ICO issues Reddit with £14.47m fine for children’s privacy failures

The UK’s Information Commissioner’s Office (ICO) has fined Reddit £14.47m after finding the company failed to use children’s personal information lawfully. 

Serious failures in age assurance under UK data protection law 

The ICO’s investigation found that Reddit: 

• Failed to apply any robust age assurance mechanism and therefore did not have a lawful basis for processing the personal information of children under the age of 13. 

• Failed to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children before January 2025. 

These failures meant Reddit was using children’s data unlawfully, potentially exposing them to inappropriate and harmful content.  

In July 2025, Reddit introduced age assurance measures that include age verification to access mature content and asking users to declare their age when opening an account. The ICO informed Reddit that relying on self-declaration presents risks to children as it is easy to bypass. The regulator is keeping Reddit’s processing of children’s personal information under review as part of on-going work focusing on online platforms that primarily rely on self-declaration - an area of focus for the ICO, as set out in its December 2025 children’s privacy progress update. 

John Edwards, UK Information Commissioner, said: “It's concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children. 

“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine. 

“Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place. 

“Reddit failed to meet these expectations. They must do better and we are continuing to consider the age assurance controls now implemented by the platform. 

“Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. I therefore strongly encourage industry to take note, reflect on their practices and urgently make any necessary improvements to their platforms.”   

Summary of findings and action 

• Reddit's terms of service prohibited children under 13 years of age using its platform, but despite that it did not have measures in place to check the age of users accessing its platform until July 2025.  

• The ICO’s estimates indicated that there were a large number of children under 13 on the platform and Reddit did not have a lawful basis for processing their personal information.  

• Reddit had not carried out a DPIA focusing on the risks of using children's personal information before January 2025, even though children between 13 and 18 were allowed to use the platform.  

• By using under 13 year olds’ personal information without a lawful basis and without having properly considered the risks to children more generally, children were at risk of exposure to inappropriate and harmful content on Reddit’s platform.  

• In setting the penalty amount, the ICO took into consideration the number of children affected by this infringement, the degree of potential harm caused, the duration of the failings, and Reddit’s global turnover. 

ICO’s role and remit in protecting children online  

The ICO is the UK’s independent regulator for data protection, and safeguarding children’s privacy online is a priority.   

UK data protection law says children should be given special treatment when it comes to their personal information. The ICO’s Age appropriate design code (also known as the Children’s code) translates the legal requirements into design standards for online services likely to be accessed by under-18s, helping organisations understand what is expected of them. That includes considering children’s best interests in all aspects of the design of online services and giving them a high level of privacy by default.  

  In December 2025, the ICO reported strong progress on its Children’s code strategy, including a proactive supervision programme to drive improvements in how social media and video sharing platforms handle children’s data.  

The ICO will continue to push for further changes where platforms do not comply with the law or conform to the Children’s code. 

It will continue to work closely with Ofcom, which has responsibility for enforcing the Online Safety Act, to ensure the efforts are coordinated. 

Age assurance advice for online services   

Age assurance tools act as a guardrail to prevent children from accessing online services they shouldn’t be using or to help platforms tailor their online experience accordingly.   

These tools can form part of a proportionate approach to reducing the data risks children face online and supporting conformance with the Children’s code.  

To support them in tailoring an age-appropriate experience, organisations should match the age assurance method they use to the level of risk on their platform. Organisations can either apply the full protections of the Children’s code to all users or use proportionate age assurance tools to tailor safeguards by age.    

Where children under a certain age are not allowed to use a service, organisations must focus on preventing access and enforce their minimum age requirements using robust age assurance methods.   

Further guidance is available in the ICO’s age assurance opinion. 

ends