The UK ICO did not fine Reddit for a missing cookie banner. It fined the company for failing to know who was under thirteen while still running a service that children could reach. That distinction is the whole story. Consent pop-ups and privacy policies never fixed the gap between “we prohibit under-13s” and “we had no robust way to enforce it until mid-2025.” Regulators are now scoring platforms on age assurance and design, not on paperwork.
Age Design Is the New Compliance Front Line
On 24 February 2026 the Information Commissioner’s Office announced a 14.47 million pound penalty against Reddit, Inc. for unlawful processing of children’s personal data. The ICO’s own statement lays out two structural failures: no robust age assurance mechanism, and no data protection impact assessment focused on children’s risks before January 2025. Reddit’s terms barred under-13s, but until July 2025 the ICO found no measures to check the age of users accessing the platform. That is not a consent-banner problem; it is a product-design and governance problem.
Legal analysis on kennedyslaw.com has already framed what the ICO’s decision means for children’s privacy in the UK: platforms that rely on self-declaration alone are on notice. The ICO told Reddit explicitly that relying on users to declare their age is easy to bypass and presents ongoing risks. kennedyslaw.com’s reading of the case aligns with the regulator’s emphasis on proportionate age assurance matched to the level of risk. In other words, the fine signals that “we asked users to tick a box” will not satisfy the Childrens Code when the service is likely to be accessed by under-18s.
The Register reported that Reddit intends to appeal, arguing that demanding more personal data collection conflicts with privacy principles. That tension will keep running through every enforcement wave: stronger age checks mean more data collection, yet weak checks mean under-13s on services that claim to exclude them. The ICO’s answer, repeated in its February 2026 release, is that companies must be confident they know the age of users and must implement effective assurance. kennedyslaw.com notes the co-authored commentary on the Reddit fine situates the penalty inside a broader UK push on children’s privacy, not as a one-off headline.
Why Brussels and Washington Will Read the Same File
Enforcement against a US-listed firm on UK soil rarely stays local. The ICO penalty follows a MediaLab fine over Imgur in the same month and sits inside a wider intervention on children’s personal information online. John Edwards, UK Information Commissioner, stated that Reddit failed its legal duty to protect UK children and that children under 13 had personal information collected and used in ways they could not understand, consent to, or control. That language is exportable: EU data protection authorities and US state AGs can cite the same factual pattern when arguing for stricter age gates or DPIA expectations.
The ICO’s December 2025 children’s code progress update already flagged self-declaration as an area of focus. Reddit’s July 2025 measures, including age declaration at account opening and verification for mature content, were deemed insufficient because self-declaration remains bypassable. Any platform still running that model is now looking at the Reddit fine as a template for what “not enough” costs in pounds and in reputational drag.
What This Actually Means
Product teams will be pushed past checkbox compliance into engineering and risk assessment. The ICO required a DPIA before January 2025 for a service that allowed 13- to 18-year-olds; Reddit had not carried one out focused on children’s risks. That omission is as actionable as the missing age gate. Expect more DPIAs, more age-assurance vendors, and more internal audits that ask not “did we show a banner?” but “can we prove we excluded under-13s?”
For readers, the practical upshot is simpler: the UK regulator is willing to levy eight-figure penalties when design and process fail children, not when a policy PDF is out of date. kennedyslaw.com’s analysis of the ICO decision underscores that children’s privacy in the UK is now being enforced through fines that reference duration of failings, number of children affected, potential harm, and global turnover. Reddit’s case is the clearest signal yet that age design, not consent theatre, is what will be tested in court and in the press.
How Does Self-Declaration Fail in Practice?
The ICO’s investigation found Reddit’s terms prohibited under-13s yet the company had no measures to check age until July 2025. Estimates indicated a large number of under-13s on the platform without a lawful basis for processing their data. Self-declaration at signup does not stop a child from typing an adult birth year; it does not stop shared devices; it does not stop parents handing over accounts. The regulator’s February 2026 narrative is that platforms must focus on preventing access and enforcing minimum age with robust methods. That shifts spend from legal copy to identity and risk tooling, and it makes every product manager responsible for how the under-18 flow actually behaves in the wild.
What Is the ICO Childrens Code?
Reddit’s appeal, if it proceeds, will test how far regulators can push age assurance before privacy advocates argue the cure is worse than the disease. Either way, the fine already does regulatory work: every board deck that still lists “age gating via self-report” as sufficient now has a counterexample priced at 14.47 million pounds and a public statement from John Edwards saying Reddit must do better. kennedyslaw.com’s breakdown of the ICO decision is explicit that the penalty is part of a wider ICO intervention, not an isolated swipe at one forum.
The Age appropriate design code, also called the Childrens Code, translates UK data protection law into design standards for online services likely to be accessed by under-18s. It expects children’s best interests in design and a high level of privacy by default. The ICO can take non-criminal enforcement including civil monetary penalties; Reddit’s 14.47 million pound fine reflects the scale of the infringement and the regulator’s priority on safeguarding children online. Platforms can either apply the full code protections to all users or use proportionate age assurance to tailor safeguards by age, but where under-13s are banned, the ICO expects robust methods to prevent access, not honour-system declarations alone.