Reddit Faces £14.47 Million Penalty for Children's Data Protection Violations
The Information Commissioner's Office (ICO) has imposed a substantial £14.47 million fine on social media giant Reddit for serious breaches of children's data protection laws. The regulatory investigation revealed that the platform unlawfully processed personal information belonging to children under 13 years old while failing to establish proper age verification systems.
Regulatory Investigation Uncovers Systemic Failures
The UK data protection regulator determined that Reddit did not implement robust age assurance measures, meaning the company lacked any lawful basis for processing the sensitive data of children using its platform. These critical shortcomings left young users potentially exposed to inappropriate and harmful content that should have been filtered through proper safeguards.
Under UK data protection legislation, companies must establish a lawful foundation for processing personal data and are required to provide enhanced protections specifically designed for children. Services likely to be accessed by individuals under 18 must comply with the ICO's Age Appropriate Design Code, commonly known as the children's code.
Inadequate Age Verification Mechanisms
Although Reddit's terms of service explicitly prohibit children under 13 from using the platform, the ICO investigation found that until July 2025, the company had no effective mechanisms to verify users' ages. Regulatory estimates indicate that a significant number of under-13s were actively using the service during the period under investigation.
In July 2025, Reddit introduced age verification measures for accessing mature content and began requiring users to declare their age when creating new accounts. However, the ICO emphasized that relying solely on self-declaration carries substantial risks because such systems can be easily bypassed by determined users.
Regulatory Commentary and Ongoing Scrutiny
UK Information Commissioner John Edwards expressed serious concerns about Reddit's failures, stating: "It's deeply troubling that a company of Reddit's scale neglected its legal duty to protect the personal information of UK children. Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. This left them potentially exposed to content they should never have encountered. Such negligence is completely unacceptable and has resulted in today's substantial fine."
Edwards further emphasized that companies operating online services likely to be accessed by children must ensure they implement effective age assurance measures. The regulator confirmed it continues to review Reddit's current controls as part of broader work focusing on platforms that depend primarily on self-declared age information.
Determining the Penalty and Broader Context
In determining the £14.47 million penalty, the ICO considered multiple factors including:
- The substantial number of children affected by the data protection failures
- The potential harm caused to young users
- The extended duration of Reddit's compliance shortcomings
- The company's significant global turnover
This enforcement action follows separate regulatory measures against MediaLab and forms part of a comprehensive intervention by the ICO aimed at improving how online platforms handle children's sensitive data. The regulator has highlighted that Reddit also failed to conduct a mandatory data protection impact assessment (DPIA) to evaluate and mitigate risks to children before the January 2025 deadline, representing another serious compliance failure.
