Changeflow GovPing Data Privacy & Cybersecurity ICO Fines Reddit for UK GDPR Violations
Urgent Enforcement Amended Final

ICO Fines Reddit for UK GDPR Violations

Favicon for ico.org.uk ICO Enforcement
Filed February 23rd, 2026
Detected March 19th, 2026
Email

Summary

The UK's Information Commissioner's Office (ICO) has fined Reddit, Inc. £14.4 million for violating UK GDPR. The penalty stems from failures in age assurance mechanisms and data protection impact assessments, which unlawfully processed children's data and potentially exposed them to harmful content.

View original document View source feed page

What changed

The Information Commissioner's Office (ICO) has issued a £14,472,500.00 penalty to Reddit, Inc. for infringements of Articles 5(1)(a), 6, 8, and 35 of the UK GDPR. Specifically, the ICO found that Reddit failed to implement robust age verification for users under 13, lacking a lawful basis for processing their personal data. Additionally, Reddit did not conduct a data protection impact assessment before January 2025 to evaluate and mitigate risks to children's data.

These findings indicate that Reddit unlawfully processed children's data, potentially exposing them to inappropriate and harmful content. Regulated entities, particularly online platforms processing data of minors, should review their age verification processes and data protection impact assessment procedures to ensure compliance with UK GDPR requirements. Failure to comply could result in significant financial penalties and reputational damage.

What to do next

  1. Review and enhance age assurance mechanisms for users under 13.
  2. Conduct data protection impact assessments for processing children's data.
  3. Ensure lawful basis for all personal data processing activities.

Penalties

£14,472,500.00 penalty

Source document (simplified)

Reddit, Inc.

  • Date 23 February 2026
  • Type Enforcement notices

  • Sector Online technology and telecoms
    We imposed a £14,472,500.00 penalty to Reddit, Inc. for infringing Articles 5(1)(a), 6, and 8, and Article 35 of the UK GDPR. We found that Reddit, Inc.:

  • failed to apply any robust age assurance mechanism and therefore did not have a lawful basis for processing the personal information of children under the age of 13; and

  • failed to carry out a data protection impact assessment to assess and mitigate risks to children before January 2025.
    These failures meant Reddit was using children’s data unlawfully, potentially exposing children to inappropriate and harmful content.

Named provisions

Articles 5(1)(a), 6, and 8 Article 35

Related changes

Favicon for ico.org.uk Cumbria Constabulary Information Notice
Routine Mar 18, 2026 ICO Enforcement Data Privacy & Cybersecurity
Favicon for ico.org.uk Data Theft Conviction: Munro and Chipoma Sentenced
Urgent Mar 18, 2026 ICO Enforcement Data Privacy & Cybersecurity
Favicon for ico.org.uk ICO Enforcement Action Against North Tees NHS Trust
Priority review Mar 18, 2026 ICO Enforcement Data Privacy & Cybersecurity
Favicon for www.mass.gov Worcester State University Data Breach Notification
Priority review Mar 19, 2026 Massachusetts - Breach Notification Letters (Mar 2026) Government General
Favicon for www.mass.gov Hingham Municipal Lighting Plant Data Breach Notification
Priority review Mar 19, 2026 Massachusetts - Breach Notification Letters (Mar 2026) Government General
Favicon for iapp.org GDPR Article 25: Data Protection by Design and Default Factors
Priority review Mar 19, 2026 IAPP Privacy News Data Privacy & Cybersecurity

Source

Favicon for ico.org.uk
ICO Enforcement ico.org.uk/action-weve-taken/enforcement
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
ICO
Filed
February 23rd, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive
Document ID
ICO Enforcement

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Data Processing Age Verification
Threshold
Processing personal data of children under 13
Geographic scope
United Kingdom

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Children's Data GDPR

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 211 Consumer Protection 35 Courts & Legal 243 Data Privacy & Cybersecurity 59 Defense & National Security 48 Education 20 Energy 96 Environment 81 Government & Legislation 240 Healthcare 106 Housing 15 Immigration 8 Insurance 55 Labor & Employment 107 Pharma & Drug Safety 72 Securities & Markets 73 Tax 48 Telecom & Technology 34 Trade & Sanctions 122 Transportation 56

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when ICO Enforcement publishes new changes.

Free. Unsubscribe anytime.