Instagram has been fined 405 million euros (about $403 million) for violating the European Union’s privacy-focused General Data Protection Regulation (GDPR).
The penalty was handed down by the Irish Data Protection Commission (DPC) over Instagram’s handling of children’s privacy settings on the app.
The size of the fine, which is expected to be officially announced in the coming days, was leaked to news site Politico and confirmed later to TechCrunch.
The DPC’s investigation looked at Instagram’s processing of children’s data, which in some cases made information such as email addresses and phone numbers visible. It also looked into how some children’s accounts were set to public by default, instead of private.
Responding to news of the fine, a spokesperson for Meta told Politico: “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private.”
The spokesperson added that anyone under the age of 18 “automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.” We should know next week if Meta plans to appeal the fine.
Instagram has long faced criticism over the way it handles matters of privacy for its younger users, but even controlling precisely who uses the app is a big challenge. To set up an account, you have to be at least 13 years old, but it took Instagram until 2019 — nine years after it launched — to start asking users to confirm their age when setting up an account. And even then, children can simply lie about their birth date to continue the setup process.
In recent years, as Meta’s spokesperson mentioned, Instagram has made more effort to introduce measures to protect children’s privacy, as well as other features aimed at making the app safer for younger users.
Politico notes in its report that the fine is the second-biggest financial penalty handed down since the privacy-focused GDPR came into force in 2018, behind the 746 million euro (about $742 million) fine issued to Amazon in 2021.
It’s also the third fine that the Irish regulator has handed to a company owned by Meta, with the others being a 225 million euro ($223M) penalty for WhatsApp and a 17 million euro ($16.9M) penalty for Facebook. The Irish DPC is also continuing to work on six other investigations into Meta-owned companies, so more fines could be coming down the track for the U.S. giant.