The UK's data watchdog just made an example of Reddit — and the ripple effects are landing squarely on the age-verification company quietly sitting at the centre of the internet's child safety crisis.
The Information Commissioner's Office (ICO) fined Reddit £14.47 million for unlawfully processing children's personal data, citing the platform's failure to meaningfully verify how old its users actually were. Reddit relied on users simply declaring their age at signup — a method the regulator called "easy to bypass." Its own estimates found a large number of under-13s active on a platform that technically barred them. The result: Reddit had processed children's private data without any lawful basis to do so.
"It's concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children," said John Edwards, the UK Information Commissioner.
Reddit has since rolled out stricter checks and plans to appeal the fine. In its defence, the company argued it had deliberately avoided collecting user identity information out of a commitment to privacy — a framing the ICO found unconvincing.
But here's where it gets uncomfortable.
Reddit introduced Persona age verification in July 2025 to comply with the UK Online Safety Act (OSA) — the very compliance move the ICO had been pushing for. Persona, a San Francisco-based identity startup, is now the engine behind age checks on Reddit, Roblox, ChatGPT, and, until very recently, Discord.
Security researchers recently discovered a Persona frontend exposed on the open internet on a US government-authorised server. What they found went far beyond simple age-checking.
The exposed code revealed that Persona performs 269 distinct verification checks, runs facial recognition against watchlists and politically exposed persons, screens users across 14 adverse media categories, including terrorism and espionage, and can retain IP addresses, device fingerprints, government IDs, phone numbers, and biometric data for up to three years.
In other words, users handing over a selfie to prove they're 18 may have unknowingly fed a surveillance stack with reach well beyond age gating.
The Discord fallout has been severe. Discord quietly tested Persona on UK users, describing it as "an experiment," despite publicly positioning a different, more privacy-respecting vendor — k-ID — as its primary age-check partner.
When the Persona experiment became public, users noticed a second uncomfortable detail: Persona's lead investor is the Founders Fund, the venture capital firm co-founded by Peter Thiel, who also co-founded Palantir — the data analytics company that powers ICE's deportation surveillance infrastructure.
Discord has since stated it will not continue using Persona, though users remain skeptical about what comes next. A 2025 breach already exposed roughly 70,000 government-issued ID images from Discord's earlier age verification process.
For platforms scrambling to comply with the OSA — which required age checks from July 2025 — the tools available are themselves becoming the controversy. Social media expert Matt Navarra described the ICO and Ofcom's coordinated enforcement as a "UK regulator pincer movement," with the ICO pushing on children's data design expectations while Ofcom enforces real age-assurance as a baseline.
The message for platforms is clear: pointing users at a checkbox or outsourcing the problem to a third-party vendor isn't compliance — it's liability transfer. If the vendor then turns out to be running what researchers are calling a biometric surveillance engine, the reputational and legal exposure compounds fast.
For users, the more immediate question is simpler and a lot more unsettling: when you verify your age online, do you actually know what you're verifying yourself into?
If you've completed age verification on Reddit, Roblox, Discord, or ChatGPT, review the privacy policies of Persona Identities, Inc. to understand what data was collected and how long it may be retained.