Children under 13 are being allowed onto Reddit’s forums where often adult discussions take place.
An investigation uncovered multiple failings to provide comprehensive age verification measures right across the platform. Whilst one technology provider partners with Reddit for age verification, they do not provide all identity services proportional to the amount of open forums, where anyone including children can have different discussions.
Reddit’s fine of £14.47m was unnecessary, some experts have said, had they fulfilled all of the safety obligations to protect children’s personal information and blocked them from the platform. They failed to apply robust age assurance mechanisms and did not have grounds for possessing the personal information of children under the age of 13.
Moreover, checks were overlooked including carrying out a data protection impact assessment to mitigate the risks to children before January 2025.
Several experts have waded in commenting on how avoidable this crisis is for a company of this size that would have very reasonable costs to undergo the regulator-approved certification process under the UK GDPR. The investment to certify as an identity provider would have been well within their resources.
Children can declare their age when opening an account, bypassing good intended measures including the point of age verification which they implemented in July 2025. Despite warnings about how easy it is to bypass, the concerning lack of legal duty that Reddit has shown flags this company for a review into their possession and use of children’s personal information.
“Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today’s fine”.
“Let me be clear. Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they’re not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place”.
