Reddit's £14.47m Fine: A Wake-Up Call for Every Organisation Processing Children's Data
On 24 February 2026, the UK Information Commissioner's Office (ICO) issued Reddit with a £14.47 million fine, the largest penalty ever issued under its children's privacy enforcement programme. The reasons are stark and instructive: no robust age assurance mechanism, no lawful basis for processing children's data, and no Data Protection Impact Assessment (DPIA) conducted before January 2025. The result? A large number of children under 13 exposed to content they could not understand, consent to, or control.
What Went Wrong at Reddit?
Despite prohibiting under-13s in its terms of service, Reddit failed to enforce this with any meaningful technical safeguard. The platform processed children's personal data for years without a lawful basis, a breach of Articles 5, 6, 8 and 35 of the UK GDPR. Even when age verification measures were introduced in July 2025, the ICO deemed self-declaration insufficient, warning that it is far too easy to bypass. The fine took into account the number of children affected, the degree of potential harm, the duration of the failings, and Reddit's global turnover.
Why This Matters for Your Organisation
The Reddit case is not an outlier; it is part of a deliberate and expanding ICO enforcement strategy. The regulator is actively monitoring at least 17 platforms popular with UK children, including Discord, Pinterest, and X. If your organisation offers any service that could be accessed by children, the Children's Code requirements apply to you. That means robust age assurance, DPIAs completed before processing begins, and a demonstrable commitment to children's best interests by design.
How Privacy Culture Can Help
At Privacy Culture, we equip organisations to get ahead of exactly these challenges, not scramble to catch up after a fine. Our platform and services directly address the gaps that led to Reddit's downfall:
- Operational Assessments (DPIA/LIA): We guide your teams through mandatory DPIAs before processing commences, ensuring your risk assessments are proportionate, documented, and defensible.
- Privacy Risk & KPI Management: Proactively identify and track risks relating to children's data and age assurance controls with real-time visibility across your organisation.
- Privacy Training: Role-specific and organisation-wide training ensures your teams understand their obligations under the UK GDPR and the Children's Code.
- DPO as a Service (DPOaaS): Expert Data Protection Officer support to provide strategic oversight and regulatory confidence, without the cost of a full-time hire.
- ROPA & Third Party Assessments: Maintain a comprehensive record of processing activities and scrutinise third-party suppliers who touch children's data.
- Maturity & Benchmarking: Understand where your privacy programme stands today, and measure progress against industry standards before the regulator comes knocking.
The ICO has made its intent clear. Enforcement is broadening, fines are significant, and self-declaration is no longer an acceptable standard. The question is not whether regulators will look at your organisation - it is whether you will be ready when they do.
Is your organisation prepared for children's data scrutiny? Speak with Privacy Culture today.