
The UK Information Commissioner’s Office (ICO) has issued a stark warning to digital businesses regarding GDPR compliance, particularly concerning the handling of children’s data. This follows an ongoing investigation into major platforms like TikTok, Reddit, and Imgur for potential violations. Commissioner John Edwards emphasized that small businesses should not view regulatory focus on larger platforms as an excuse for non-compliance [1].
Regulatory Scrutiny on Children’s Data
The ICO’s investigation centers on allegations that TikTok, Reddit, and Imgur may have violated GDPR provisions by inadequately protecting minors’ data. Key concerns include the use of personal data to fuel recommendation algorithms, which could expose children to harmful content, and insufficient age-verification mechanisms [2]. This aligns with broader ICO efforts to enforce the UK’s Age-Appropriate Design Code (AADC), which mandates stricter privacy defaults for minors, such as disabling profiling-based ads [3].
Previous enforcement actions underscore the seriousness of these violations. In 2023, TikTok was fined £12.7 million for processing data of children under 13 without parental consent [4]. The ICO’s current warnings signal an escalation in regulatory pressure, with penalties for non-compliance reaching up to £17.5 million or 4% of global revenue under the UK Data Protection Act 2018 [5].
Implications for Businesses and Technical Teams
The ICO’s focus extends beyond social media giants to all organizations handling children’s data. Technical teams must ensure robust age-verification systems and data minimization practices. For instance, platforms using AI-driven recommendations should audit their algorithms to prevent unintended data exposure. The AADC’s requirements—such as default high privacy settings for minors—add another layer of compliance complexity [6].
From a security perspective, this highlights the need for:
- Data flow mapping: Identify where children’s data is stored and processed.
- Algorithmic transparency: Document how recommendation systems use minors’ data.
- Incident response plans: Prepare for potential ICO audits or data breaches involving child users.
Conclusion
The UK ICO’s warnings reflect a growing global trend toward stricter enforcement of children’s data privacy. Organizations must proactively align their practices with GDPR and AADC standards to avoid penalties and reputational damage. For technical teams, this means integrating privacy-by-design principles into development cycles and staying informed about regulatory updates.
References
1. “La ICO del Reino Unido lanza una advertencia sobre el RGPD por el uso de datos infantiles,” CiberSeguridad Latam, Mar. 27, 2025.
2. “Reino Unido abre expediente a TikTok y Reddit por sus prácticas con datos personales de menores,” VOA, 2025.
3. “El Código de Diseño Apropiado para la Edad de Reino Unido,” Aphaia.
4. “Reino Unido investiga a TikTok por uso de datos de menores,” Yahoo News, 2025.
5. “UK Data Protection Act 2018,” Termly.
6. “El Código de los Niños de ICO ayudará a proteger a los niños en línea,” 365Trust.