Share
This article was co-authored by Sydnie Shaw, Trainee Solicitor.
The UK’s data regulator has fined Reddit, Inc. £14.47 million for processing children’s personal data unlawfully. In this article, we consider what this means for other organisations who process children’s personal data, and the increased regulatory focus on protecting children online.
The Information Commissioner's Office (“ICO”) is the UK’s data regulator, although it will be replaced in the near future by the Information Commission. The ICO has a clear focus on protecting children’s personal data. While the fine itself is noteworthy, the broader implications for online platforms, particularly those operating mixed-age services, are far more consequential.
The regulatory context
The ICO’s action sits within its wider strategy of enforcing children’s privacy standards under the UK’s data protection framework, including the Age Appropriate Design Code (Children’s Code). Over the past few years, the ICO has made clear that children’s personal data warrants enhanced protection, and that platforms cannot rely on passive or reactive compliance models where children are likely to access their services.
This decision reinforces three core regulatory expectations:
- Proactive age assurance
Platforms must take proportionate steps to understand whether children are using their services. Where a service is likely to be accessed by children, a failure to implement effective age assurance mechanisms may expose organisations to regulatory risk. - High default privacy settings
Children’s accounts must default to the most privacy-protective settings. Features that increase visibility, profiling, or behavioural advertising require particularly careful scrutiny. - Transparency and fairness
Privacy information must be concise, intelligible and tailored to younger users where appropriate. Complex, adult-oriented privacy notices are unlikely to satisfy fairness obligations.
Why this decision matters
The ICO continues to reject arguments that platforms are “adult services” simply because they are not designed specifically for children, or their terms of use state that only adults may use their services. If children are realistically likely to access a platform, the Children’s Code is engaged.
The Reddit fine is merely the latest example of a more muscular regulatory approach when it comes to protecting children’s privacy, cementing a move away from a lighter touch approach of guidance and informal action. Other examples include a £12.7 million fine for TikTok (see our article) and a recent £247,590 fine for MediaLab (see the ICO’s decision here). The ICO is willing to impose meaningful financial penalties where systemic shortcomings are identified.
Taken together, these cases demonstrate a clear and sustained shift towards firmer, more interventionist enforcement in the area of children’s privacy, with the ICO signalling that proactive compliance is now an expectation rather than an option.
A principal theme of children’s privacy enforcement is not the mere existence of risk, but the adequacy of the organisation’s data protection impact assessments, governance oversight, and mitigation strategies. The ICO can and will act where children are exposed to risks online as a result of insufficient consideration of their specific vulnerabilities and needs.
Conclusion: a clear message
Organisations must show that they have specifically considered risks to children including profiling, content exposure, contact risks, and behavioural nudging. Mitigation measures must be a core aspect of product design, and children’s privacy compliance must be demonstrable, embedded, and defensible.
The Reddit fine is not an isolated enforcement action. It is a continued signal that children’s data protection is a regulatory priority, and that tolerance for inadequate compliance is diminishing.
Insurance and reinsurance
United Kingdom