ICO hits Reddit with £14.5M fine for not implementing robust age assurance

UK regulator Ofcom has taken plenty of heat for the perception that it’s not coming down hard enough in enforcing the Online Safety Act (OSA) and related Children’s Codes. While it continues to issue fines to noncompliant pornographic websites, new enforcement measures by the Information Commissioner’s Office (ICO) suggest that the privacy regulator is the entity primed to make the biggest punitive impact – at least on a financial level.

To wit: the ICO has fined Reddit 14.47 million pounds (about $19.55 million) after finding the company failed to use children’s personal information lawfully, according to a release. Citing “serious failures in age assurance under UK data protection law,” the ICO says the popular online message board “failed to apply any robust age assurance mechanism and therefore did not have a lawful basis for processing the personal information of children under the age of 13.” Moreover, it “failed to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children before January 2025.”

As such, according to the law, Reddit was using children’s data unlawfully, and putting them at risk of encountering harmful content.

UK Information Commissioner John Edwards has some stern words for Reddit and its peers.

“Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place.”

“Relying on users to declare their age themselves is not enough when children may be at risk and we are focusing now on companies that are primarily using this method. I therefore strongly encourage industry to take note, reflect on their practices and urgently make any necessary improvements to their platforms.”

Earlier this month, the ICO fined MediaLab, which runs the image hosting and sharing platform Imgur, £247,590 (about $334,595) for failing to use children’s personal information lawfully, in breach of the UK GDPR.

Lusty doles out tough love with £1.35M spanking for porn firm

Ofcom, meanwhile, continues to try and satisfy its promise to prosecute all violators of the OSA equally. Its latest target is 8579 LLC, which runs several pornographic websites of sufficient size to warrant scrutiny.

The regulator has issued the company a fine of £1.35 million ($1.82 million) for failing to comply with age check requirements. “The company must immediately implement highly effective age assurance or face a daily penalty of £1,000 ($1350),” says a release.

8579 LLC also gets a £50,000 fine ($67,570) for failing to answer an information request, and a daily penalty of £250 ($338) until it responds, or for 60 days, whichever is sooner.

The porn company, which is not based in the UK but otherwise hails from parts unknown thanks to hidden IP addresses, was among the first batch of firms to feel Ofcom’s whip after the OSA’s age verification measures took effect in July 2025.

Earlier this month, Ofcom slapped a fine of £800,000 (roughly $1.1 million) on Kick Online Entertainment SA, also from the first cohort of porn sites to get probed.

George Lusty, director of enforcement for Ofcom, says “we’ve been clear that adult sites must deploy robust age checks to protect children in the UK from seeing porn. Those that fail to do this – or ignore legally binding requests from us – should expect to face fines.”

Article Topics

age verification  |  Information Commissioner’s Office (ICO)  |  Ofcom  |  Online Safety Act  |  Reddit