Instagram has been fined €405M, or around $402 million, over its handling of data belonging to kids.
The fine, the second-largest given to a company over GDPR failures, comes via the Irish Data Protection Commission and was first reported by Politico. The fine also becomes the largest ever to be given to a Meta-owned company and was handed down over Instagram’s mishandling of children’s data including their email addresses and phone numbers.
In a statement given to Politico, Meta said that the Irish inquiry and subsequent fine were based on settings that haven’t been a part of the Instagram app for more than a year. “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson told Politico. “Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”
The complaint itself relates to how children’s information was processed by business accounts on Instagram, with an inquiry finding that some accounts were being set to “public” by default, TechCrunch reports.
What will happen next remains to be seen, but despite the statement this isn’t a good look for Instagram or Meta — two companies that continue to come under pressure for their privacy and wellbeing issues, especially related to teens.
However, Instagram is right in saying that it has taken steps to protect kids and their data. It already added more robust time limits that can be controlled by parents, while people can also prevent sensitive content from being pushed into their feeds. Adults can also no longer send DMs to under-18s unless in specific circumstances, too.