Ireland’s Data Protection Commission (Commission) has fined Meta (Facebook) approximately $400 million for contravening the General Data Protection Regulation’s (GDPR) privacy laws relating to the protection of children’s privacy online.
The fine was centred on the treatment of children’s data on Meta’s app Instagram. The Commission began its investigation into Instagram back in 2020 and discovered that children aged between 13 and 17 were able to create and post to business or creator accounts on the app. These account types offer less privacy, for promotional purposes, and as such, children’s private email addresses and phone numbers were publicly displayed. Moreover, children’s accounts were set to public by default, breaching article 8 of the GDPR and the processing of personal data of children.
Meta has already contended that it will appeal the decision and claimed that the settings investigated by the Commission were updated over a year ago. According to Meta, accounts held by individuals under the age of 18 are now automatically set to private, although there is still an option to publicly display phone numbers and email addresses.
Despite being previously viewed as a lax regulator, the Commission is following a series of steps set by international authorities to crack down on how data is shared and collected online, especially as it pertains to people under the age of 18.