The Information Commissioner’s Office (ICO) has fined Reddit £14.47 million for failing to protect children’s personal data properly.
According to the ICO, Reddit:
- Allowed under-13s onto the platform without effective age assurance
- Processed children’s personal data without a lawful basis
- Failed to properly assess risks to children before using their information
You can read the full ICO announcement here:
The regulator’s message is straightforward: if your service is likely to be accessed by children, you must know their age and you must protect their personal data properly. Simply asking someone to type in their date of birth is not enough.you must understand their age and you must protect their personal data properly. Simply asking someone to type in their age is not enough.
What this means for children’s activity providers
If you run clubs, classes, camps, tutoring, coaching or online groups for children, this applies to you.
Children’s data protection in the UK requires:
- A clear lawful basis for processing children’s personal data
- Extra care with medical or special category information
- A proper Data Protection Impact Assessment (DPIA) where risk is higher
- Systems that actively reduce risk — not just policies sitting in a folder
And if you’re a Virtual Assistant supporting a children’s provider, this applies to you too. If you manage booking systems, payment platforms, email lists, photo storage or online groups, you are handling children’s data.
The ICO is actively enforcing in this area. The Reddit fine shows that regulators expect organisations to take children’s data protection seriously — and to be able to prove what they’ve done.
If you work with children’s data and you’re not completely confident your systems meet UK GDPR requirements, now is the time to check.
You can read more about our GDPR support here:
Or talk to us. We can help you review your systems before the ICO does.
