When Terms of Service Are Not Enough: The ICO’s Reddit Fine and WhatNigeria Must Learn

On 24 February 2026, the UK Information Commissioner’s Office (ICO) issued a £14.47 million fine against Reddit. The largest children’s privacy penalty in its history. The enforcement action exposed two systemic failures viz: Reddit’s prolonged absence of any meaningful age assurance mechanism, and its failure for years to conduct a mandatory Data Protection Impact Assessment (DPIA) for child users. The case is instructive not only for global platform operators but for Nigeria’s rapidly maturing data protection ecosystem.
What did Reddit Do Wrong
Reddit’s terms of service have long prohibited children under 13 from using the platform. Yet until July 2025, Reddit deployed no technical mechanism to enforce that prohibition. The ICO estimated that approximately 226,000 children under 13 out of about 537,000 children accessed Reddit in the UK in 2024 alone. Since Reddit could not identify these users as children, it had no lawful basis under UK law GDPR for processing their personal data. The platform was, in effect, collecting and processing children’s information without consent, without safeguards, and without legal authority.
The second failure is arguably more straightforward. Processing children’s data on a large-scale platform is a paradigmatically high-risk activity. UK GDPR Article 35 mandates a DPIA before such processing commences. Reddit conducted no DPIA until January 2025, nearly seven years after the UK GDPR took effect. The ICO’s message is unambiguous when it said it is a statutory risk governance instrument, and its absence is an independent, enforceable breach.
The ICO’s fine calibrated against 537,000 affected UK child users, seven years of persistent non- compliance, and Reddit’s USD 2.2 billion annual turnover sends a signal the privacy community cannot ignore. Also, its contractual prohibitions that are technically unenforceable provide no regulatory defence. Compliance lives in system design, not in boilerplate.
Why Nigeria Should Pay Close Attention
Nigeria’s data protection framework is, in structural terms, well-positioned to apply the Reddit lessons. The Nigeria Data Protection Act 2023 (NDPA) and the NDPA- General Application and Implementation Framework places an affirmative obligation on data controllers to ‘apply appropriate mechanisms to verify age and consent, taking into consideration available technology’ before processing a child’s personal data.
The NDPA further requires parental or guardian consent as the primary lawful basis for processing children’s information. The GAID reinforces these obligations, mandating documented risk assessments and periodic compliance audits for Data Controllers and Processors of Major Importance. The parallel to Reddit is Nigerian-market platforms, including social networks, edtech applications, fintech apps, and gaming services that cater to child users without any age verification mechanism. If a platform cannot identify its child users, it cannot obtain parental consent. If it cannot obtain parental consent, it has no lawful basis for processing children’s data. That is not an interpretive grey area. It is the text of the NDPA.

The NDPC has already demonstrated that it is not a passive regulator. Its $220 million fine against Meta Platforms and ₦766.2 million penalty against Multichoice Nigeria establish that large-scale enforcement is within institutional appetite. Nigeria has over 100 million internet users, a median age of approximately 18, and extremely high rates of digital platform adoption among youth. Every major global platform processing data of Nigerian users is, almost certainly, processing Nigerian children’s data. The NDPA’s extraterritorial provisions mean foreign platforms are not insulated from this risk.

What Needs to Happened
For the NDPC, the Reddit enforcement action is a ready-made template. The Commission should expedite its anticipated that subsidiary regulations on children’s data, prescribing concrete age assurance standards, DPIA requirements for child-facing platforms, and design obligations analogous to the ICO’s Age Appropriate Design Code. The NDPA authorises these regulations, and the Reddit case makes the case for urgency.
For platform operators, the practical obligations are clear. First, audit your likely child user base and do not assume that because your platform is not designed for children, children are not using it. Second, conduct and document DPIAs for any high-risk processing activity involving potential child users. This obligation is mandatory and time-sensitive. Third, implement proportionate age assurance mechanisms. It is urgent to note that terms of service are not age assurance. Technical controls, however designed, must accompany contractual prohibitions.
Conclusion
The ICO’s Reddit fine is a landmark ruling, but its significance extends well beyond the United Kingdom. The core propositions it advances are that children deserve robust data protections. Age restrictions in terms of service must be technically enforced, and DPIAs are non-negotiable for high-risk processing. This is a universal obligations that sit at the heart of Nigeria’s own data protection law. Nigeria’s data protection community, regulators and practitioners alike should treat the Reddit case not as a foreign cautionary tale but as a domestic compliance imperative.