Are online platforms failing children? The UK’s stance on online privacy
Child protection issues originating from online platforms have once again hit the media spotlight. The Information Commissioner’s Office (ICO) has made children’s privacy online a top priority over the last few years. This is part of a wider UK initiative to improve the safety of children’s personal information across digital services.
What is the law?
Under the UK GDPR, even though obligations relating to adults’ personal data are very strict, organisations have more stringent protection obligations when handling children’s personal data. As with adults’ data, an organisation must identify a lawful basis for processing children’s personal data, and where it seeks to rely on consent as this lawful basis, UK GDPR imposes a much higher threshold. For online platforms which offer services directly to children under 13, this means seeking verifiable parental consent and ensuring that such a request is presented in clear, age-appropriate language.
The Online Safety Act 2023 (OSA) has also imposed tighter regulations for online services that are likely to be accessed by children. The key feature of the OSA reflects a broader shift to proactive preventative measures. Platforms must now implement age-verification measures to establish which of their users are children before granting access to features or content that may pose risks. The ICO has recently highlighted that a platform can no longer rely on self-declaration alone to verify the age of a user. In addition, where it is likely that a child will access a platform or online service, a Data Protection Impact Assessment (DPIA) must be carried out to identify risks to children arising from the processing of their data.
What are the consequences?
The recent ICO fine against Reddit, Inc (Reddit) illustrates the serious consequences of failing to comply with child‑data protection laws. The ICO found that Reddit was in breach of its data processing obligations by using children’s personal information unlawfully. This decision focused on a number of key points, notably that Reddit:
- “Failed to apply any robust age assurance mechanism and therefore did not have a lawful basis for processing the personal information of children under the age of 13.”
- “Failed to carry out a data protection impact assessment (DPIA) to assess and mitigate risks to children before January 2025”.
Since January, Reddit has introduced age-assurance measures, including age verification procedures, but not before being slapped with a £14.47 million fine. This fine was based on the number of affected children, degree of potential harm, duration of the failings and global turnover. Although an appeal is likely, the fine highlights the risks organisations take when using self-declaration measures to verify age. You can read the ICO press release here.
Separately, on 5 February 2026, the ICO took enforcement action against MediaLab.AI, Inc (Media Lab). A total fine of £247,590 was imposed on the image-sharing platform ‘Imgur’ for also failing to lawfully process children’s personal information between 2021 and 2025. Key details of the breach include:
- “Failing to implement any measures to check the age of users.”
- “Processing the personal information of children under 13 without parental consent or any other lawful basis when offering online services”; and
- “Failing to carry out a data protection impact assessment to identify and reduce privacy risks to children.”
You can read the ICO press release here.
What do I need to do to prevent a breach?
It is clear from the fines above that self-declaration of age is no longer a viable method for online platforms when dealing with age-restricted content. Regulators are increasingly treating breaches of children’s data as a serious operational failure, rather than a technical oversight. Organisations should look to update their age-assurance procedures, ensuring that the method they use is proportionate to the level of risk to children on their platform. It is advised to:
- carry out a DPIA before offering access to any service that is likely to be accessed by children;
- ensure that your website has privacy built into it, ensuring that stringent privacy settings are on by default;
- review internal policies and ensure all staff are trained on child data protection issues;
- avoid using self-declaration without secondary age verification methods where appropriate;
- audit parental‑consent controls to ensure that you are not inadvertently breaching UK GDPR or the OSA; and
- implement systems to detect and prevent age-restricted or harmful content on your platforms.
The ICO’s enforcement actions clearly show an intention to strictly uphold the law on child protection issues. Even if you accidentally breach the rules, there could be significant risks to your organisation.
If you have any questions regarding data protection, please get in touch with the Geldards Commercial Team.