Meta, the parent company of Instagram, has been fined a record $402 million for letting teenagers set up accounts that publicly displayed their phone numbers and email addresses.
Irish privacy regulator, The Data Protection Commission (DPC) confirmed the penalty on Monday after a two-year investigation into Instagram’s potential breaches of the European Union’s data protection regulation (GDPR).
The investigation, which started in 2020, focused on how Instagram had allowed users aged between 13 and 17 to operate business accounts on the platform, which facilitated the publication of the user’s phone number and email address.
The DPC also found the platform had operated a user registration system whereby the accounts of 13-to-17-year-old users were set to “public” by default.
“We adopted our final decision last Friday and it does contain a fine of 405 million euros,” A spokesperson for the Irish DPC tells Reuters.
The spokesperson for the Irish data watchdog adds that full details of the decision will be published next week.
Meanwhile, Meta says it disagrees with how the fine was calculated and plans to appeal the decision. According to the company, Instagram updated its settings over a year ago and has since released new features to keep teens safe and their information private.
“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson tells Politico.
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”
The DPC regulates Facebook, Apple, Google and other technology giants due to the location of their EU headquarters in Ireland. It has opened over a dozen investigations into Meta companies, including Facebook and WhatsApp.
This is the third and largest fine the DPC has handed out to Meta, eclipsing the 225 million euros (about $267 million at the time) the company faced after the Irish privacy regulator found that WhatsApp did not properly inform EU citizens about how it collected and used their data, particularly regarding how it shared that data back with Meta.
The DPC also has dozens of other investigations underway against Big Tech companies, including several more involving Meta’s data practices.
Meta’s ability to collect data faced further questions last month. Privacy researcher, Felix Krause revealed Meta injects code into websites its users visit through Instagram and Facebook so that the company can track them across the internet after they click links in its apps.
Image credits: Header photo licensed via Depositphotos.