The key UK statistics on how children's personal data is handled online — the reach of the ICO's Children's Code, what the regulator found when it examined platforms' age assurance and privacy settings, how many under-13s are signing up despite the minimum age, and the fines now landing for children's-data failures, with the data period stated next to every figure.

The authoritative UK numbers on children's online privacy come from a small set of official releases: the Information Commissioner's Office (ICO) publishes progress updates on its Children's Code strategy, Ofcom's annual Children and Parents: Media Use and Attitudes report measures how UK children actually use connected services, and the Department for Science, Innovation and Technology (DSIT) draws those strands together in its evidence reviews. This page pulls the headline figures from each source into one place.

It is scoped deliberately to the data-protection story — the Children's Code, age assurance and children's-data enforcement — rather than the separate online-harms and content-moderation debate that Ofcom and the NSPCC lead on. Every figure carries its data period, and every source is linked in full at the end.

Key facts and figures

  • 11.7 million children in the UK could see their online privacy improved through the ICO's Children's Code strategy work (ICO strategy update, December 2025).
  • 3 million+ child users have already been affected by platform changes made between the strategy's April 2024 launch and October 2025 (ICO, December 2025).
  • 17 platforms popular with children — including Discord, Pinterest and X — had their age-assurance practices reviewed by the ICO (ICO, December 2025).
  • 12 of 32 social-media and video-sharing platforms raised ICO concerns over children's privacy settings; 13 of the 32 let children share their geolocation (ICO, December 2025).
  • £14.47 million — the ICO fine issued to Reddit for children's-data and age-assurance failures (ICO penalty, 24 February 2026).
  • 40% of UK children under 13 have a social media profile, despite a platform minimum age of 13 (Ofcom 2025, via DSIT/CSJ).
  • 814,000 UK children aged 3–5 are estimated to use social media (Centre for Social Justice, December 2025, applying Ofcom 2025 data).
  • 98% of UK children aged 3–17 have access to the internet at home (ICO, December 2025).

These are the latest figures available as of July 2026, and this page is updated as new data is released — the ICO refreshes its Children's Code strategy progress roughly annually (the last update was December 2025), Ofcom publishes its Children and Parents report each spring, and a further joint ICO/Ofcom age-assurance statement is expected to follow.

How many UK children does the Children's Code cover?

The ICO estimates its Children's Code strategy work has the potential to improve online privacy for up to 11.7 million children in the UK, according to its Children's Code strategy progress update published in December 2025. That figure represents the ceiling of the strategy's reach — the population of children whose experience of the biggest online services the ICO is trying to shift through code-compliant design.

The Children's Code — formally the Age Appropriate Design Code — is a statutory code under the Data Protection Act 2018. It sets 15 standards that online services likely to be accessed by children must build in by default, from high-privacy default settings to switching off behavioural profiling and data-hungry “nudge” techniques aimed at children. It applies to apps, games, social media, streaming services and connected toys, and it is enforced by the ICO under the UK GDPR.

Improvements introduced from the strategy's April 2024 launch to October 2025 have already affected more than 3 million child users across several platforms (ICO, December 2025). Those are concrete changes — default settings tightened, geolocation switched off, profiling restricted — rather than the strategy's potential ceiling, and the gap between the 3 million already changed and the 11.7 million potential shows how much of the code's reach is still being worked through.

The baseline for all of this is near-universal connectivity: around 98% of UK children aged 3–17 have access to the internet at home, and about 90% play games on digital devices (ICO, December 2025). That is why the ICO opened a monitoring programme covering 10 popular mobile games from 2026 — where children are, their data follows.

What did the ICO find when it examined platforms' age assurance?

The ICO reviewed the age-assurance practices of 17 platforms popular with children — including Discord, Pinterest and X — and is carrying that work into a next-phase monitoring programme (ICO Children's Code strategy update, December 2025). Age assurance is the set of methods a service uses to establish, or estimate, how old a user is — and it is the linchpin of children's data protection, because a platform can only apply child-appropriate protections if it knows which users are children.

Alongside the age-assurance review, the ICO ran a broader assessment of how platforms handle children's privacy. Of 32 social-media and video-sharing platforms it assessed for their approach to children's privacy settings, the ICO had concerns about 12 of them, and 13 of the 32 allowed children to share their geolocation (ICO, December 2025). Location sharing is a particular flashpoint under the code, because it exposes a child's real-world whereabouts and is exactly the kind of high-risk processing the code expects to be off by default for children.

The direction of travel is toward continuous monitoring rather than one-off reviews. The 17-platform age-assurance cohort feeds a next-phase programme, and the separately announced review of 10 popular mobile games from 2026 extends the same scrutiny into gaming — the setting where roughly 90% of UK children spend time.

Why is self-declaration age assurance inadequate under UK data protection law?

The clearest signal came with the Reddit penalty: the ICO found the platform relied on self-declaration age checks that were easily bypassed, meaning it had no reliable way to identify under-13s and no lawful basis to process their data (ICO penalty, 24 February 2026). Self-declaration — a user simply typing a date of birth or ticking a box to say they are over a certain age — provides no meaningful assurance, because a child can enter any age they like.

This matters legally because the whole architecture of children's data protection depends on knowing who is a child. Under the UK GDPR and the Children's Code, services likely to be accessed by children must apply the code's protections to those children by default. If a platform cannot tell its child users from its adult users, it cannot apply those protections — and, for under-13s specifically, it has no valid basis to process the data at all, since UK data protection law does not recognise a young child's own consent to information-society services.

The wider policy backdrop reinforces the point. Ofcom's Protection of Children Codes came into force on 25 July 2025, requiring services likely to be accessed by children to use “highly effective age assurance” — a standard well above tick-box self-declaration. That online-safety duty and the ICO's data-protection duty are converging on the same conclusion: self-declaration is no longer treated as adequate age assurance for services children use. The data-protection consequence is what the ICO polices.

How many under-13s are signing up despite the minimum age?

Around 40% of UK children under 13 have a social media profile, despite the platforms' minimum age of 13 — a figure drawn from Ofcom's Children and Parents: Media Use and Attitudes 2025 report and cited in DSIT's June 2026 evidence review. That gap between the stated minimum age and actual sign-ups is the practical problem age assurance is meant to close, and the scale of it explains why the ICO treats weak age checks as a systemic data-protection failure rather than an edge case.

The pattern starts strikingly young. An estimated 814,000 UK children aged 3–5 use social media, according to the Centre for Social Justice's December 2025 analysis applying Ofcom 2025 data — with 37% of parents of 3–5s saying their child uses at least one social media app (up from 29% in 2023) and 19% of 3–5s using it independently. Among 8–9-year-olds, the proportion with an Instagram profile rose from 8% to 14% in a single year (Ofcom 2025, via a Computing at School summary).

Device access underpins the whole picture. 97% of UK teenagers aged 13–15 own a mobile phone, and almost one-fifth — around 20% — of children aged 3–5 own a phone (Ofcom 2025, via DSIT, June 2026). When a very young child has independent access to a connected device, the point at which their personal data starts being processed moves earlier — which is precisely why the Children's Code frames its protections around services children actually reach, not the ages platforms nominally set.

Age groupMeasureFigureData period / source
3–5Estimated using social media~814,000 childrenCSJ, Dec 2025 (Ofcom 2025 data)
3–5Parents saying child uses a social app37% (up from 29% in 2023)Ofcom 2025
3–5Own a mobile phone~20%Ofcom 2025, via DSIT (June 2026)
8–9Have an Instagram profileRose from 8% to 14% in a yearOfcom 2025
Under 13Have a social media profile~40%Ofcom 2025, via DSIT/CSJ
13–15Own a mobile phone97%Ofcom 2025, via DSIT (June 2026)
3–17Have internet access at home~98%ICO, Dec 2025

What fines have UK platforms received for children's data failures?

The ICO fined Reddit £14.47 million for children's data protection failures on 24 February 2026 — the platform had no lawful basis for processing under-13s' data and relied on easily-bypassed self-declaration age checks. It is the clearest children's-data enforcement action to date and sets the benchmark for how the regulator now treats inadequate age assurance as a data-protection breach in its own right.

Reddit is not the only case in train. The ICO issued a notice of intent to fine MediaLab, the owner of Imgur, over its handling of UK children's personal information and age assurance on 10 September 2025, and in February 2025 it opened an investigation into how TikTok processes the personal data of 13–17-year-olds in its recommender systems (ICO Children's Code strategy update, December 2025). Together these show enforcement moving beyond a single headline penalty into a sustained programme focused specifically on children's data and age assurance.

This page deliberately does not restate the site's full penalty tables — for the fine-by-fine detail, including TikTok's earlier £12.7 million penalty for misusing children's data, see our GDPR fines and penalties guide, and for the wider enforcement trend our ICO fine and enforcement statistics page. What the numbers above establish is narrower and more specific: children's-data failures are now producing eight-figure penalties, and age assurance is the common thread running through them.

Frequently asked questions

What does the ICO Children's Code require of platforms handling children's data?

The Children's Code (Age Appropriate Design Code) is a statutory code under the Data Protection Act 2018 that sets 15 standards for online services likely to be accessed by children. Services must apply high-privacy settings by default, switch off behavioural profiling and geolocation for children unless there is a compelling reason not to, avoid data-hungry nudge techniques, and act in the best interests of the child. The ICO enforces it under the UK GDPR, and its December 2025 strategy update reports the code's work could improve privacy for up to 11.7 million UK children.

How many UK children have been affected by Children's Code platform changes?

More than 3 million child users had been affected by platform changes made between the strategy's April 2024 launch and October 2025, according to the ICO's December 2025 progress update. That is the number of children already touched by concrete changes; the strategy's full potential reach is estimated at up to 11.7 million children.

Why is self-declaration age assurance considered inadequate under UK data protection law?

Because it provides no reliable way to tell which users are children. A user can type any date of birth, so a platform relying on self-declaration cannot apply child-appropriate protections to its actual child users, and for under-13s it has no valid basis to process the data at all. The ICO made this explicit in fining Reddit £14.47 million in February 2026, and Ofcom's Protection of Children Codes, in force since 25 July 2025, separately require “highly effective age assurance” rather than tick-box checks.

What fines have UK platforms received for children's data protection failures?

The ICO fined Reddit £14.47 million in February 2026 for children's-data and age-assurance failures. It also issued a notice of intent to fine MediaLab (Imgur) in September 2025 and opened a February 2025 investigation into TikTok's processing of 13–17-year-olds' data in its recommender systems. TikTok was separately fined £12.7 million in an earlier case — see our GDPR fines and penalties guide for the full penalty detail.

How many under-13s are on social media in the UK?

Around 40% of UK children under 13 have a social media profile despite a platform minimum age of 13 (Ofcom 2025, via DSIT/CSJ). The pattern begins far younger: an estimated 814,000 children aged 3–5 use social media, and 37% of parents of 3–5s say their child uses at least one social app.

Sources & references

Protecting children's data starts with teams that understand the Children's Code and the UK GDPR — train yours to handle personal data safely and lawfully.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.