Reddit's £14.47M Fine Shows Platforms Still Can't Verify Who's a Kid

By Viallo Team

Quick take: The UK's Information Commissioner's Office fined Reddit £14.47 million for failing to protect children's personal data. Reddit relied on users simply typing in their age - no verification, no safeguards, no data protection impact assessment. Kids under 13 had their data collected and used in ways they couldn't understand or consent to. It's the largest fine the ICO has ever issued for children's privacy, and it's a warning for every platform that handles photos, messages, or personal data from users who might be minors.

What the ICO found

On February 24, 2026, the UK Information Commissioner's Office announced a £14.47 million fine against Reddit. The investigation found that Reddit failed to implement effective age assurance mechanisms. The platform's only check was self-declaration - users typed in a birth date during signup, and Reddit accepted whatever they entered.

There was no follow-up verification. No ID checks. No behavioral analysis. No age-estimation technology. A 10-year-old could enter "1990" as their birth year and Reddit would treat them as a 36-year-old adult. The ICO found this was insufficient for protecting children, especially given that Reddit hosts content ranging from educational discussions to graphic material.

The investigation also found that Reddit had not carried out a data protection impact assessment to evaluate risks to children before January 2025. Under GDPR and the UK's Age Appropriate Design Code, platforms are required to assess and mitigate risks to children's data. Reddit simply hadn't done it.

Why "just type your age" doesn't work

Self-declaration is the most common age gate on the internet, and it's effectively useless. Every study on the topic reaches the same conclusion: kids lie about their age online. A 2023 Ofcom study found that one in three children aged 8-17 had provided a false age to access platforms or content.

The problem isn't that platforms don't know this. They do. Self-declaration persists because it's cheap to implement and creates plausible deniability. If a user says they're 18, the platform can claim it had no way of knowing otherwise. The ICO is now explicitly rejecting this defense.

Real age assurance requires actual effort: age estimation using facial analysis (Apple does this for some features), ID document verification, parental consent flows, or behavioral signals that flag accounts likely belonging to minors. None of these are perfect, but all of them are better than a text field that accepts any number.

Reddit isn't the only one

This fine is part of a broader pattern. Regulators worldwide are losing patience with platforms that collect children's data without adequate protections:

  • TikTok was fined €345 million by the Irish DPC in 2023 for children's privacy violations, including making children's accounts public by default.
  • Instagram received a €405 million fine from the Irish DPC for exposing children's email addresses and phone numbers through business accounts.
  • YouTube paid $170 million in 2019 to settle FTC charges that it collected children's data without parental consent.
  • Epic Games paid $520 million in 2022 for FTC violations related to children's privacy and deceptive design in Fortnite.

The fines keep growing, but the underlying problem remains: most platforms are designed for adults and then retroactively patched to address children's presence. The architecture doesn't change. The data collection doesn't change. A few safeguards get bolted on after regulators force the issue.

What this means for photo sharing

Photo platforms occupy a unique position in the children's privacy conversation. Family photos - birthdays, school events, holidays - are some of the most sensitive content involving minors. And photo sharing inherently involves distributing images of children to other people.

Most major photo platforms have the same age verification approach as Reddit: self-declaration during signup. Google Photos requires a Google account (minimum age 13 in most countries, but enforcement is self-declaration). iCloud requires an Apple ID with the same limitation. Social media platforms where photos are shared - Instagram, Facebook, TikTok - all rely primarily on self-declared age.

The Reddit fine establishes a clear principle: self-declaration alone is not sufficient. For photo platforms, this has specific implications. If a platform collects photos of children - whether uploaded by the children themselves or by parents - and doesn't have adequate age assurance and data protection measures, it's at risk of the same regulatory action Reddit is facing.

What good children's data protection looks like

The UK's Age Appropriate Design Code (also called the Children's Code) sets out 15 standards that online services must follow. The ones most relevant to photo platforms:

  • Data minimization. Only collect what you actually need. If a platform collects GPS coordinates, device identifiers, browsing patterns, and behavioral data from accounts that might belong to children, that's a problem.
  • High privacy by default. Children's accounts should have the most restrictive privacy settings by default. No public profiles. No discoverability. No data sharing with third parties.
  • No profiling. Platforms shouldn't use children's data for profiling or targeted advertising. This includes using photo metadata, viewing patterns, or engagement data to build behavioral profiles.
  • Transparency appropriate for the audience. Privacy policies written for lawyers don't count. If children use the service, the privacy information needs to be understandable by children.

For private photo sharing, the simplest approach is also the most compliant: don't collect unnecessary data in the first place. Viallo doesn't run AI on photos, doesn't build behavioral profiles, doesn't sell advertising, and doesn't require children to create accounts to view shared albums. When grandma shares a link to baby photos, the recipient clicks the link and sees the photos. No signup, no data collection, no tracking.

What parents can do now

While regulators work on enforcement, parents can take practical steps to protect their children's data:

  • Audit your kids' accounts. Check what platforms your children use and what data those platforms collect. Many platforms provide data download tools - use them to see exactly what's been collected.
  • Use private sharing for family photos. Instead of posting children's photos on social media or platforms with weak age controls, use private link-based sharing. Recipients don't need accounts, and the photos aren't indexed or discoverable.
  • Check privacy settings. On every platform your child uses, set accounts to private, disable discoverability, and turn off any features that share data with third parties.
  • Delete unused accounts. Old accounts on platforms your children no longer use still hold their data. Request deletion under GDPR or the platform's data deletion process.

Frequently Asked Questions

Why was Reddit fined £14.47 million?

The UK Information Commissioner's Office found that Reddit failed to implement adequate age verification, relying only on users self-declaring their age. This meant children under 13 had their personal data collected without proper consent or protections. Reddit also failed to conduct a data protection impact assessment for children's data.

What is the Age Appropriate Design Code?

It's a UK regulation (also called the Children's Code) that sets 15 standards for how online services should handle children's data. Key requirements include high privacy settings by default, data minimization, no behavioral profiling, and age-appropriate transparency. It applies to any service likely to be accessed by children in the UK.

Do photo sharing platforms need to verify users' ages?

Under the Children's Code and GDPR, platforms need "age-appropriate" measures to identify likely child users. Self-declaration alone is no longer considered sufficient. The specific requirements depend on the jurisdiction and the nature of the service, but the direction is clear: regulators expect more than a birthday field.

How does Viallo handle children's data?

Viallo is designed for private photo sharing where recipients don't need accounts. When someone shares a photo album via link, viewers access photos without signing up or providing any personal data. This minimizes data collection from all users, including children, by default.

Is Reddit appealing the fine?

Yes. Reddit told Euronews it intends to appeal the ICO's decision. The appeal process could take months. Regardless of the outcome, the fine signals that regulators are increasingly willing to impose significant penalties for inadequate children's data protection.