Britain’s data protection regulator has fined the owner of image-sharing platform Imgur nearly £250,000 after finding serious breaches in the site’s handling of children’s personal data.
The Information Commissioner’s Office (ICO) has fined MediaLab.AI, Inc. £247,590, concluding that the company allowed children to access Imgur for years without even the basic age verification safeguards required by UK data protection law.
After a lengthy investigation, the regulator found that MediaLab did not determine the age of Imgur users, processed the personal data of children under 13 without parental consent, and did not conduct a data protection impact assessment to identify or mitigate risks to younger users.
Because Imgur did not have an effective way to identify who was using the platform, children were exposed to potentially harmful content, including material related to eating disorders, anti-Semitism, homophobia, and sexually explicit or violent images. The ICO said personal data was being used to shape content recommendations without any protections appropriate for children.
John Edwards, Britain’s data protection commissioner, said the company had failed in its legal duty to protect young users. He said MediaLab allowed children to use Imgur without effective age controls in the collection and processing of their data, putting them at serious risk.
He added that age controls play a critical role in protecting children’s personal information and preventing it from being used in ways that could cause harm, such as recommending age-inappropriate content. Companies that ignore the fact that children are using their services will face enforcement action, he warned.
The ICO’s investigation spanned a four-year period between September 2021 and September 2025, during which MediaLab was found to have breached the UK’s General Data Protection Regulation. Under UK law, online services can only rely on consent as a legal basis for processing data from children under 13 if that consent is given by a parent or carer.
Although Imgur’s terms stated that children under 13 required parental supervision, the ICO found that MediaLab had no mechanisms in place to enforce this or obtain parental consent.
When determining the penalty, the regulator took into account the duration of the violations, the number of children affected, the extent of the potential harm and MediaLab’s global sales. The ICO also found that MediaLab accepted its preliminary findings and committed to implementing appropriate safeguards should Imgur resume processing children’s data in the UK.
The regulator said further regulatory action could follow if these commitments are not met.
The fine is part of the ICO’s wider efforts to improve the way digital platforms protect children’s personal data online. UK data protection law offers children enhanced protection, reinforced by the Children’s Code, also known as the Age Appropriate Design Code, which sets clear expectations for online services that are likely to be accessed by minors under 18.
The ICO has stressed that platforms must either apply the Children’s Code protections to all users or implement proportionate and robust age protection measures to appropriately adapt protections.
