whether other UK platforms face similar enforcement over age assurance and child-data handling
- whether regulators push more aggressively against self-declared age models
- whether product design changes follow faster than legal or policy messaging
Sources and links
- ICO announcement: Reddit issued with £14.47m fine for children’s privacy failures
- ICO children’s privacy progress update referenced by the regulator
Verification status
This briefing is based on an official ICO enforcement announcement.