ICO fines MediaLab.AI £247,590 for failing to protect children’s data on Imgur

The Information Commissioner’s Office (ICO) has issued a financial penalty against MediaLab.AI, Inc., owner of Imgur, for unlawfully handling children’s personal information. The breach centers on letting children use Imgur without the safeguards required by UK data protection law.

What happened

• Between September 2021 and September 2025, MediaLab processed children’s personal data on Imgur in ways that breached the UK GDPR.
• Imgur’s terms allowed under-13s only with parental supervision, but MediaLab did not implement age checks or obtain parental consent where required.
• The company failed to carry out a data protection impact assessment (DPIA) to identify and mitigate privacy risks to children.

Key breaches identified

• No age-verification measures to determine a user’s age.
• Processing data of children under 13 without parental consent or any other lawful basis for online services.
• Absence of a DPIA to assess and reduce risks to children’s privacy.

Why this matters

• Personal information often underpins the content children see online. Without age checks, MediaLab could not know who was using Imgur, increasing the risk that young users would encounter harmful content—such as material related to eating disorders, homophobia, antisemitism, or explicit or violent imagery.

ICO’s response and statements

• John Edwards, the ICO Commissioner, condemned the company for failing to protect children and for collecting and processing their data while exposing them to inappropriate material.
• The ICO highlighted that age checks are essential to keep children’s data safe and to prevent recommendations of age-inappropriate content.
• The action is part of a broader effort to improve how digital platforms handle children’s personal data.

Enforcement findings and penalty details

• The ICO considered factors including the number of children affected, potential harm, duration of the contraventions, and MediaLab’s global turnover when setting the penalty.
• The maximum possible penalties under the law are either up to £17.5 million or 4% of worldwide annual turnover, whichever is higher.
• MediaLab accepted the provisional findings outlined in the ICO’s Notice of Intent (September 2025) and committed to addressing the infringements if access to Imgur in the UK is restored. If MediaLab resumes processing children’s data in the UK without implementing the agreed measures, further action may be taken.
• The ICO indicated it may redact some personal or confidential information before publishing the monetary penalty notice.

Background on the ICO and protections for children online

• The ICO is the UK regulator for data protection, with safeguarding children’s privacy online as a priority.
• UK data protection law provides enhanced protections for children, which the ICO translates into practical standards through the Age Appropriate Design Code (the Children’s code). The code requires prioritizing children’s best interests and ensuring strong default privacy protections.
• In December 2025, the ICO reported progress on its Children’s code strategy, including proactive supervision to improve how social media and video-sharing platforms handle children’s data.

Age assurance guidance for online services

• Age assurance tools help prevent underage access and tailor experiences to users’ ages.
• Organisations should align their age assurance approach with the level of risk on their platform—either providing full protections for all users or applying proportionate safeguards based on age.
• When services restrict access for younger users, emphasis should be on robust age verification and access prevention.
• Additional guidance is available in the ICO’s age assurance opinion.

If you’d like, I can tailor this into a shorter news brief, a longer feature, or convert it into a Q&A style explainer.