ICO fines Reddit £14M for failing to enforce under-13 age restrictions

On 24 February 2026 the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for processing children’s data in a way that violated Reddit’s own terms of service.
Privacy regulators are pushing for more accountability, especially when it comes to children’s data. Many companies may have the right privacy policy disclosures, but most companies lack privacy controls to enforce their policies internally. Without a solution to regularly audit user-facing websites and apps and assess actual data flows, privacy teams lack both compliance risk visibility and the evidence to push for tighter controls.
What you need to know:
- Reddit is a social media platform available on the web and as a mobile app, used by over 35 million people in the UK and over 450 million people globally.
- On 24 February 2026, Reddit, Inc. was fined £14.47 million by the UK’s ICO after the regulator said Reddit used children’s personal data unlawfully.
- The ICO found Reddit failed to implement a robust age assurance mechanism to enforce Reddit’s terms of service which prohibit children under 13 from using Reddit’s platform, meaning Reddit lacked a lawful basis for processing the personal data of children under 13.
- The ICO also said Reddit failed to carry out a data protection impact assessment (DPIA) to assess and mitigate children’s risks before January 2025.
- This fine follows a similar penalty imposed on MediaLab (Imgur’s owner), and the ICO framed it as part of a wider intervention to improve the safety of children’s personal data online.
- The key takeaway: if privacy practices on websites and mobile apps don’t match disclosed privacy policies, regulators can easily audit web and app properties to identify privacy violations.
Facts of the UK ICO Reddit fine:
Event date: 24 February 2026
What happened: The UK Information Commissioner’s Office (ICO) issued a £14.47 million fine against Reddit.
Why was the fine so high?
UK GDPR fines can be up to £17.5 million or 4% of an organisation’s annual worldwide turnover, whichever is higher.
A £14.47 million monetary penalty was applied to Reddit. In setting the penalty amount, the ICO said it considered the number of children affected, the degree of potential harm, the duration of the failings, and Reddit’s global turnover.
Stated violations (as described by the ICO):
The ICO said Reddit’s failings included:
- Reddit’s terms of service prohibited children under 13 from using its platform, but it did not have measures in place to check the age of users accessing the platform until July 2025.
- The ICO said Reddit failed to apply any robust age assurance mechanism and therefore did not have a lawful basis for processing the personal data of children under 13.
- The ICO said Reddit had not carried out a DPIA focusing on the risks of using children’s personal data before January 2025, even though children between 13 and 18 were allowed to use the platform.
How did Reddit fail UK GDPR expectations?
Timeline:
- GDPR came into force on 25 May 2018. In parallel, UK online safety and children’s design expectations have continued to rise.
- Reddit’s terms prohibited under-13s from using the platform.
- The ICO said Reddit did not have measures in place to check the age of users accessing its platform until July 2025.
- The ICO issued provisional findings to Reddit on 8 July 2025.
- The ICO said Reddit failed to conduct a children-risk DPIA before January 2025.
- July 2025: Reddit introduced age assurance measures, including age verification to access mature content, and asked users to declare their age when opening an account. Despite this change by Reddit, the ICO has said relying on self-declaration of age isn’t sufficient because it is too easy to bypass.
- The ICO said it is keeping Reddit’s processing of children’s personal data under review as part of ongoing work focusing on online platforms that primarily rely on self-declaration.
What to audit this week: Practical test plan for companies with children’s privacy risk
Below is a quick audit checklist you can use to pressure test your age controls.
5-point age-based test matrix:
- Geo-location: UK (via a VPN, or use in-market testing) and your largest EU market (optional).
- User states: unknown age, under-13 attempt, 13 to 17, and 18+.
- Flows to test: account creation, onboarding, browse and search, and a mature-content access path.
- Auth: logged-out and logged-in (new vs returning users).
- Surfaces: web (Chrome and Safari), plus iOS and Android (include in-app webviews if used).
What to capture as evidence:
- Screenshots of age prompts and outcomes.
- Web HAR files and network logs, plus app proxy captures (endpoints, timestamps, and payload samples).
- Vendor firing list by state (tag manager plus server-side routes).
- SDK inventory and versions (mobile).
- Proof of “state propagation” (where age flag exists: cookie, local storage, header, payload field).
Pass/fail criteria:
- No persistent identifiers or third-party calls fire before the age state is established (any exceptions are documented and minimized).
- Age state consistently suppresses disallowed vendors across web, app, and server-side.
- Under-13 attempt path handled according to policy plus data handling expectations (block plus rollback or deletion workflow where applicable).
- DPIA controls are testable and matched to observed behavior (risk to control to evidence).
- Evidence pack is reproducible (date, geo, device, version, steps).
Retest cadence (automate re-running tests for every release):
Re-run on every release and any time tag manager rules, SDKs, server-side forwarding, or onboarding flows change. Alert on new endpoints or vendors on unknown-age and youth paths.
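The first pass/fail criterion and the retest alert can be checked mechanically against a captured HAR file. The sketch below is an added example, not part of the original article or any vendor's tooling; it assumes the age flag is propagated as a cookie named age_state (a hypothetical name; adapt it if your flag lives in local storage, a header or a payload field) and uses constructed domains and a constructed capture.

```python
from datetime import datetime
from urllib.parse import urlsplit

FIRST_PARTY = ("shop.example",)   # assumption: the audited site's own domains
AGE_COOKIE = "age_state"          # assumption: cookie that carries the age flag

def _ts(entry):
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))

def _first_party(host):
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def audit_har(har, baseline_hosts=()):
    """Check one recorded journey (one geo, user state and surface)."""
    out = {"pre_age_third_party": [], "pre_age_persistent_cookies": [], "new_hosts": []}
    age_known = False
    for entry in sorted(har["log"]["entries"], key=_ts):
        req, resp = entry["request"], entry["response"]
        host = urlsplit(req["url"]).hostname or ""
        # A request already carrying the flag means the state was set earlier.
        if any(c["name"] == AGE_COOKIE for c in req.get("cookies", [])):
            age_known = True
        if not _first_party(host):
            if not age_known:
                out["pre_age_third_party"].append(host)
            if host not in baseline_hosts and host not in out["new_hosts"]:
                out["new_hosts"].append(host)   # vendor absent from the approved run
        set_cookies = resp.get("cookies", [])
        if not age_known:
            # A cookie with an expiry outlives the session: a persistent identifier.
            out["pre_age_persistent_cookies"] += [
                (host, c["name"]) for c in set_cookies
                if c["name"] != AGE_COOKIE and c.get("expires")]
        if any(c["name"] == AGE_COOKIE for c in set_cookies):
            age_known = True                    # state established by this response
    return out

def _entry(sec, url, set_cookies=()):           # builds a minimal HAR entry
    return {"startedDateTime": f"2026-03-01T10:00:{sec}Z",
            "request": {"url": url, "cookies": []},
            "response": {"cookies": list(set_cookies)}}

# Constructed sample capture, not real traffic.
SAMPLE_HAR = {"log": {"entries": [
    _entry("00.000", "https://shop.example/signup"),
    _entry("00.400", "https://t.adnet.example/pixel",
           [{"name": "uid", "value": "x", "expires": "2027-03-01T10:00:00.000Z"}]),
    _entry("05.000", "https://shop.example/api/age", [{"name": AGE_COOKIE, "value": "18plus"}]),
    _entry("06.000", "https://cdn.vendor.example/lib.js"),
]}}
```

Run it per cell of the test matrix, passing the third-party hosts from the last approved capture as baseline_hosts; any non-empty list in the result is a finding to attach to the evidence pack.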
Need web and app privacy auditing that scales?
Privado AI can produce an evidence-backed view of what trackers and SDKs fire across real user journeys and states (geo, logged-in/out, unknown vs known age) and monitor for regressions when tags and SDKs change.


