The UK’s data protection regulator has fined social media giant Reddit £14.47 million ($19.5 million) over its use of children’s data.
The Information Commissioner’s Office (ICO) says Reddit’s terms of service prohibited children under the age of 13 from using the platform, yet it claims the company did not introduce an age assurance mechanism until July 2025.
Prior to that point, the ICO suspects “a large number of children under 13” were using the website, all while Reddit did not have a lawful basis for processing their data.
The regulator claims that before January 2025, Reddit had not carried out a data protection impact assessment (DPIA) on the risks of using children’s data, despite having users between the ages of 13 and 18 on the site.
A DPIA is a mandatory process that must be completed in order for any organization to comply with European data protection laws (including UK GDPR).
The ICO’s insistence that we collect more private information on every UK user is counterintuitive and at odds with our strong belief in our users’ online privacy and safety. We intend to appeal …
The ICO added that by failing to carry out the required assessments, Reddit was potentially exposing these users, and those under the age of 13, to inappropriate or harmful content.
John Edwards, UK Information Commissioner, said: “It’s concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children.
“Children under 13 had their personal information collected and used in ways they could not understand, consent to, or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine.
“Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place.
“Reddit failed to meet these expectations. They must do better, and we are continuing to consider the age assurance controls now implemented by the platform.”
The Register asked Reddit to comment and a spokesperson said: “Reddit doesn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety. The ICO’s insistence that we collect more private information on every UK user is counterintuitive and at odds with our strong belief in our users’ online privacy and safety. We intend to appeal the ICO’s decision.”
The platform says that when users in the UK now try to access mature content, they will be asked to provide their birth date and then go through third-party identity verification to validate that.
It states that it uses Peter Thiel-backed Persona to carry out this process, and can usually be resolved by providing a government ID or a self-submitted headshot.
Persona itself has come under scrutiny in recent days after security researchers claimed the company performs extensive surveillance on the individuals who submit their data, prompting Discord to drop it as a partner.
The ICO issued its provisional findings to Reddit on July 8, 2025, and the fine announced today is a reflection of these findings and Reddit’s response.
The regulator, together with Ofcom – the communications regulator – are tasked with enforcing the Online Safety Act, and the ICO has been hot on its enforcement since new rules took effect on July 25.
Since March 2025, when the probes into Reddit and TikTok began, the data regulator has fined Imgur parent MediaLab for its lack of age assurance mechanisms, prompting the picture-sharing platform to withdraw from the UK.
The ICO is also investigating 17 other platforms, including Discord, Pinterest, and X, and has begun ironing out issues with Meta and Snapchat over how they use children’s location data in their user map features.
As of October 2025, the regulator believes its work has positively impacted more than 3 million children online across several platforms.
Jon Baines, senior data protection specialist at Mishcon de Reya LLP, told The Register: “Any UK GDPR fine of £14.4 million is going to be significant, but given that ICO fines are increasingly rare these days, this one will stand out.
“It’s notable that this fine, which arose in part from inadequate age checks, was by the ICO, and not by Ofcom, who arguably also have regulatory jurisdiction under the Online Safety Act.”
Baines also said that, given Reddit’s likelihood of appealing the decision, the time between issuing the fine and whatever enforcement action is ultimately taken could be years.
“This is an inevitable result of the regulatory scheme in place, but it leaves other data controllers in some uncertainty, whilst the process plays out.
“One part of the fine though, is likely – one assumes – to be relatively uncontroversial: the ICO tells us that there was a failure by Reddit to conduct a data protection impact assessment (DPIA) when one was required. Assuming that is factually correct, it is a simple takeaway for other data controllers: DPIAs are a relatively simple way to both assess data protection risk, and to insulate the controller from aspects of regulatory enforcement.” ®