Full Report
Social media giant retorts it doesn't want to collect 'private' data, and plans to appeal
The UK's data protection regulator has fined social media giant Reddit £14.47 million ($19.5 million) over its use of children's data.…
Analysis Summary
# Regulation/Compliance: Protection of Children's Personal Data Online (UK Focus)
## Overview
This summary details enforcement action taken by the UK's data protection regulator against a social media platform (Reddit) concerning the processing of children's personal data, highlighting failures in age assurance mechanisms and mandatory compliance procedures like Data Protection Impact Assessments (DPIAs).
## Key Details
- Issuing Authority: Information Commissioner's Office (ICO)
- Effective Date: The fine enforces existing UK GDPR duties rather than a new rule. The related Online Safety Act child-safety duties, which are enforced separately by Ofcom, took effect on July 25, 2025 (the report gives the day; the year follows from the surrounding timeline). Reddit's failure to implement age assurance predates July 2025.
- Jurisdiction: United Kingdom (UK)
- Status: Fine issued, subject to appeal.
## Requirements
### Mandatory Requirements
1. **Age Assurance/Verification:** Organizations operating online services "likely to be accessed by children" must implement appropriate and effective age assurance measures to ensure children (particularly those under 13) are not exposed to risks through the way their data is used.
2. **Lawful Basis for Processing:** Personal data for users under the age of 13 must not be collected or processed without a demonstrable lawful basis.
3. **Data Protection Impact Assessments (DPIAs):** Organizations must carry out mandatory DPIAs for processing activities that present a risk, especially when dealing with children's data. Failure to conduct a required DPIA is a breach in itself.
4. **Protection of Children's Data:** Companies have a legal duty to protect the personal information of children, ensuring it is not collected and used in ways children cannot understand, consent to, or control.
### Recommended Practices
1. **Transparency and Control:** Provide age-appropriate notices and consent and settings controls so that children can understand and control how their personal information is used; age assurance determines who is a child, it does not by itself deliver transparency.
2. **Cooperation with Regulators:** Compliance efforts should align with expectations from both the ICO (data protection) and Ofcom (Online Safety Act jurisdiction).
## Affected Organizations
- Industries: Online services, particularly social media platforms, apps, and websites likely to be accessed by children.
- Organization Size: The enforcement action targets a large company operating internationally, but the underlying UK GDPR duties apply regardless of size to any service with UK users.
- Geographic Scope: Organizations serving users within the UK.
## Compliance Timeline
- **Prior to January 2025:** Reddit had not carried out the DPIA required for its processing of children's data (the platform had users aged 13-18).
- **Prior to July 2025:** Reddit did not introduce an age assurance mechanism, despite having users under 13.
- **July 8, 2025:** ICO issued provisional findings to Reddit.
- **July 25, 2025:** New Online Safety Act child-safety rules took effect, increasing enforcement activity.
- **February 24, 2026 (Date of Fine):** ICO finalized the £14.47 million fine.
- **Post-Fine:** Reddit intends to appeal. The appeal could take years to resolve, so the final outcome and any remediation deadlines remain open.
## Implementation Guidance
### Assessment Phase
- **Risk Profiling:** Immediately assess if the service is "likely to be accessed by children."
- **Data Mapping & Age Review:** Determine the volume and nature of personal data being processed specifically for users whose age is unknown or under the statutory consent age (e.g., under 13).
- **DPIA Review:** Verify if DPIAs were completed for high-risk processing activities involving children's data as required under UK GDPR.
### Implementation Phase
1. **Implement Age Assurance:** Deploy effective, appropriate age assurance mechanisms immediately, especially before allowing users access to accounts or sensitive platform features.
2. **Conduct Required DPIAs:** Conduct and document comprehensive DPIAs for all relevant processing activities, prioritizing those involving minors, to establish risk mitigation strategies.
3. **Review Terms of Service vs. Practice:** Align terms of service (e.g., minimum age requirements) with actual data processing practices and technical controls.
### Validation Phase
- **Auditing:** Conduct internal audits post-implementation to confirm new age assurance controls prevent underage access effectively.
- **Regulatory Review:** Prepare documentation for potential audits by the ICO demonstrating the efficacy of new age verification and data minimization practices.
## Technical Requirements
- **Age Assurance Mechanisms:** Implementation of controls (potentially third-party verification, as demonstrated by Reddit's move to use identity verification for mature content) to reliably determine user age.
- **Data Minimization:** Techniques must be employed to ensure data collected from verified minors is strictly limited to what is necessary for the service, especially concerning identifying information.
## Penalties & Enforcement
- **Fines:** **£14.47 million ($19.5 million)** was imposed for failures related to children's data protection. The fine was issued by the ICO under data protection law, not by Ofcom (which enforces the main Online Safety Act duties), so data protection enforcement alone can carry substantial penalties.
- **Other Consequences:** Potential for ongoing regulatory scrutiny, reputational damage, and requirement to remediate compliance failures. The ICO continues to investigate 17 other platforms.
- **Enforcement:** Enforced by the ICO under data protection legislation (UK GDPR), with regulatory scrutiny increasing under the new Online Safety Act framework (which involves coordination with Ofcom).
## Related Standards
- **UK GDPR (the UK's retained version of the General Data Protection Regulation, read with the Data Protection Act 2018):** The basis for the ICO's power to issue the fine, particularly the requirements for a lawful basis for processing and for DPIAs.
- **Online Safety Act (OSA):** While the fine stemmed partly from GDPR, the context involves the OSA, which places duties on platforms regarding child safety and risk exposure.
## Resources
- Official Documentation: Seek current ICO guidance on Age Appropriate Design Code requirements and DPIA mandates under UK GDPR.
- Guidance Documents: Review ICO guidance regarding children's data processing and age verification standards.
- Tools: Consider utilizing recognized industry frameworks for risk management and DPIA templates.
## Practical Recommendations
1. **Prioritize DPIAs:** Immediately review and execute any outstanding DPIAs, treating processing involving minors as a high-priority risk area.
2. **Adopt Robust Age Verification:** Do not rely solely on self-declaration for age. Invest in or adopt industry-accepted age assurance technology, even where collecting age evidence appears to sit uneasily with a data minimization stance (the tension Reddit raised in saying it does not want to collect 'private' data).
3. **Monitor Enforcement:** Track the outcome of Reddit's appeal closely, as this may set precedents for the enforceability and interpretation of new statutory duties regarding age verification.