THREATNOIR
Subscribe
Back to Feed
UK Data ProtectionMar 25, 2026

ICO (UK) - Reddit, Inc

UK ICO fines Reddit £14.5M for unlawful processing of children's personal data.

Read at source

Summary

The UK Information Commissioner's Office (ICO) issued a £14,472,500 fine to Reddit, Inc. for breaching UK GDPR Articles 5, 6, and 8 by processing personal data of children under 13 without parental consent and failing to implement age verification between May 2018 and July 2025. Reddit also failed to conduct required data protection impact assessments for children's data processing. The violations included unfair and non-transparent processing, absence of valid legal basis, and inadequate safeguards for minors on the platform.

Full text

Help ICO (UK) - Reddit, Inc: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 12:34, 20 March 2026 view sourceDt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators241 edits Tag: submission [1.0] Latest revision as of 08:35, 25 March 2026 view source Mba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators887 editsm Tag: Visual edit Line 83: Line 83: The DPA found that the controller breached Article 5(1)(a) UK GDPR by processing the personal data of children under 13 years old on the Platform unlawfully since the processing activities were not fair or transparent and none of the legal bases under Article 6(1) UK GDPR applied. The DPA found that the controller breached Article 5(1)(a) UK GDPR by processing the personal data of children under 13 years old on the Platform unlawfully since the processing activities were not fair or transparent and none of the legal bases under Article 6(1) UK GDPR applied. The DPA also held that the controller could not rely on consent under Article 6(1)(a) as a lawful basis for processing the personal data of children under 13 years old on the Platform as it breached Article 8 UK GDPR which required that consent was given or authorised by the holder of parental responsibility. The DPA also held that the controller could not rely on consent under Article 6(1)(a) UK GDPR as a lawful basis for processing the personal data of children under 13 years old on the Platform as it breached Article 8 UK GDPR which required that consent was given or authorised by the holder of parental responsibility. Finally, the DPA found that the controller failed to carry out a data protection impact assessment in accordance with Article 35(1) UK GDPR in respect of the processing of the personal data of children under 18 years old in the context of the provision of an online service. Finally, the DPA found that the controller failed to carry out a data protection impact assessment in accordance with Article 35(1) UK GDPR in respect of the processing of the personal data of children under 18 years old in the context of the provision of an online service. Latest revision as of 08:35, 25 March 2026 ICO - Reddit, Inc Authority: ICO (UK) Jurisdiction: United Kingdom Relevant Law: Article 35 UK GDPRArticle 5(1)(a) UK GDPRArticle 6 UK GDPRArticle 8 UK GDPR Type: Investigation Outcome: Violation Found Started: Decided: 23.02.2026 Published: Fine: 14,472,500 GBP Parties: Reddit, Inc National Case Number/Name: Reddit, Inc European Case Law Identifier: n/a Appeal: Unknown Original Language(s): English Original Source: ICO (in EN) Initial Contributor: dt The DPA fined Reddit £14,472,500 (approximately €16,756,188) for processing children’s personal data unlawfully, failing to obtain consent from parents for the processing of personal data of children under 13 years old and failing to carry out a data protection impact assessment. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Reddit, Inc. (the controller) operates the online website and mobile application Reddit (the Platform), a social news, discussion and content rating platform. Between May 2018 and July 2025, the controller had no form of age assurance that users were required to pass through in order to access the Platform. Users with an account were asked to declare whether they were over 18 years old without any age verification. Furthermore, for personal data processing via advertising and analytics cookies for children under 13 years old, the controller did not ensure that the holder of parental responsibility gave consent. In addition, between May 2018 and January 2025, the controller did not conduct any data protection impact assessment in relation to the processing of children’s personal data. Holding The DPA found that the controller breached Article 5(1)(a) UK GDPR by processing the personal data of children under 13 years old on the Platform unlawfully since the processing activities were not fair or transparent and none of the legal bases under Article 6(1) UK GDPR applied. The DPA also held that the controller could not rely on consent under Article 6(1)(a) UK GDPR as a lawful basis for processing the personal data of children under 13 years old on the Platform as it breached Article 8 UK GDPR which required that consent was given or authorised by the holder of parental responsibility. Finally, the DPA found that the controller failed to carry out a data protection impact assessment in accordance with Article 35(1) UK GDPR in respect of the processing of the personal data of children under 18 years old in the context of the provision of an online service. Therefore, the DPA fined the controller £14,472,500 (approximately €16,756,188). Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the English original. Please refer to the English original for more details. PENALTY NOTICE REDDIT , NC. 23 February2026TABLE OF CONTENTS I. INTRODUCTION AND SUMMARY .................................................3 II. RELEVANT LEGAL FRAMEWORK ................................................11 III. BACKGROUND TO THE INFRINGEMENTS ...................................12 (1) The Children’s Code and the background to the Investigation ...12 (2) The In vestigation.....................................................................14 (3) Background to Reddit...............................................................18 (4) Summary of the services provided by Reddit’s Platform............20 (5) Potentially harmful content on the Platform .............................22 (6) Reddit’s processing of personal data ........................................22 (7) Child users of Reddit ................................................................27 (a) Reddit’s Privacy Policy and User Agreement .......................27 (b) The number of children using Reddit in the UK....................30 (c) Reddit’s approach to age-gating.........................................37 IV. FINDINGS OF INFRINGEMENT ..................................................39 (1) The Relevant Periods ...............................................................41 (2) Reddit’s status as a controller ..................................................41 (3) Scope of the UK GDPR and DPA ................................................42 (a) Material scope....................................................................42 (b) Territorial scope.................................................................43 (4) Specific protections required for children .................................45 (5) Infringement of Articles 5(1)(a), 6 and 8 UK GDPR...................47 (a) Legal framework................................................................49 (b) Reddit’s stated position......................................................51 (c) Findings on lawfulness, fairness and transparency: Article 5(1)(a) UK GDPR.........................................................................56 (d) Findings on consent: Article 6(1)(a) and Article 8 UK GDPR 60 (e) Findings on contractual necessity: Article 6(1)(b) UK GDPR 65 (f) Findings on legitimate interests: Article 6(1)(f) UK GDPR ...70 (g) Concl usion on Article 5(1)(a) UK GDPR...............................96 (6) Infringement of Article 35 UK GDPR .........................................96 (a) Legal framework................................................................96 (b) Findings on Article 35 UK GDPR..........................................99 V. DECISION TO IMPOSE A PENALTY .......................................... 111 (1) Legal fram ework: penalty notices..................................... 111 1 (2) Reddit’s overarching submission t