ICO’s age assurance expectations and the £14.5m Reddit fine: what organisations need to know

Last month, the Information Commissioner’s Office (ICO) issued a fine of £14.47m to social media platform Reddit for failures related to the processing of children’s data. The formal Monetary Penalty Notice published last Thursday (19 March) details the technical and systemic failings that led to this fine. 

The Reddit fine represents the highest fine by the ICO since the £14.5 million issued to TikTok back in April 2023, also for children’s privacy breaches (see our article here). The message to any organisation providing online services likely to be accessed by children is clear: simply stating in your terms and conditions that children are not allowed to use your service and relying on users to self-declare their age is not sufficient where children may be exposed to harmful content. Organisations must have effective technical measures in place to prevent children from accessing services that are not designed for them.

What went wrong at Reddit?

No effective age assurance

Reddit is the UK’s sixth most visited online organisation among 18-24 year olds (Ofcom). The ICO’s estimates of the number of children accessing the platform are approximately 537,000 in 2024, with around 226,000 of these being under 13 years old. 

Whilst Reddit's terms of service have long prohibited children under 13 from using the platform, the ICO found that Reddit had no measures in place to verify or check user ages until July 2025. During the relevant period, the platform was freely accessible to anyone who visited the site. Users who opted to set up an account, in order to post content or to access content that was designated as only being appropriate for adults, were asked simply to declare whether they were over 18 years old, without any sort of age verification being applied.

Only in July 2025 did Reddit introduce age verification for mature content and require users to self-declare their age when opening an account. The ICO makes it clear that these steps are insufficient, noting that a self-declaration mechanism was too "easy to bypass". 

The ICO rejected Reddit’s argument that it would have been disproportionate for Reddit to have introduced age assurance, given that children under 13 years old were a small minority of the platform’s users and that the platform was not designed to appeal to children. Reddit considered that its approach struck the correct balance between the competing rights of children under 13 years old and of the majority of its users. 

The ICO disagreed. The ICO emphasised that irrespective of what proportion of users of the platform they comprise, the absolute number of children and young children accessing the platform was substantial and therefore Reddit should have taken steps, under the UK GDPR, to protect their rights and interests.

Unlawful processing of children’s data

The ICO’s investigation found that due to a lack of effective age assurance mechanisms, Reddit processed the personal data of a large number of users under the age of 13 (around 226,000 according to the ICO’s estimates) without a valid lawful basis to do so under the UK GDPR.

In particular, Reddit was not able to rely on consent as its lawful basis for processing the personal data of children under 13 years old on the platform in accordance with Article 6(1)(a) UK GDPR. Reddit failed to ensure that consent was given or authorised by the holder of parental responsibility over these children, and/or was failing to make reasonable efforts to verify in such cases that consent was given or authorised by the holder of parental responsibility, taking into consideration available technology, as required under Article 8 UK GDPR.

Failure to carry out a DPIA

The investigation also found that Reddit had failed to carry out a data protection impact assessment (DPIA) before January 2025. A DPIA is required under Article 35(1) UK GDPR whenever processing is likely to pose a high risk to individuals, and a platform hosting largely unmoderated, user-generated content accessible to children is a clear case in point. Furthermore, the ICO’s Children’s Code (see below) requires organisations offering online services that children are likely to access to carry out a DPIA focused specifically on risks to children.

The ICO highlighted that this processing occurred in a setting where a substantial amount of content was available on the platform that was unsuitable for children and potentially harmful to them, including pornography, and discussions of subjects such as suicide, self-harm, substance abuse, and eating disorders. As a result of Reddit’s failure to conduct a timely impact assessment, and/or to introduce appropriate age assurance measures, children, including very young children, were potentially exposed to this content.

Enforcement and penalty

In determining the penalty, the ICO took into account:

  • the number of children affected;
  • the degree of potential harm;
  • the duration of the failings; and
  • Reddit's global turnover. 

The ICO has confirmed that it will continue to assess whether Reddit’s operation of the platform following the introduction of age assurance measures in July 2025 complies with its obligations under the UK GDPR.

Reddit has confirmed that it intends to appeal the decision.

Broader enforcement context

In relation to Reddit, Information Commissioner John Edwards was clear on the ICO’s stance in relation to age self-declaration:

"Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. [Organisations must] take note, reflect on their practices and urgently make any necessary improvements to their platforms."

This message is further reinforced by the ICO’s open letter published on 12 March urging platforms to act today to keep children safe online. It is clear that the ICO expects platforms with a minimum age to move beyond relying on children to self-declare their ages, which they can easily bypass. Instead, the expectation is that platforms should make use of the technology that is now readily available to enforce their own minimum ages and prevent these children from accessing their services.

The Reddit fine comes off the back of the ICO’s £247,590 fine to MediaLab.AI, Inc. (owner of image-sharing platform Imgur) for similar children’s privacy failings. It is clear that safeguarding children’s privacy and online safety continues to be a key regulatory focus, as highlighted by the Information Commissioner at the IAPP conference in London last month.

Protection of children’s data

The Data (Use and Access) Act 2025 (“DUAA”) provides that online services which are likely to be accessed by children must consider ‘children’s higher protection matters’ when determining what measures are appropriate to ensure data protection by design and default. The ICO’s DUAA guidance for organisations provides that organisations will satisfy this requirement if they conform with its ‘Age Appropriate Design Code,’ more commonly known as the Children's Code. 

The Children’s Code is a statutory code of practice setting out 15 standards that online services must follow when processing children's data. It applies to any online service likely to be accessed by children in the UK, whether children are the target audience or not. At its core, the Children’s Code requires organisations to prioritise children’s best interests in service design and to provide a high level of privacy by default.

The ICO expects organisations to use age assurance measures as a "guardrail" to prevent children from accessing services they should not be using, or to “tailor their online experience accordingly”. Organisations must match the age assurance method they use to the level of risk on their platform: those that host user-generated content, social features, or mature material (e.g., Reddit) will face correspondingly higher expectations. 

Where children below a certain age are prohibited from using a service, organisations must enforce that prohibition. Reddit's failure to do so for over seven years is precisely the kind of non-conformance the Children’s Code is designed to address, and the ICO has confirmed it will continue to push for further changes where platforms do not comply with the law or conform to the Children’s Code. 

There is also significant overlap with Ofcom's enforcement of the Online Safety Act. The two regulators are working closely together, and businesses now face a dual regulatory environment where the consequences of non-compliance are substantial. 

Practical takeaways

Given the ICO’s continued focus on children’s privacy, organisations providing online services for children should consider the following steps:

  • Assess age assurance mechanisms – self-declaration is unlikely to be sufficient. Services featuring user-generated content or mature material will face higher expectations.
  • Conduct DPIAs (or review/update existing DPIAs) – organisations should assess the risks of any online service that is likely to be accessed by children. Reddit's failure to carry out a DPIA was a standalone ground for enforcement action.
  • Go beyond terms of service – contractual age prohibitions or terms of service, without technical enforcement, are unlikely to satisfy UK data protection requirements where there is a risk of children interacting with harmful content.
  • Assess compliance against the Children's Code – review your policies and processes against the Children’s Code.

For queries or advice on the content of this article, please contact Hamish Corner, Lucy Pegler, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team.

This article was written by Ben Randall and Amanda Leiu.
