The ICO has recently issued two significant enforcement actions against MediaLab.AI, Inc. (Imgur) and Reddit, both centred on unlawful processing of children’s data and weak or non‑existent age‑assurance controls. Together, these fines send a powerful message: platforms can no longer turn a blind eye to children using their services.
The MediaLab / Imgur Fine
The ICO fined MediaLab £247,590 for unlawfully processing children’s data and failing to introduce even basic protections. The ICO’s investigation found that, between September 2021 and September 2025, children could freely access Imgur without age checks, parental consent, or robust risk assessments, despite the presence of sensitive content..
What went wrong at MediaLab
1. No age verification
MediaLab had no mechanism to identify user ages, leaving children exposed to high‑risk content.
2. Unlawful processing of under‑13s’ data
Under UK GDPR, parental consent is required for online services directed at or used by under‑13s. Imgur claimed parental supervision was required but provided no mechanism to obtain parental consent.
3. No Data Protection Impact Assessment (DPIA)
MediaLab failed to assess or mitigate the risks posed to children by user‑generated content.
The Reddit Fine: A larger penalty for the same core issues
Shortly after the Imgur fine, the ICO fined Reddit £14.47 million — the largest children’s privacy fine to date — again for failing to implement meaningful age‑assurance measures and unlawfully processing the data of under‑13s.
The ICO found that a large number of under‑13s were using Reddit and that Reddit:
- Had no robust age‑assurance mechanism until July 2025, relying primarily on user self‑declaration (easy for children to bypass).
- Had no lawful basis for processing under‑13s’ personal data.
- Failed to carry out a DPIA on risks to children before January 2025.
The ICO stressed that self‑declared age prompts do not meet UK data‑protection standards and continue to present risks to children.
Why these fines matter
Children’s personal data determines what content they are exposed to. Without meaningful age checks:
- Algorithms can amplify harmful material.
- Children can be profiled for ads or content they should never encounter.
- They may be exposed to adult themes, violence, and online grooming risks.
These failures run directly counter to the Age‑Appropriate Design Code, which requires services likely to be accessed by children to adopt high‑privacy defaults and prioritise children’s wellbeing.
Key takeaways for organisations
The ICO has now fined two major platforms in the same month for nearly identical failings:
- No meaningful age assurance
- Unlawful processing of under‑13s’ data
- Missing or inadequate DPIAs
The ICO has been explicit that this is part of a wider strategic intervention to force digital platforms to improve their treatment of children’s data, particularly those relying on self‑declared age.
If platforms wish to operate in the UK, they must demonstrate they can protect children — and regulators will continue escalating enforcement where they do not.
If children might use your service, you must:
- Know their age using proportionate and effective age‑assurance measures.
- Build child‑safety into your design, including safe defaults and minimised data use.
- Obtain verifiable parental consent for under‑13s.
- Complete robust DPIAs that identify and mitigate risks to children.
These are not optional: they are strict legal requirements, backed by increasingly assertive enforcement.
How Hope & May Can Help
If you want to strengthen your approach to:
- Children’s data
- DPIAs and risk assessments
- UK GDPR or Children’s Code compliance
Hope & May offers outsourced DPO services with practical, hands‑on expertise to help you meet regulatory expectations and implement real safeguards.
To find out more contact us below
