UK ICO Fines Reddit £14.5M for Unlawful Children’s Data Collection
The UK Information Commissioner’s Office (ICO) has imposed a £14.47 million (approximately $19.5 million) fine on Reddit for unlawfully collecting and processing the personal data of children under the age of 13. The enforcement action underscores the platform’s failure to implement adequate safeguards to protect minors’ data, in violation of the UK General Data Protection Regulation (UK GDPR) and the Children’s Code (Age Appropriate Design Code).
Key Findings and Violations
The ICO’s investigation revealed that Reddit’s practices between 2016 and 2021 did not comply with data protection laws, particularly concerning children’s privacy. Under UK GDPR, organizations must ensure that personal data processing is lawful, fair, and transparent—especially when handling data belonging to minors. The Children’s Code, introduced in 2020, further mandates that digital services likely to be accessed by children must prioritize their best interests, including default privacy settings and data minimization.
Reddit’s violations included:
- Lack of age verification: The platform did not implement robust mechanisms to prevent children under 13 from creating accounts or accessing its services.
- Inadequate privacy safeguards: Default settings and data collection practices did not align with the high privacy standards required for children’s data.
- Failure to obtain valid consent: For users under 13, parental consent is legally required, which Reddit did not consistently secure.
Impact and Regulatory Response
The ICO’s fine reflects the severity of the violations and serves as a warning to other platforms about the consequences of non-compliance with children’s data protection laws. John Edwards, the UK Information Commissioner, emphasized that children’s privacy cannot be compromised, stating:
"Protecting children’s data isn’t optional—it’s a legal requirement. Organizations must take their responsibilities seriously or face significant penalties."
Reddit has not publicly disputed the fine but has reportedly taken steps to enhance its age verification and data protection measures since the investigation.
Compliance Recommendations for Organizations
Security and privacy professionals should note the following takeaways:
- Implement robust age verification: Use technical measures (e.g., age gates, third-party verification) to prevent underage access where prohibited.
- Enforce high-privacy defaults: Ensure settings for children’s accounts prioritize data minimization and opt-in consent.
- Review Children’s Code compliance: Align practices with the 15 standards outlined in the UK’s Age Appropriate Design Code, including transparency and parental controls.
- Conduct regular audits: Proactively assess data processing activities to identify and mitigate risks to minors’ privacy.
The ICO’s action highlights the growing global focus on children’s digital rights and the need for organizations to prioritize compliance with evolving privacy regulations.