Users between the ages of 13 and 17 were permitted to operate business accounts on Instagram, which displayed their phone numbers and email addresses. The DPC also discovered that the platform featured a user registration process wherein accounts of 13 to 17-year-old users were automatically set to public.
This is not the first violation of the social metaverse company, Meta.
The Data Protection Commission fines Meta because the company has its headquarters in Ireland. If we take into consideration Amazon, who paid €746m for breaking GDPR, Instagram's violation is the second largest fine under GDPR.
Following disclosures concerning Instagram's effects on teen mental health, Meta paused the development of a version of the social media platform for kids last year.
In order to address issues brought up by parents, professionals, and authorities, Instagram announced it was "pausing" work. The action was taken in response to disclosures made by whistleblower, Frances Haugen, that Facebook's own research indicated Instagram could have an impact on girls' mental health with regard to topics like body image and self-esteem.
According to Instagram, the user contact information was added to business accounts before September 2019, and users were informed during the setup process. Now, when a user under the age of 18 joins the platform, their account is automatically set to private.
This was a serious violation that may actually hurt kids who use Instagram and had serious safeguarding implications.
While reading today's headlines will be difficult for Meta, TikTok - another social media company - will probably be keenly monitoring events as it is currently under investigation by the DPC for its own management of children's data. However, the DPC only started that investigation a year ago, so it probably still has some time to go before a conclusion is made.