UK Regulator Fines Reddit £14.5 Million for Failing to Protect Children's Data
London, Wednesday 25 February 2026
On 24 February 2026, the UK’s Information Commissioner’s Office fined Reddit £14.5 million for inadequately safeguarding users under 13. The regulator determined that Reddit’s lax age verification measures allowed for the unlawful harvesting of children’s data, rejecting the platform’s counter-argument that avoiding identity checks was necessary to preserve user privacy.
Systemic Failures in Age Assurance
The penalty of £14.5 million addresses the platform’s unlawful use of personal information belonging to children, a violation identified by the regulator on Tuesday, 24 February 2026 [1][2]. The ICO’s investigation concluded that personal data of users under the age of 13 was harvested and utilised in manners they lacked the capacity to understand or consent to [2]. Although Reddit is designed exclusively for users aged 13 and older, the regulator found the company failed to implement adequate age verification controls, thereby allowing minors to bypass restrictions and generating data records in breach of the UK Online Safety Act [2].
Inadequate Mitigation Measures
Attempts to rectify these vulnerabilities were introduced in July 2025, when Reddit implemented new checks for account creation and access to adult content [3]. However, the ICO dismissed these measures as easily circumventable, noting that they failed to prevent children from accessing harmful material or having their data processed [2][3]. The regulator estimated that a significant number of underage users remained on the platform, a factor that heavily influenced the magnitude of the fine [3][4].
The Privacy Paradox and Regulatory Headwinds
Reddit has confirmed it intends to appeal the decision, challenging the regulator’s demand for more intrusive data collection [3][4]. The company argues that mandating identity checks undermines its core commitment to user privacy. In a statement following the ruling, Reddit emphasised that it does not require users to disclose identity information, regardless of age, viewing anonymity as a component of user safety [3][4]. This legal battle underscores the complex compliance landscape for SaaS and social platforms, where protecting user privacy often conflicts with regulatory mandates for definitive age assurance.
Broader Implications for the Digital Economy
The regulatory environment in the UK is becoming increasingly hostile to passive compliance strategies. Beyond this specific enforcement, the British government is currently formulating stricter protocols to safeguard children online, including considering a total ban on social media for those under 16 [3][4]. For investors and digital economy stakeholders, this case serves as a precedent: the cost of non-compliance is rising, and the expectation for “safety by design” is shifting from a best practice to a rigid legal requirement.