Ireland's Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of €405M—roughly equivalent to $402M—following an investigation on how the company handled children's data.
In the investigation that started in 2020, the DPC found Instagram had allowed children between the ages of 13 and 17 to operate business accounts. That meant their phone numbers and email addresses were made public, which is a clear violation of their privacy.
The DPC also found that some Instagram accounts owned by children were set as "public" by default, instead of "private."
A spokesperson from Meta said in a statement:
"This inquiry focused on old settings that we updated over a year ago, and we've since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can't message teens who don't follow them. We engaged fully with the DPC throughout their inquiry, and we're carefully reviewing their final decision."
A DPC spokesperson confirmed the fine with Reuters. He said that full details of the decision will be published next week.
This is the highest fine ever issued by the regulator, easily eclipsing the $267M fine to WhatsApp in 2021 and the $18.6M fine to Facebook in March 2022.
According to Politico, which first covered the story, the DPC has at least six investigations into other companies owned by Meta involving privacy violations.