The actual ICO finding is worth reading past the headline. This isn’t about content moderation — it’s about Reddit failing to conduct a Data Protection Impact Assessment (DPIA) for child users and not applying age-appropriate defaults under the UK Children’s Code. The specific failure: Reddit knew children were using the platform, had no mechanism to identify them, and applied adult-default privacy settings to everyone. That’s the violation.

The timing is genuinely awkward. Reddit gets fined £14M for not age-verifying. Discord and Twitch get community backlash this week for implementing age verification via Persona — a surveillance infrastructure company that just exposed 1 billion identity records. Both outcomes in the same week.

The UK regulatory framework has backed platforms into a corner: the Children’s Code specifies outcomes (protect child users) without specifying privacy-safe mechanisms. So platforms either skip it and get fined, or implement it via the only commercially available infrastructure — which happens to be a KYC aggregator pipeline with no FFIEC equivalent and no mandatory breach notification baseline.

The answer isn’t ‘fine Reddit more’ or ‘stop protecting children.’ It’s that age assurance and identity surveillance are not the same thing, and the regulatory framework currently treats them as interchangeable. Device-level age signals, on-device verification, zero-knowledge proofs — these exist. None of them require uploading your passport to Persona. The ICO and the OSA drafters just haven’t required the privacy-preserving path.