The UK’s Information Commissioner’s Office (ICO) has issued a multimillion-pound fine to Reddit for GDPR non-compliance, but experts have warned that its rules pose a risk to user security and privacy.
The UK’s data protection regulator said on February 24 that its £14.47m ($19.6m) fine was levied for two main reasons.
First, Reddit failed to put “robust” age verification measures in place, which meant it did not have a lawful basis for processing the personal information of children under the age of 13.
Second, it failed to carry out a data protection impact assessment (DPIA) to assess and then mitigate risks to children on the platform before January 2025.
The fine took into account the large number of children using the site, the degree of potential harm caused, the duration of the failings and Reddit’s global turnover, the ICO said.
“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine,” said information commissioner, John Edwards.
“Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place.”
Reddit introduced age verification to access “mature content” in July 2025 and now asks users to state their age when opening an account, although the ICO noted that the latter is too easy to bypass.
Sympathy for Reddit
Reddit has defended its decision, saying in a statement that it “didn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety.”
Some experts agreed that intrusive age verification checks of the kind the ICO expects, like those already required for users of adult content sites, put user security and privacy at risk.
Paul Bischoff, consumer privacy advocate at Comparitech, said he hoped Reddit would stand firm.
“The problem with mandatory identity verification is that it places an undue burden of proof on the vast majority of people not suspected of any wrongdoing,” he added.
“It has a chilling effect on our freedoms and there's little evidence that it achieves its stated purpose. Parents need to take responsibility and stop shifting their burden onto private companies, the government, and the general public.”
Pieter Arntz, senior researcher at Malwarebytes, agreed that such checks potentially expose user data.
“Whether it’s facial age estimation relying on biometrics, open banking checks querying financial data, digital ID wallets adding new layers of infrastructure, or photo-ID matching concentrating high-value identity data, each approach introduces fresh privacy and security concerns,” he added.
“Even simpler methods, like credit card checks, email-based inference, or mobile network verification, raise issues around exclusion, profiling, or reliability.”
If the ICO supported “double-blind” verification, it could potentially allay these concerns, Arntz added.
“In this model, a trusted third party confirms a user’s age and issues a simple ‘18+’ (or similar) token to the relying site, without revealing the user’s identity or which service they are accessing,” he continued.
“This reduces data exposure, limits cross-service tracking, and avoids creating new honeypots of sensitive personal information, offering stronger privacy protections than most current approaches while still meeting regulatory objectives.”
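The double-blind model Arntz describes can be realised with a blind signature: the issuer attests “18+” on a value it cannot read, and the relying site checks the result with the issuer’s public key alone. The following Python is an added example written for this article; it is not code from Reddit, the ICO, Malwarebytes or any other party quoted here. It assumes a Chaum-style RSA blind signature as the mechanism and uses a constructed toy key built from two Mersenne primes and constructed dates of birth purely so the flow runs offline; a real issuer would use a properly generated key from a vetted library.

```python
import hashlib
import json
import math
import secrets
from datetime import date

# Toy issuer key, constructed for this example only (Mersenne primes are a
# terrible choice for real RSA; they just make the arithmetic verifiable here).
P = (1 << 61) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_digest(token_bytes):
    # Map the token to an integer below N (a 128-bit hash prefix is always < N here).
    return int.from_bytes(hashlib.sha256(token_bytes).digest()[:16], "big")


def user_make_token(claim="18+"):
    # The token carries only the age claim and a random nonce:
    # no name, no date of birth, no relying-site identifier.
    payload = {"claim": claim, "nonce": secrets.token_hex(16)}
    return json.dumps(payload, sort_keys=True).encode()


def user_blind(token):
    # Blind the digest with a random factor r so the issuer cannot recognise
    # the token later, even if it sees the token presented somewhere.
    m = token_digest(token)
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return blinded, r


def issuer_blind_sign(blinded, dob, today, min_age=18):
    # The issuer checks age from identity data it already holds (constructed
    # dates in this example) and signs the blinded value. It never sees the
    # token itself and never learns which service the token will be shown to.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age < min_age:
        return None
    return pow(blinded, D, N)


def user_unblind(blind_sig, r):
    # Removing r leaves an ordinary RSA signature over the token digest.
    return (blind_sig * pow(r, -1, N)) % N


def relying_site_verify(token, sig, claim="18+"):
    # Verification needs only the public key (N, E): no call back to the issuer,
    # so the issuer cannot build a record of where tokens are used.
    try:
        payload = json.loads(token)
    except ValueError:
        return False
    if payload.get("claim") != claim:
        return False
    return pow(sig, E, N) == token_digest(token)


def run_protocol(dob, today=date(2026, 2, 24)):
    # Full exchange: user -> issuer (blinded) -> user (unblind) -> relying site.
    token = user_make_token()
    blinded, r = user_blind(token)
    blind_sig = issuer_blind_sign(blinded, dob, today)
    if blind_sig is None:
        return token, None, False
    sig = user_unblind(blind_sig, r)
    return token, sig, relying_site_verify(token, sig)


if __name__ == "__main__":
    for dob in (date(2000, 1, 1), date(2015, 6, 1)):
        token, sig, accepted = run_protocol(dob)
        print(dob, "token:", token.decode(), "accepted:", accepted)
```

Two properties of the exchange are worth checking against Arntz’s description: the issuer only ever handles the blinded value, so it cannot link an issuance to a later presentation, and the relying site verifies offline, so the issuer never learns which service was accessed. What this toy does not address is replay of a captured token, which a deployed scheme would handle with short-lived tokens or single-use nonces tracked by the relying site.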
A Warning to Others
However, others were less sympathetic to Reddit’s cause.
Chris Linnell, associate director of data privacy at Bridewell, argued that when processing children’s data, a DPIA is simply not optional.
“It is a statutory requirement designed to force organizations to properly assess, document and mitigate risk before harm occurs. The absence of a robust DPIA suggests that the risks to children were not adequately identified or addressed at the outset,” he said.
“Equally, relying on terms and conditions to state that under-13s should not use the service is not, in itself, a protective measure. If no effective technical or operational controls are in place to enforce that rule, the organization cannot credibly argue that it has taken reasonable steps to prevent access. Compliance cannot sit solely in contractual wording; it must be reflected in practical safeguards.”
The Reddit fine comes just weeks after Imgur parent company MediaLab was fined over £247,000 for failing to use children’s information lawfully.
Linnell urged online service providers to avoid similar regulatory action by focusing on the basics, namely:
- Identify where children are likely to access your services – even if they are not your intended audience
- Conduct DPIAs for high-risk processing, with regular reviews
- Establish and document a lawful basis for processing children’s data
- Implement proportionate, effective controls rather than relying solely on policy statements
