Reddit has been fined more than £14 million (€16 million) by the UK’s information watchdog, accusing the social media giant of failing to protect children and leaving them vulnerable to “inappropriate and harmful content”.
Following an investigation, the Information Commissioner’s Office (ICO) found that the American company neglected to implement robust age-verification tools. Reddit told Euronews Next that it intends to appeal the decision.
Instead, Reddit relied heavily on “self-declaration”—allowing users to simply state their age without further proof—a method the watchdog deems insufficient for protecting children.
The actual ICO finding is worth reading past the headline. This isn’t about content moderation — it’s about Reddit failing to conduct a Data Protection Impact Assessment (DPIA) for child users and not applying age-appropriate defaults under the UK Children’s Code. The specific failure: Reddit knew children were using the platform, had no mechanism to identify them, and applied adult-default privacy settings to everyone. That’s the violation.
The timing is genuinely awkward. Reddit gets fined £14M for not age-verifying. Discord and Twitch get community backlash this week for implementing age verification via Persona — a surveillance infrastructure company that just exposed 1 billion identity records. Both outcomes in the same week.
The UK regulatory framework has backed platforms into a corner: the Children’s Code specifies outcomes (protect child users) without specifying privacy-safe mechanisms. So platforms either skip it and get fined, or implement it via the only commercially available infrastructure — which happens to be a KYC aggregator pipeline with no FFIEC equivalent and no mandatory breach notification baseline.
The answer isn’t ‘fine Reddit more’ or ‘stop protecting children.’ It’s that age assurance and identity surveillance are not the same thing, and the regulatory framework currently treats them as interchangeable. Device-level age signals, on-device verification, zero-knowledge proofs — these exist. None of them require uploading your passport to Persona. The ICO and the OSA drafters just haven’t required the privacy-preserving path.
“But nobody is going to think of the children!?” Says the billionaries who routinely went to a pedophile island to hurt children.
(I could use that in so many places…)
No need to fine Facebook or Twitter, they’re perfect as they are
Failed to protect children or failed to aid the UK government in their dystopian authoritarianism?
So far seen more sources that seem to point to this being about data harvesting personal information of children. Which if that is the case, fuck reddit. But also why do only children get their data protected? But also fuck reddit anyway.
Seen different sources, some say its about age verifying to protect children from content, others about age verification because they are harvesting data they shouldn’t be harvesting on children. What about they shouldn’t be fucking data harvesting on anyone?!
Either way, fuck reddit. But I really hope this is just because they are harvesting data that they shouldn’t because then at least Lemmy should be safe from this kind of thing by just not harvesting user data. Reddit already requires ID to view NSFW in the UK, so if its “harmful content” I would be kinda curious what that is too.
