This post is also available in:
עברית (Hebrew)
Online platforms face growing pressure to protect minors from harmful content and unlawful data processing. A central challenge is verifying users’ ages in a way that is both effective and proportionate. Relying solely on self-declared dates of birth has increasingly come under scrutiny from regulators who argue that such measures are easily bypassed.
The UK’s Information Commissioner’s Office (ICO) has imposed a £14.5 million fine on Reddit after concluding that the platform’s age verification approach failed to meet legal standards. According to the regulator, the company largely depended on users stating their own age during account creation, without additional safeguards in place where risks to children were present.
According to Cyber News, the ICO found that although the platform’s terms prohibited users under 13, the restriction was not actively enforced until July 2025, when changes were introduced to comply with the Online Safety Act. The regulator also determined that a required Data Protection Impact Assessment (DPIA), which was intended to assess risks associated with processing children’s data, was not completed before January 2025. Under UK GDPR rules, such assessments are mandatory when processing poses a high risk, particularly to minors.
Because of these shortcomings, the ICO concluded that children’s personal data was collected and processed without an adequate legal basis or sufficient protective measures. The fine, the largest issued by the authority in relation to children’s privacy, took into account factors including company turnover, the duration of the failings and the number of children potentially affected.
The decision forms part of a broader regulatory focus on platforms that rely primarily on self-declaration for age verification. The ICO’s Age Appropriate Design Code sets out standards for services likely to be accessed by under-18s, requiring them to implement effective safeguards.
From a homeland security and digital governance perspective, the ruling underscores the increasing regulatory expectation for robust identity and age assurance mechanisms. As online platforms handle large volumes of personal data, particularly from minors, stronger verification frameworks are likely to become a baseline requirement rather than an optional safeguard.
