GDPR
Apr 23, 2026

ICO (UK) - MediaLab.AI, Inc

UK ICO fines MediaLab.AI £247,590 for unlawful child data processing on Imgur.

Summary

The UK Information Commissioner's Office (ICO) issued a penalty notice to MediaLab.AI, Inc. on 4 February 2026, fining the company £247,590 (approximately €282,917) for violations of the UK GDPR related to the processing of children's personal data on the Imgur image-sharing platform. The DPA found three violations: unlawful processing of data from users under 13 without a legal basis, failure to implement age verification and obtain parental consent as required by the Children's Code, and failure to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing of users under 18. The investigation was launched in December 2024 following a 2021 review and 2024 inquiry into the platform's age verification practices.

Full text

From GDPRhub. Latest revision as of 14:51, 23 April 2026.

ICO - MediaLab.AI, Inc

Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 35(1) UK GDPR; Article 5(1)(a) UK GDPR; Article 6(1)(a) UK GDPR; Article 8 UK GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.02.2026
Published:
Fine: 247,590 GBP
Parties: MediaLab.AI, Inc
National Case Number/Name: MediaLab.AI, Inc
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: dt

The DPA fined a platform operator GBP 247,590 (approximately €282,917) for the unlawful processing of children’s personal data, the lack of age verification and measures to obtain parental consent, and a failure to carry out an impact assessment.

English Summary

Facts

MediaLab.AI, Inc. (the controller) operates the platform Imgur, an online image sharing and hosting platform.

The UK DPA (ICO) carried out a review in 2021 of the age verification practices of the platform.

The DPA contacted the controller in 2024 regarding concerns due to the absence of any such measures and requested further information about the processing of personal data relating to users of the Platform aged under 18 years old.

Subsequently, the DPA launched an investigation into the controller in December 2024.

Holding

The DPA found three violations of the UK GDPR and fined the controller GBP 247,590 (approximately €282,917).

Firstly, the DPA found that the controller processed personal data relating to users who were under 13 years old without legal basis, in breach of the principle of lawfulness, fairness and transparency in Article 5(1)(a) UK GDPR.

Secondly, the DPA found that the controller permitted children under 13 years old to access the platform under parental supervision but did not use age verification and measures to obtain parental consent, breaching Article 6(1)(a) UK GDPR and Article 8 UK GDPR.

Thirdly, the DPA found a violation of Article 35(1) UK GDPR. Specifically, the DPA noted that the controller failed to carry out a DPIA in respect of prospective high-risk processing of personal data of users who were under 18 years old.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

PENALTY NOTICE
MEDIALAB.AI, INC.

Penalty Notice to MediaLab.AI, Inc. under Section 155(1) Data Protection Act 2018

4 February 2026

CONTENTS

I. INTRODUCTION AND SUMMARY
II. RELEVANT LEGAL FRAMEWORK
III. BACKGROUND TO THE INFRINGEMENTS
  (1) The Children’s Code and the background to the Investigation
  (2) Corporate background
  (3) The Platform
  (4) MediaLab’s processing of personal data
  (5) Child users of the Platform
    (a) The Platform’s Terms of Service and MediaLab’s approach to children using the Platform
    (b) The number of children using the Platform in the UK
IV. FINDINGS OF INFRINGEMENT
  (1) The Relevant Period
  (2) MediaLab’s status as a controller
  (3) Scope of the UK GDPR and DPA 2018
    (a) Material scope
    (b) Territorial scope
  (4) Special protections for children
  (5) The Lawful Basis Infringements
    (a) Legal framework
    (b) MediaLab’s stated position
    (c) Findings on Article 5(1)(a), Article 6 and Article 8 UK GDPR
  (6) The DPIA Infringement
    (a) Legal framework
    (b) Findings on Article 35 UK GDPR
V. DECISION TO IMPOSE A PENALTY
  (1) Legal framework: penalty notices
  (2) Seriousness of the Infringements
  (3) Relevant aggravating or mitigating factors
  (4) Effectiveness, proportionality and dissuasiveness
  (5) The Commissioner’s conclusion on whether to impose a penalty
VI. CALCULATION OF THE PENALTY
  (1) Statutory Maximum Penalty
  (2) Step 1: Assessment of the seriousness of the Infringements
  (3) Step 2: Accounting for turnover
  (4) Step 3: Calculation of the starting point
  (5) Step 4: Adjustment to take into account any aggravating or mitigating factors
  (6) Step 5: Adjustment to ensure the penalty is effective, proportionate and dissuasive
  (7) Conclusion - Penalty
VII. FINANCIAL HARDSHIP
VIII. PAYMENT OF THE PENALTY
IX. RIGHTS OF APPEAL
ANNEX 1
ANNEX 2
ANNEX 3

DATA PROTECTION ACT 2018 (PART 6, SECTION 155)
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER
PENALTY NOTICE

To: MediaLab.AI, Inc.
FAO:
Of: 1222 6th Street, Santa Monica, California, CA 90401

I. INTRODUCTION AND SUMMARY

1. Pursuant to section 155(1)(a) of the Data Protection Act 2018 (“DPA 2018”), by this written notice (“Penalty Notice”), the Information Commissioner (the “Commissioner”) requires MediaLab.AI, Inc. (“MediaLab”) to pay the Commissioner a penalty of £247,590.

2. This Penalty Notice is issued in respect of the Commissioner’s findings of infringement of the following provisions of the UK General Data Protection Regulation (“UK GDPR”):

a) Articles 5(1)(a), 6 and 8 UK GDPR (the “Lawful Basis Infringements”); and

b) Article 35 UK GDPR (the “DPIA Infringement”),

together, the “Infringe

Entities

MediaLab.AI, Inc. (vendor)
Imgur (product)