ICO Fines MediaLab Over Children’s Privacy Failures

Information Commissioner's Office has fined MediaLab.AI, Inc., the owner of the image-sharing platform Imgur, £247,590 for serious failures related to the protection of children’s personal data.

MediaLab is a U.S.-based technology holding company that owns and operates a portfolio of well-known digital platforms, including:

➡️ Imgur (image sharing and hosting),

➡️ Genius (music lyrics platform),

➡️ other online and community-driven services.

Grafika: Freepik

Imgur is a large, globally accessible platform with user-generated content and advertising-driven business models, making data protection and age-appropriate design obligations particularly relevant.

Following its investigation, the ICO concluded that between September 2021 and September 2025, MediaLab processed children’s personal data in breach of UKGDPR.

Key failures included:

No Age Verification

MediaLab did not implement any measures to check users’ age, despite Imgur being accessible to children.

No Parental Consent

Children under 13 were allowed to use the platform without parental consent, even though UK GDPR explicitly requires this when relying on consent as a lawful basis.

No DPIA

MediaLab failed to conduct a DPIA to identify and mitigate risks to children.

Exposure to Harmful Content

Because MediaLab did not know which users were children, minors were potentially exposed to:

➡️ sexual and violent content,

➡️ eating disorder-related content,

➡️ hate speech and discriminatory material.

The ICO made it clear that stating age restrictions in terms of service is not enough without technical and organizational enforcement.

Children Require Special Protection

Under UK GDPR:

➡️ children’s personal data requires enhanced protection,

➡️ online services accessible to children must follow the Children’s Code,

➡️ age assurance must be proportionate to risk,

➡️ and parental consent is required for children under 13.

For organizations operating online, this case is a strong reminder that most privacy laws include explicit protections for children.

Typically, this means:

➡️ age thresholds,

➡️ parental consent requirements,

➡️ higher default privacy settings,

➡️ and additional transparency obligations.

If an online service is accessible to children, the organization must:

➡️ implement appropriate age-verification or age-assurance mechanisms,

➡️ maintain privacy policies clearly addressing children’s data,

➡️ prepare DPIA,

➡️ and define lawful bases for such processing.

From my experience advising organizations on personal data protection, processing children’s data always brings additional obligations and risks. If children’s data is not essential for the business model, I often recommend not processing it at all, especially for the youngest age groups, where regulatory requirements are the strictest.

Link

Author: Sebastian Burgemejster