ICO reddit gdpr fine puts age checks and children data protection under fresh scrutiny

Regulators have reignited debate over privacy, online child safety and the reddit gdpr fine after the UK watchdog sanctioned the platform over under-13s data.

ICO sanctions Reddit over child data and age checks

The UK’s Information Commissioner’s Office (ICO) has issued a £14.47m ($19.6m) penalty to Reddit for alleged GDPR breaches involving children, in a decision announced on 24 February 2026. However, privacy advocates warn that the enforcement approach could undermine user anonymity and security across online platforms.

The regulator said the ico reddit fine was based on two core failings. First, Reddit lacked “robust” age assurance measures, leaving it without a lawful basis to process the personal data of users under 13. Second, it did not complete a formal data protection impact assessment (DPIA) to identify and mitigate risks to children on the service before January 2025.

According to the ICO, the amount of the sanction reflected several factors. These included the large number of children using the site, the potential harm they could face, the length of time the failings persisted and Reddit’s global turnover. Moreover, investigators highlighted the nature of the content that children may have been exposed to.

Regulator: Reddit failed younger users

Information commissioner John Edwards said children under 13 had their personal information collected and used in ways they could not fully comprehend or control. That left them potentially exposed to content that was inappropriate for their age group, he argued in a strongly worded statement.

“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine,” Edwards said. He stressed that companies must design services with children in mind from the outset.

Edwards added that online services which are likely to attract children have a clear responsibility to protect them. To do so, they must know, with reasonable confidence, how old their users are and deploy appropriate, effective age checks. That said, he did not prescribe a specific technology, instead focusing on outcomes and risk reduction.

Reddit’s response and privacy-based objections

Reddit pushed back, arguing that its long-standing design choices prioritised user anonymity and security. In a statement, the company said it “didn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety.” However, it did not dispute that children had accessed the platform.

The platform introduced age gates for accessing “mature content” in July 2025 and began asking new users to state their age when creating an account. The ICO acknowledged these changes but said self-declaration alone was too easy to bypass and did not satisfy GDPR standards for higher-risk processing involving minors.

Privacy specialists expressed support for Reddit’s stance, arguing that stricter checks could fuel age verification concerns. They warned that mirroring the intrusive identity requirements imposed on some adult content sites might increase the attack surface for cybercriminals and weaken overall privacy protections.

Experts warn over age verification privacy concerns

Paul Bischoff, consumer privacy advocate at Comparitech, said he hoped Reddit would resist pressure to implement heavy-handed identity checks. He argued that mandatory verification regimes shift the burden of proof onto users who are not suspected of wrongdoing, raising broad civil liberties issues.

“The problem with mandatory identity verification is that it places an undue burden of proof on the vast majority of people not suspected of any wrongdoing,” Bischoff warned. Moreover, he said there was little robust evidence that such schemes deliver the claimed safety benefits, particularly at scale.

He added that coercive checks can have a chilling effect on freedom of expression and association. In his view, parents must assume more responsibility for supervising children’s online activity, rather than transferring that duty to private firms, governments or the wider public.

Pieter Arntz, senior researcher at Malwarebytes, also cautioned that age assessment technologies carry significant risks. In particular, he highlighted systems that rely on biometric analysis, financial data or centralised identity repositories, saying each option opens up fresh vectors for abuse, surveillance or data breaches.

Arntz cited facial age estimation using biometrics, open banking checks querying financial information, digital ID wallets and photo-ID matching as examples of tools that may concentrate highly sensitive identity data. Even simpler mechanisms, such as credit card checks, email-based inference or mobile network verification, can raise concerns around exclusion, profiling and reliability, he noted.

Double-blind models as a possible compromise

To reconcile age verification privacy concerns with child safety objectives, Arntz pointed to “double-blind” verification as a more privacy-preserving path. In this model, a trusted third party confirms whether a user meets an age threshold, such as 18+, and then issues an anonymised token to the relying website.

Under this approach, the site receives only a simple indication that a user is, for example, “18+”, without learning their full identity or which specific verification service they used. This can reduce data exposure, limit cross-service tracking and avoid the creation of large “honeypots” of sensitive personal information that are attractive to attackers.

According to Arntz, such architectures could offer stronger privacy protections than many current schemes while still fulfilling regulatory demands. However, they would require careful technical design, clear governance and robust oversight to ensure that they genuinely limit data collection rather than reintroducing risks through back-end integrations.

Compliance obligations and reddit gdpr fine lessons for industry

The reddit gdpr fine also underlines broader obligations around children data protection for any online service used by minors, whether or not they are the intended audience. Strategy and governance failures around DPIAs and age checks are likely to attract more regulatory attention as enforcement matures.

Chris Linnell, associate director of data privacy at Bridewell, said that when processing children’s data, conducting a DPIA is not optional. Instead, it is a statutory requirement intended to ensure organisations assess, document and mitigate risks before harm occurs, particularly where profiling or content targeting is involved.

Linnell argued that the absence of a robust DPIA suggests risks to children were not properly identified or addressed at the outset. Moreover, he said relying solely on terms and conditions that state under-13s should not use the service does not constitute an effective protection if there are no technical controls to back it up.

“If no effective technical or operational controls are in place to enforce that rule, the organization cannot credibly argue that it has taken reasonable steps to prevent access,” he said. “Compliance cannot sit solely in contractual wording; it must be reflected in practical safeguards.” His comments signal that paper-based policies will not be enough in future enforcement actions.

Recent enforcement and guidance for online platforms

The Reddit decision follows another UK case involving children’s data. Just weeks before, MediaLab, parent company of image-sharing platform Imgur, received a fine of more than £247,000 for failing to use children’s information lawfully. Taken together, the cases show that the ICO is intensifying scrutiny on how social and content platforms treat young users.

Linnell urged online service providers to act now to avoid similar outcomes. First, they should identify where children are likely to access their services, even if those users are not their target audience. Second, they must carry out DPIAs for high-risk processing and ensure those assessments are regularly reviewed and updated.

He also advised firms to establish and document a clear lawful basis for processing children’s data and to implement proportionate, effective controls rather than relying purely on policy statements. That said, these controls should be balanced with privacy-by-design principles to avoid excessive data capture, which itself could create new risks.

Outlook for platforms balancing safety, privacy and compliance

The ICO’s action against Reddit signals a tougher era of enforcement around children and data protection in 2026 and beyond. Platforms that depend heavily on user-generated content will face growing pressure to reconcile safety, privacy and legal duties, while still maintaining viable business models and community trust.

In practice, that means building age-aware designs, running meaningful DPIAs and exploring privacy-preserving verification models, rather than defaulting to blanket identity checks. As regulators and industry test these approaches, the outcome of the reddit gdpr compliance debate is likely to shape global standards for protecting minors online.

Overall, the Reddit case serves as a high-profile warning that child-focused data protection is moving from guidance to enforcement, pushing platforms to strengthen safeguards while defending user privacy.