UK data watchdog fines Reddit £14.47M for letting kids slip past the gate

Steven

UK data watchdog fines Reddit £14.47M for letting kids slip past the gate

Summary

The UK’s Information Commissioner's Office (ICO) has fined Reddit £14.47 million for failing to protect children's data. Although Reddit's terms prohibit under-13s, the ICO found the company did not implement an age-assurance mechanism until July 2025 and had not completed a required data protection impact assessment (DPIA) before January 2025. The regulator says many under-13s likely used the site and were processed without a lawful basis, potentially exposing them to inappropriate content.

Reddit says it prioritises user privacy and intends to appeal. It now asks UK users seeking mature content to provide a birth date and complete third-party identity checks via Persona. Persona has itself been criticised recently, and Discord dropped it as a partner amid concerns about the way it handles submitted data. The ICO issued provisional findings in July 2025; the fine reflects those findings and Reddit's response.

Key Points

  • The ICO fined Reddit £14.47M for inadequate age assurance and data protection relating to children.
  • Reddit prohibited under-13s in its terms but lacked effective age verification until July 2025.
  • Reddit did not carry out a mandatory DPIA before January 2025 despite hosting teenage users, breaching UK GDPR obligations.
  • Failure to assess and mitigate risks may have exposed under-13s to harmful or inappropriate content.
  • Reddit plans to appeal and now uses Persona for identity checks when accessing mature content; Persona has faced scrutiny.
  • The ICO, working with Ofcom under the Online Safety Act, is aggressively enforcing age-assurance rules and is investigating multiple platforms.
  • Legal experts note the DPIA failure is a clear takeaway for other data controllers: do DPIAs to assess risk and reduce regulatory exposure.

Why should I read this?

Because this isn’t just another fine — it signals the regulator means business on kids' safety online. If you run, build or advise online services (or just worry about where kids end up online), this one affects you. TL;DR: age checks, DPIAs and the Online Safety Act are now things you can't ignore — and Reddit says it will fight the ruling.

Context and relevance

The ruling sits within a broader push by the ICO and Ofcom to enforce the Online Safety Act since July 2025. Regulators have opened probes into several major platforms and already fined other services for weak age-assurance, prompting at least one platform to withdraw from the UK market. The decision underlines two trends: regulators are expecting concrete technical and procedural safeguards for children, and DPIAs remain a straightforward, mandatory control that organisations frequently get wrong.

For product teams, legal counsel and privacy officers, the case is a reminder to prioritise age assurance design, document DPIAs where required, and consider the reputational and financial risks of non-compliance. Expect appeals to drag on — but also expect increased scrutiny across the sector in the near term.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/24/ico_fines_reddit/