The last two weeks have seen a flurry of activity in the UK concerning the processing of children’s data by certain online services. Not only have we seen the government launch a pilot including blocks, time limits and curfews, but we also saw the ICO and Ofcom publish a joint position paper on age assurance and 4chan receive a fine for enabling child access to pornography.
Of particular interest was the ICO’s release of its full monetary penalty notice in relation to the £14.7 fine it imposed on Reddit for children’s privacy failures. The 200-page notice provides some helpful insight into what the ICO considers “robust” age assurance, and the renewed focus on restrictions on access by children to services where they are younger than the limit set in the service terms. A few key takeaways below:
- Age assurance required for adult content: Reddit operated its platform from May 2018 until July 2025 with no meaningful age verification at sign-up or access and only required self-verification in order to access NSFW (not safe for work) content. The ICO found that, as a result, children were exposed to potentially harmful adult content. Reddit has now introduced verification by uploading ID or by uploading a selfie to access NSFW content. This part is unlikely to be a surprise to companies given the Online Safety Act requirements, but the fine covers a period predating that. Remedial measures introduced by Reddit after the investigatory period, or driven by OSA compliance rather than proactive data protection steps, were afforded neutral mitigating value.
- Restricting age in terms insufficient: Reddit argued that U13s were prohibited from the platform (as set out in its terms) and represented only approximately 1% of its user base, and that the platform was not designed to appeal to children generally. The ICO rejected both submissions, noting that the absolute number of children affected was substantial and that U13s were foreseeably and actually accessing the platform in significant numbers. The terms also clearly permitted child users over the age of 13.
- Legitimate interest is not enough: The ICO found that, accordingly, Reddit had no legitimate interest in processing data of users its own terms restricted from the services. The processing was not necessary for any service offered to those users and, in any event, the fundamental rights and freedoms of U13s overrode any legitimate interest. Readers may recall that the ICO imposed a similar fine in 2023, in which it said that consent and performance of a contract were not appropriate legal bases for processing data of underage users, but was silent on legitimate interest.
- DPIAs are a must: Reddit was sanctioned for not having a data protection impact assessment in place relating to children’s data processing. A reminder that this is a must for online services under the UK Age Appropriate Design Code.