New GDPR Investigations into the Use of Children’s Data

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has recently announced investigations into three companies in connection with the use of children’s personal information. In a statement on March 3rd , the ICO said that, as part of its focus on the use of children’s data by social media and video sharing platforms, it was investigating:

  • TikTok, the Chinese-owned video-sharing platform, over its use of the personal information of 13–17-year-olds to promote content to them.
  • Two US platforms, the image-sharing site Imgur and the forum site Reddit, in connection with their assessment of the age of child users.

The announcement illustrates the ICO’s continuing prioritisation of what it calls “children’s information rights”, and specifically its concern with the potential for information about children’s online activity being used to generate recommendations for content that may be harmful. Age assurance measures are an important control in this context, as they will trigger restrictions on access and the tailoring of content.    

The ICO’s focus on these themes can be traced back to the publication of its Children’s Code in 2021. The Code sets out a number of standards for tech companies processing the personal data of UK children, including in the areas of age verification, and the use of personal data collected from child users.

ICO actions since 2021 include the imposition of a fine of over £12m on TikTok itself in 2023 for the misuse of children’s data. That enforcement related to the widespread use of the TikTok service by children under 13. The UK GDPR requires consent to be provided by a parent, rather than the child himself or herself, where the child is below that age – a requirement that the ICO alleged TikTok had breached. TikTok is reportedly in the process of appealing this penalty.

Although the ICO is clearly concerned about online child safety, primary responsibility for the enforcement of the UK’s Online Safety Act 2023, including in relation to children’s safety, lies with another agency, Ofcom, the UK’s communications regulator. The ICO’s remit in this context is specifically related to data privacy considerations, although in practice there will be an inevitable degree of overlap between the two agencies, which have committed to a coordination of efforts.

UK regulatory scrutiny in these areas is consistent with an increasing concern with online harms on the part of the EU in recent years. The Digital Services Act (DSA), which since February 2024 has applied to all platforms, regulates sites including marketplaces, social networks, content-sharing platforms, app marketplaces, and online travel and accommodation platforms. Its purpose is to prevent illegal and harmful activities online, as well as the spread of disinformation. It includes measures aimed at improving child online safety, including requirements around parental controls and age verification, and tools for children to signal abuse and obtain support.

UK and EU enforcement in the context of online harms therefore appears set to continue. As the ICO’s new investigations show, companies operating online platforms, particularly where users may include children, should be aware of the requirements arising under the GDPR, the UK’s Online Safety Act, and the EU’s DSA, as well as the substantial body of regulatory guidance that applies here, including:

  • The ICOs’ guidance on ‘Children and the UK GDPR’.
  • The European Data Protection Board’s collected guidance on Children.

Related Locations

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

New GDPR Investigations into the Use of Children’s Data

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has recently announced investigations into three companies in connection with the use of children’s personal information. In a statement on March 3rd , the ICO said that, as part of its focus on the use of children’s data by social media and video sharing platforms, it was investigating:

  • TikTok, the Chinese-owned video-sharing platform, over its use of the personal information of 13–17-year-olds to promote content to them.
  • Two US platforms, the image-sharing site Imgur and the forum site Reddit, in connection with their assessment of the age of child users.

The announcement illustrates the ICO’s continuing prioritisation of what it calls “children’s information rights”, and specifically its concern with the potential for information about children’s online activity being used to generate recommendations for content that may be harmful. Age assurance measures are an important control in this context, as they will trigger restrictions on access and the tailoring of content.    

The ICO’s focus on these themes can be traced back to the publication of its Children’s Code in 2021. The Code sets out a number of standards for tech companies processing the personal data of UK children, including in the areas of age verification, and the use of personal data collected from child users.

ICO actions since 2021 include the imposition of a fine of over £12m on TikTok itself in 2023 for the misuse of children’s data. That enforcement related to the widespread use of the TikTok service by children under 13. The UK GDPR requires consent to be provided by a parent, rather than the child himself or herself, where the child is below that age – a requirement that the ICO alleged TikTok had breached. TikTok is reportedly in the process of appealing this penalty.

Although the ICO is clearly concerned about online child safety, primary responsibility for the enforcement of the UK’s Online Safety Act 2023, including in relation to children’s safety, lies with another agency, Ofcom, the UK’s communications regulator. The ICO’s remit in this context is specifically related to data privacy considerations, although in practice there will be an inevitable degree of overlap between the two agencies, which have committed to a coordination of efforts.

UK regulatory scrutiny in these areas is consistent with an increasing concern with online harms on the part of the EU in recent years. The Digital Services Act (DSA), which since February 2024 has applied to all platforms, regulates sites including marketplaces, social networks, content-sharing platforms, app marketplaces, and online travel and accommodation platforms. Its purpose is to prevent illegal and harmful activities online, as well as the spread of disinformation. It includes measures aimed at improving child online safety, including requirements around parental controls and age verification, and tools for children to signal abuse and obtain support.

UK and EU enforcement in the context of online harms therefore appears set to continue. As the ICO’s new investigations show, companies operating online platforms, particularly where users may include children, should be aware of the requirements arising under the GDPR, the UK’s Online Safety Act, and the EU’s DSA, as well as the substantial body of regulatory guidance that applies here, including:

  • The ICOs’ guidance on ‘Children and the UK GDPR’.
  • The European Data Protection Board’s collected guidance on Children.

Related Locations

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

News and Insights

Publications

In New York Law Journal, The True Lender Doctrine and the OppFi Decision

Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.

July 1, 2026

Event

Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference

On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.

July 1, 2026

Publications

In Employee Relations Law Journal: What Happens When ERISA Disability Deadlines Slip

Partner Joseph Torres along with Associates Emma O'Connor and Christopher LeWarne, authored an article for the Employee Relations Law Journal analyzing a significant Fourth Circuit decision with substantial consequences for ERISA disability plan administrators.

June 23, 2026

Publications

In Law360, Partner Samuel Feder Analyzes the Supreme Court's Ruling in FCC v. AT&T

Partner Sam Feder authored an article in Law360 examining the Supreme Court's June 4 decision in Federal Communications Commission v. AT&T Inc., which rejected AT&T's and Verizon's argument that the FCC's forfeiture process violates the Seventh Amendment right to a jury trial.

June 16, 2026