Contact us

Search

The Information Commissioner’s Office steps up efforts to protect children’s personal data online

read time: 3 mins read time: 3 mins
12.05.26 12.05.26
<a href="/our-people/hannah-elliott">Hannah Elliott</a>, <a href="/our-people/chirag-patel">Chirag Patel</a> Hannah Elliott, Chirag Patel

Following recent enforcement action against MediaLab, the Information Commissioner’s Office (ICO) has continued to prioritise regulatory intervention aimed at improving the protection of children’s personal data online.

Most recently, the ICO imposed a £14.47m fine on Reddit after concluding that the platform had failed to implement adequate age assurance measures and had breached fundamental requirements under UK data protection law. In particular, the ICO found that Reddit had been processing personal data of children under the age of 13 without a valid lawful basis.

This article examines the ICO’s decision to fine Reddit and considers the wider regulatory focus the ICO is placing on safeguarding children’s privacy online.

The ICO’s initial findings

The ICO identified a number of serious compliance failings:

  • Although Reddit’s terms of service prohibited users under the age of 13 from using the platform, it did not operate sufficiently robust age‑assurance mechanisms to verify users’ ages in practice.
  • There were an estimated significant number of users under the age of 13 using the platform, and Reddit did not have a lawful basis for processing their personal data.
  • Reddit had not carried out a data protection impact assessment to identify and mitigate the risks associated with processing children’s personal data, despite allowing users aged between 13 and 18 to access the service.
  • Children were at risk of exposure to inappropriate and harmful content because of the above failings.
  • Children’s personal data was collected and used in a way that they could not understand, consent to or control.

How did the ICO calculate the fine?

In setting the fine, the ICO took into consideration the following:

  • the number of children affected by the infringement;
  • the degree of potential harm caused;
  • the duration of the failings; and
  • Reddit’s global turnover.

Regulatory message from the ICO

The ICO has been clear that there is a duty on companies such as Reddit to protect the personal data of children. The UK Information Commissioner, John Edwards, stated that companies operating online services which are likely to be accessed by children have a responsibility to protect those children by ensuring that they are not exposed to risk through the use of their personal data.

While Reddit introduced age-assurance measures in July 2025, such as age verification through self-declaration, the ICO considers these measures to be insufficient, noting that self-declaration is easily circumvented and does not adequately mitigate risks to children.

The ICO open letter

On 12 March 2026, the ICO published an open letter to social media and video sharing platforms calling for the strengthening of age assurance measures and effective age gates, to ensure young children are not accessing services which are not designed for them. The ICO’s open letter sets out the following key messages:

  • Platforms should make use of new and viable age assurance technologies that are readily available. These include facial age estimation, digital ID or one-time photo matching.
  • Platforms with a minimum age must move beyond reliance on self-declaration which is easily circumventable and may result in children’s personal data being unlawfully collected and used without the protection children are entitled to.

What's next?

The ICO is committed to protecting children online and will continue its regulatory focus on children’s privacy.

Organisations that operate online services which are likely to be accessed by children should consider:

  1. Reviewing age assurance measures and, where necessary, ensuring robust mechanisms are in place beyond self-declaration.
  2. Conducting data protection impact assessments early and updating them regularly.
  3. Proactively applying the ICO’s Age Appropriate Design Code, a statutory code of practice which applies to online service likely to be accessed by children in the UK.
  4. Ensuring that real world practices align with privacy policies.

For more information on this topic, please contact our privacy and data team.

Related services

Legal Services
Privacy & Data

Related news & insights

View all
Cans Of Graffiti
Event (Starts Thursday 16 Apr 2026)

Ashfords Connect: graffiti networking workshop

Data And Machine Learning Concept
Article

The extra-territorial reach of the UK GDPR - Clearview AI is permitted to appeal
Cybersecurity And Data Protection Concept
Article

MediaLab fined over children’s data protection failings: what can organisations learn from this?

Sign up for legal insights

We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.  

Sign up