GDPR Weekly Dispatch: UK ICO Fines Reddit £14.47 Million over Children's Privacy Violations

Feb 26, 2026

🚨 Headline Story: UK ICO Fines Reddit £14.47 Million over Children's Privacy Violations

The UK Information Commissioner's Office (ICO) has issued a significant £14.47 million fine against the social media platform Reddit for failing to adequately protect children's privacy. An investigation by the regulator revealed that Reddit relied almost entirely on user self-declaration for age verification, thereby lacking the robust age assurance mechanisms necessary to keep minors safe. Consequently, the platform unlawfully processed the personal information of users under the age of 13. Furthermore, Reddit was cited for failing to conduct adequate Data Protection Impact Assessments (DPIAs) to address and mitigate the specific risks posed to children accessing its platform.

Why it matters:
This enforcement action firmly underscores that regulators across Europe will not tolerate superficial compliance when children's privacy is at stake. The ICO explicitly reiterated that relying solely on self-declaration of age is a fundamentally insufficient mechanism. For privacy professionals and tech executives, this signals an urgent need to re-evaluate user onboarding flows and genuinely invest in age-gating technologies where relevant. The fine also emphasizes the critical importance of robust DPIAs—failing to document and mitigate foreseeable risks before launching or maintaining interactive features is a direct route to substantial regulatory penalties. Businesses operating digital platforms must operate with the assumption that regulators expect proactive, demonstrative compliance rather than reactive, nominal defenses.

⚖️ Enforcement & Fines

  • Free Mobile & Free Fined €42 Million by CNIL: The French data protection authority (CNIL) imposed fines totaling €42 million on Free Mobile (€27M) and Free (€15M) following a severe data security breach in October 2024 that exposed 24 million subscriber contracts. The CNIL cited multiple failings, including inadequate authentication for VPN access, insufficient monitoring of abnormal system activity, and excessive data retention practices.

  • Insight/Summary: Gaps in basic security hygiene, especially around remote access authentication and active system monitoring, remain a primary attack vector, and one that DPAs are punishing heavily. Review your VPN security immediately!

  • Sources: CNIL

  • X (Grok AI) Investigated by Irish DPC: The Irish Data Protection Commission has legally launched an inquiry into X Internet Unlimited Company. The investigation focuses on whether X complied with its GDPR obligations following reports that its Grok large language model was used to generate and distribute potentially harmful, non-consensual intimate or sexualized images, including those of minors.

  • Insight/Summary: Regulators are aggressively stepping in to address the immediate harms of generative AI. Consent mechanisms and safety guardrails on generative tools must be air-tight.

  • Sources: Irish DPC

🏛️ Legal & Regulatory Updates

  • EDPB & EDPS: The European Data Protection Board and European Data Protection Supervisor issued a highly critical joint opinion on the European Commission's proposed "Digital Omnibus" Regulation. They expressed strong opposition to suggested changes to the fundamental definition of "personal data," warning that such amendments could narrow the scope of EU data protection law and weaken fundamental rights.

  • Sources: EDPB

🌐 Industry & Tech News

  • 61 Global DPAs on AI-Generated Imagery: In a significant show of international regulatory alignment, 61 data protection authorities globally issued a joint statement this week highlighting the severe privacy risks associated with AI-generated imagery. The coalition stressed the need for robust safeguards against misuse, enhanced protections for minors, and greater overall transparency.

  • Sources: Global Privacy Authorities

  • EU AI Act Implementation Advances: As of February 2, 2026, the EU AI Act advanced into its next critical implementation phase. Regulations mandating continuous oversight and post-market monitoring of AI systems are now fully in force, adding a compliance layer for organizations deploying AI.

  • Sources: European Commission

💡 Opinion & Analysis

  • Navigating the Intersection of AI and Privacy: As the EU AI Act moves further into its enforcement timeline and regulators sound alarms over generative AI risks (as clearly seen with the Grok inquiry and the 61-DPA joint statement), privacy professionals must systematically bridge the gap between AI experimentation and GDPR reality. It is no longer acceptable to treat privacy and AI compliance in separate silos. Organizations must begin conducting integrated assessments—combining Data Protection Impact Assessments (DPIAs) under GDPR with Fundamental Rights Impact Assessments (FRIAs) under the AI Act. Establishing unified AI and privacy governance structures now will prevent chaotic, reactive scrambles later when high-risk AI rules fully apply in August 2026.

Author

Alex R. Bongor

Privacy Act Investigator