On 24 February 2026, the ICO issued a £14.47m fine to Reddit for unlawfully processing children’s personal data. Reddit, Inc. is a U.S.-based online platform founded in 2005 which enables users to post and discuss text, images, videos and links across a wide range of topics. This enforcement action highlights the need for businesses, particularly those which provide their services online, to implement robust age assurance and conduct a child-focused Data Protection Impact Assessment (DPIA).
What happened?
The ICO is the UK’s independent regulator for data protection, and it undertook an investigation into Reddit, concluding that Reddit was unlawfully using personal data relating to children. The failings included not checking the age of users accessing its platform and not completing the required child‑focused DPIA in advance of the processing of that personal data to allow it to consider the potential impact on the children concerned. Reddit had not carried out this necessary DPIA before January 2025, leaving risks to children unassessed and unmitigated. In setting the £14.47m fine, the ICO took into consideration the number of children affected, the potential harm caused, the duration of the failings, and Reddit’s global turnover. As a reminder, the ICO is able to impose financial penalties for non‑compliance with UK data protection law of up to £8.7 million or 2% of an organisation’s worldwide annual turnover for certain breaches, and up to £17.5 million or 4% of global annual turnover for more serious infringements.
The legal context
Reddit’s conduct prior to the implementation of its age verification measures in July 2025 was deemed by the ICO to be unlawful because it did not have a lawful basis for processing the personal information of children under the age of 13.
Under UK data protection law, organisations must have a valid lawful basis for processing personal data (pursuant to Article 6 of the UK GDPR), and at least one basis must apply whenever they process personal data. These lawful bases are:
(a) Consent – of the data subject whose personal data is being processed.
(b) Contract – processing is necessary as part of a contract with the data subject.
(c) Legal obligation – processing is necessary for compliance with the law.
(d) Vital interests – processing is necessary to protect someone’s life (such as in a medical situation).
(e) Public task – processing is necessary for the controller to act in the public interest and the action has a clear basis in law.
(f) Legitimate interests – processing is necessary for a legitimate purpose unless the data subject’s rights override that purpose.
Children-focused DPIAs are essential to identify and address risks to children, and ICO guidance makes it clear that they are mandatory for businesses offering online services to anyone under 18.
The ICO’s Children’s Code (also known as the Age-Appropriate Design Code) contains 15 standards to help organisations understand what is expected of them, ensuring that the child’s best interests are considered in all aspects of the design of online services, and giving them a high level of privacy by default.
AI considerations
Protecting children online requires organisations to engage in thoughtful and proportionate data processing. Implementing effective age‑verification or child‑safety measures involves balancing robust safety controls with the principle of data minimisation, a challenge that becomes more complex when using AI‑driven tools.
Automated systems designed to detect underage users or identify harmful behaviour must be deployed with strong oversight to ensure they are accurate, fair and compliant with regulatory and legal standards. When developing these systems, organisations should carefully assess and balance the competing objectives of identifying and preventing underage access without collecting excessive data, monitoring usage patterns in a manner which preserves broader privacy rights, and designing age‑verification systems which meet regulatory expectations while maintaining a smooth and accessible user experience.
Practical guidance for organisations
Both the Online Safety Act 2023 and the ICO, as the data protection regulator, highlight that DPIAs are fundamental for children’s safety and data privacy. The ICO’s increased focus on protecting children’s privacy demonstrates that compliance with UK data protection law continues to be vital for managing and mitigating user risk for children. Self-declarations of age are not enough to sufficiently protect children’s privacy where there is a real risk of children interacting with harmful content.
The Reddit fine signals the ICO’s intention to maintain a tough stance on children’s data protection, particularly where age‑assurance measures are weak or DPIAs are delayed.
The message for businesses is straightforward: organisations offering online services to children should continue to review their practices to ensure they can demonstrate robust information governance, effective age‑assurance controls and well‑documented risk assessments. As regulatory scrutiny increases, Michelmores’ Data Protection and Privacy team can support clients in strengthening their compliance frameworks, conducting DPIAs, and navigating engagement with the ICO.