UK Information Commissioner issues first financial penalty under the Children’s Code
The UK’s Information Commissioner’s Office (ICO) has fined MediaLab, owner of image-sharing platform Imgur, £247,590 for misusing children’s data, in a long-overdue enforcement action under the Age Appropriate Design Code.
The ICO’s decision to fine Imgur is a significant milestone for children’s rights online. It is the first fine issued under the Age Appropriate Design Code, sending a clear signal that the rules designed to protect children and their rights online are not optional.
The ICO found that Imgur’s parent company, MediaLab, broke the law by failing to implement age assurance measures, subsequently processing the personal data of children under 13 without parental consent or another lawful basis, and failing to assess the risks its service posed to children. These are exactly the kinds of failures the Code was designed to prevent.
This case underlines the vital role that data protection and the ICO plays in keeping children safe online. When platforms collect excessive data, enable profiling, or fail to build in safeguards, children are exposed to real harm. Enforcement of the Age Appropriate Design Code is a frontline defence against those risks.
“This action is welcome and long overdue. Age-appropriate design and strong default safeguards for all children under 18 are not optional – they are legal requirements and fundamental to children’s safety and privacy. But this enforcement has taken far too long to arrive, leaving children exposed during years of regulatory hesitation. The ICO must act decisively and consistently, so every digital service builds respect for children’s privacy and rights in from the start.”
Colette Collins Walsh, Head of UK Affairs at 5Rights
However, it has taken four years since the Code came into effect for the first financial penalty to be issued. The ICO’s findings show these breaches have been happening since 2021, raising serious questions about how long children were left exposed before action was taken.
This action must be the start of faster, more consistent enforcement from the ICO across the digital environment – not a one-off. Only then can we ensure that online services deliver safe, privacy preserving, and age‑appropriate experiences for children by default.