IEConsent ViolationTechnologyDecision: 2022-09-05

Meta Platforms (Instagram)

€405.0M

Issued by Data Protection Commission (DPC) on 2022-09-05

What happened

The DPC fined Instagram €405 million for violating children's privacy. The investigation found that Instagram's business account feature allowed children aged 13-17 to make their accounts public by default, exposing their email addresses and phone numbers. Instagram also relied on legitimate interest as a legal basis for processing children's data, which the DPC deemed inappropriate.

Articles violated

Art. 6(1) GDPRArt. 8 GDPRArt. 12 GDPRArt. 24 GDPR

Lessons learned

Processing children's personal data requires explicit parental consent under Art. 8 GDPR. Default settings for minors must be privacy-protective (privacy by default). Companies cannot rely on legitimate interest as a legal basis when processing data of minors — consent is the appropriate basis.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.

Get enforcement alerts for Technology

We track GDPR fines across Europe. Enter your email to get notified about new enforcement actions.

Related enforcement actions

IE€345.0M

TikTok

Data Protection Commission (DPC) · Data Subject Rights

Read case

FR€40.0M

Criteo SA

Commission Nationale de l'Informatique et des Libertés (CNIL) · Consent Violation

Read case

SE€5.0M

Spotify AB

Integritetsskyddsmyndigheten (IMY) · Data Subject Rights

Read case