UK ICO fines Reddit £14.47m over children's-privacy and age-assurance failures

On 24 February 2026 the United Kingdom's Information Commissioner's Office (ICO) announced a £14,470,000 monetary penalty against Reddit, Inc. for failures in protecting the personal data of children using the platform. The regulator concluded that Reddit had no lawful basis to process the data of users under 13, and that the platform's reliance on simple self-declaration of age was an inadequate safeguard against children accessing the service and having their information collected.

The ICO's findings covered conduct over a multi-year period, from May 2018 — the date the UK General Data Protection Regulation and Data Protection Act 2018 framework took effect — through July 2025, when Reddit introduced age-verification measures in response to the UK's Online Safety Act regime. During that window, the regulator found, Reddit's terms of service nominally prohibited under-13 users but did nothing meaningful to enforce that limit, allowing children to register and use the platform while their personal data was processed without a valid legal basis.

A central element of the decision was the absence of a data-protection impact assessment (DPIA) before January 2025. Under UK data-protection law, organisations are required to assess and mitigate risks to individuals — and especially to children — before processing that is likely to result in a high risk to their rights. The ICO determined that Reddit had not carried out such an assessment for the relevant processing, leaving children exposed to what the regulator described as inappropriate and potentially harmful content and data uses.

The penalty was among the larger children's-data fines the ICO had issued and formed part of a broader regulatory push, distinct from the Online Safety Act's content-focused obligations enforced by Ofcom, that targeted how platforms handle minors' personal information specifically. The case underscored a recurring theme in Reddit's regulatory history: that pseudonymous, low-friction sign-up — long central to the platform's identity — sits in tension with statutory duties to keep young children off adult-oriented services and to protect the data of those who slip through.

The fine was a regulatory penalty rather than a private lawsuit, and it represented a finding by the regulator rather than a court verdict after trial. As an administrative decision under the UK data-protection regime, it was in principle subject to appeal to the First-tier Tribunal. The action illustrated how data-protection authorities, separate from speech and content regulators, can impose substantial financial consequences on Reddit over the mechanics of who is allowed onto the platform and how their information is handled.