MediaLab.AI, Inc – €289,680 Fine (United Kingdom, 2026)

MediaLab.AI, Inc. (the controller) operates the platform Imgur, an online image sharing and hosting platform. The UK DPA (ICO) carried out a review in 2021 of the age verification practices of the platform. The DPA contacted the controller in 2024 regarding concerns due to the absence of any such measures and requested further information about the processing of personal data relating to users of the Platform aged under 18 years old. Subsequently, the DPA launched an investigation into the controller in December 2024. The DPA found three violations of the UK GDPR and fined the controller GBP 247,590 (approximately €282,917). Firstly, the DPA found that the controller processed personal data relating to users who were under 13 years old without legal basis, in breach of the principle of lawfulness, fairness and transparency in Article 5(1)(a) UK GDPR. Secondly, the DPA found that the controller permitted children under 13 years old to access the platform under parental supervision but did not use age verification and measures to obtain parental consent, breaching Article 6(1)(a) UK GDPR and Article 8 UK GDPR. Thirdly, the DPA found a violation of Article 35(1) UK GDPR. Specifically, the DPA noted that the controller failed to carry out a DPIA in respect of prospective high-risk processing of personal data of users who were under 18 years old.