The UK Information Commissioner's Office (ICO) has fined Reddit £14.47 million after finding serious failings in how the platform handled children's personal information.
The ICO found Reddit did not apply robust age assurance measures and therefore could not be confident about the ages of users. As a result, the regulator concluded that personal data of children under 13 was processed without an appropriate lawful basis.
The ICO also found Reddit failed to complete a data protection impact assessment (DPIA) to assess and mitigate risks to children before January 2025. The regulator highlighted that relying on self-declared age is easily bypassed and is not sufficient where children may be at risk.
The decision forms part of a wider ICO intervention aimed at improving the protection of children's personal information online.
Acompli perspective: Where children are likely users, regulators expect evidence of age assurance decisions, a DPIA, and controls that work in practice — not just policy statements. Understanding what children's data is being collected requires comprehensive data mapping, while data handling practices should be fully documented. The scale of GDPR enforcement in this area underlines the urgency.