THREATNOIR
Subscribe
Back to Feed
GDPRMar 20, 2026

ICO (UK) - Reddit, Inc

UK ICO fines Reddit £14.5M for unlawful processing of children's personal data without parental consent.

Read at source

Summary

The UK Information Commissioner's Office (ICO) issued a £14,472,500 fine to Reddit, Inc. for processing personal data of children under 13 without parental consent, failing to implement age verification mechanisms between May 2018 and July 2025, and neglecting to conduct data protection impact assessments. The violations breach Articles 5(1)(a), 6, 8, and 35 of the UK GDPR, which require lawful bases for processing, parental authorization for minors, and impact assessments for high-risk processing.

Full text

Help ICO (UK) - Reddit, Inc: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 12:34, 20 March 2026 view source Dt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators241 edits Tag: submission [1.0] (No difference) Latest revision as of 12:34, 20 March 2026 ICO - Reddit, Inc Authority: ICO (UK) Jurisdiction: United Kingdom Relevant Law: Article 35 UK GDPRArticle 5(1)(a) UK GDPRArticle 6 UK GDPRArticle 8 UK GDPR Type: Investigation Outcome: Violation Found Started: Decided: 23.02.2026 Published: Fine: 14,472,500 GBP Parties: Reddit, Inc National Case Number/Name: Reddit, Inc European Case Law Identifier: n/a Appeal: Unknown Original Language(s): English Original Source: ICO (in EN) Initial Contributor: dt The DPA fined Reddit £14,472,500 (approximately €16,756,188) for processing children’s personal data unlawfully, failing to obtain consent from parents for the processing of personal data of children under 13 years old and failing to carry out a data protection impact assessment. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Reddit, Inc. (the controller) operates the online website and mobile application Reddit (the Platform), a social news, discussion and content rating platform. Between May 2018 and July 2025, the controller had no form of age assurance that users were required to pass through in order to access the Platform. Users with an account were asked to declare whether they were over 18 years old without any age verification. Furthermore, for personal data processing via advertising and analytics cookies for children under 13 years old, the controller did not ensure that the holder of parental responsibility gave consent. In addition, between May 2018 and January 2025, the controller did not conduct any data protection impact assessment in relation to the processing of children’s personal data. Holding The DPA found that the controller breached Article 5(1)(a) UK GDPR by processing the personal data of children under 13 years old on the Platform unlawfully since the processing activities were not fair or transparent and none of the legal bases under Article 6(1) UK GDPR applied. The DPA also held that the controller could not rely on consent under Article 6(1)(a) as a lawful basis for processing the personal data of children under 13 years old on the Platform as it breached Article 8 UK GDPR which required that consent was given or authorised by the holder of parental responsibility. Finally, the DPA found that the controller failed to carry out a data protection impact assessment in accordance with Article 35(1) UK GDPR in respect of the processing of the personal data of children under 18 years old in the context of the provision of an online service. Therefore, the DPA fined the controller £14,472,500 (approximately €16,756,188). Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the English original. Please refer to the English original for more details. PENALTY NOTICE REDDIT , NC. 23 February2026TABLE OF CONTENTS I. INTRODUCTION AND SUMMARY .................................................3 II. RELEVANT LEGAL FRAMEWORK ................................................11 III. BACKGROUND TO THE INFRINGEMENTS ...................................12 (1) The Children’s Code and the background to the Investigation ...12 (2) The In vestigation.....................................................................14 (3) Background to Reddit...............................................................18 (4) Summary of the services provided by Reddit’s Platform............20 (5) Potentially harmful content on the Platform .............................22 (6) Reddit’s processing of personal data ........................................22 (7) Child users of Reddit ................................................................27 (a) Reddit’s Privacy Policy and User Agreement .......................27 (b) The number of children using Reddit in the UK....................30 (c) Reddit’s approach to age-gating.........................................37 IV. FINDINGS OF INFRINGEMENT ..................................................39 (1) The Relevant Periods ...............................................................41 (2) Reddit’s status as a controller ..................................................41 (3) Scope of the UK GDPR and DPA ................................................42 (a) Material scope....................................................................42 (b) Territorial scope.................................................................43 (4) Specific protections required for children .................................45 (5) Infringement of Articles 5(1)(a), 6 and 8 UK GDPR...................47 (a) Legal framework................................................................49 (b) Reddit’s stated position......................................................51 (c) Findings on lawfulness, fairness and transparency: Article 5(1)(a) UK GDPR.........................................................................56 (d) Findings on consent: Article 6(1)(a) and Article 8 UK GDPR 60 (e) Findings on contractual necessity: Article 6(1)(b) UK GDPR 65 (f) Findings on legitimate interests: Article 6(1)(f) UK GDPR ...70 (g) Concl usion on Article 5(1)(a) UK GDPR...............................96 (6) Infringement of Article 35 UK GDPR .........................................96 (a) Legal framework................................................................96 (b) Findings on Article 35 UK GDPR..........................................99 V. DECISION TO IMPOSE A PENALTY .......................................... 111 (1) Legal fram ework: penalty notices..................................... 111 1 (2) Reddit’s overarching submission that the Commissioner should exercise his discretion not to impose a penalty in the circumstances of this case......................................................... 114 (3) Seriousness of the Infringements..................................... 115 (4) Relevant aggravating or mitigating factors ....................... 131 (5) Effectiveness, proportionality and dissuasiveness............. 141 (6) The Commissioner’s conclusion on whether to impose a penalty...................................................................................... 142 VI. CALCULATION OF THE PENALTY ............................................. 142 (1) Statutory Maximum Penalty ............................................. 143 (2) Step 1: Assessment of the seriousness of the Infringements 148 (3) Step 2: Accounting for turnover........................................ 149 (4) Step 3: Calculation of the starting point............................ 150 (5) Step 4: Adjustment to take into account any aggravating or mitigating factors...................................................................... 151 (6) Step 5: Adjustment to ensure the fine is effective, proportionate and dissuasive..................................................... 153 (7) Conclusion: Penalty.......................................................... 160 VII. FINANCIAL HARDSHIP ........................................................160 VIII. PAYMENT OF THE PENALTY..................................................161 ANNEX 1.........................................................................................163 ANNEX 2.........................................................................................166 ANNEX 3.........................................................................................188 2 DATA PROTECTION ACT 2018 (PART 6, SECTION 155) ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER PENALTY NOTICE To: Reddit, Inc. Of: 548