The United Kingdom’s Information Commissioner’s Office (ICO) has issued Reddit Inc. a £14.47 million (approximately $19.6 million) fine for unlawfully processing the personal data of children under the age of 13, one of the largest children’s privacy penalties ever imposed by the regulator.
The ICO announced its decision on February 24, 2026, following an investigation into Reddit’s handling of children’s personal information. Investigators concluded that the platform lacked any robust age assurance mechanism and therefore had no lawful basis for processing the personal data of users below 13 years of age.
The ruling is not simply a financial penalty against a single company. It is a formal statement of enforcement priority, and a direct warning to every digital platform that processes user data, regardless of where it is headquartered.
What Reddit Got Wrong
The ICO’s investigation identified two significant breaches of UK data protection law. First, Reddit failed to apply any robust age assurance mechanism and therefore lacked a lawful basis for processing the personal information of children under the age of 13. Second, the company failed to carry out a Data Protection Impact Assessment to assess and mitigate the risks to children before January 2025.
Reddit’s terms of service already prohibited users under 13. The ICO found that prohibition entirely inadequate in the absence of technical enforcement mechanisms. The platform had no meaningful way to check the age of people signing up or browsing content until mid-2025, when it introduced age verification for mature content and began asking age questions at signup.
The regulator was unimpressed. The ICO informed Reddit that relying on self-declaration presents risks to children as it is easy to bypass, and confirmed it is keeping Reddit’s processing of children’s personal information under review.
A Pattern of Escalating Enforcement
This ruling is the ICO’s highest children’s privacy fine in nearly three years, and it follows a deliberate regulatory escalation. The Reddit fine is the latest example of a more muscular regulatory approach when it comes to protecting children’s privacy, cementing a move away from a lighter touch approach of guidance and informal action.
On February 5, 2026, the ICO also fined MediaLab.AI, the owner of the image-hosting platform Imgur, £247,590 for failures in how it handled young users’ personal data. That investigation revealed similar issues relating to insufficient age verification and risk assessment obligations, ultimately leading Imgur to block UK access and withdraw from the UK market entirely.
The message from the ICO is deliberate and consistent: platforms that are “likely to be accessed by children” are held to the Children’s Code, regardless of whether they position themselves as adult services or include age restrictions in their terms. The ICO continues to reject arguments that platforms are “adult services” simply because they are not designed specifically for children, or because their terms of use state that only adults may use their services.
Why This Matters Beyond the UK
The ICO’s enforcement sits within a much larger global convergence. The EU’s Digital Services Act, the UK Online Safety Act, and comparable frameworks emerging across Africa and Asia are all pushing in the same direction: mandatory risk assessments, technical age assurance, and accountable data governance, before harm occurs, not after.
The ICO’s and EU regulators’ work in this area runs parallel to Ofcom’s enforcement of the Online Safety Act in the UK, and to enforcement of the Digital Services Act in the EU, with the ICO confirming that it continues to work closely with Ofcom to coordinate its approach to protecting children online.
For platforms operating across multiple jurisdictions, including those serving African markets where data protection legislation is rapidly maturing, the compliance implications are direct. Data Protection Authorities in Kenya, Nigeria, South Africa, and Ghana are observing the same enforcement patterns and building comparable frameworks. A platform found non-compliant in the UK faces reputational and operational exposure well beyond London.
Reddit’s Response and the Road Ahead
Reddit has stated that it plans to appeal the fine, arguing that stricter age verification could conflict with its privacy principles. That appeal will be closely watched by compliance professionals globally, both for its legal arguments and for the ICO’s likely response, which is expected to reinforce, not retreat from, the standards applied.
In setting the penalty, the ICO took into account the number of children affected, the degree of potential harm caused, the duration of the failings, and Reddit’s global annual turnover. This methodology, anchored to scale, duration, and systemic failure rather than intent, sets the precedent that ignorance and passive terms-of-service compliance are not defences.
The Compliance Standard Has Moved
Boards and legal teams managing digital platforms should treat this ruling as a structural compliance signal, not an isolated enforcement action. The ICO has made clear that it will continue to pursue changes where platforms do not conform to the Children’s Code. Any online service likely to be accessed by users under 18 must now implement demonstrable, technical age assurance, and must document that assessment formally through a DPIA.
The era of hoping children don’t find your platform is over. Regulators have found them already.
