Instagram’s $402m fine is a sign of what’s to come, say data privacy experts

The investigation, launched in 2020, sought to examine how Instagram handles the data of 13-17-year-old users – particularly those who switched to business or creator accounts (possibly to access analytics on profile visits and post engagement). Instagram business accounts previously made more personal data about the user – such as their phone number and email address – publicly available.

“We adopted our final decision last Friday and it does contain a fine of €405m [$402m],” Graham Doyle, the DPC’s deputy commissioner, said in a statement. The penalty is the largest ever issued by the DPC for a violation of Europe’s sweeping General Data Protection Regulation (GDPR). Other regulatory bodies, however, have issued more aggressive fines; last year, for example, Luxembourg regulators fined Amazon nearly $886m for data protection violations.

Per a Meta spokesperson, Instagram cooperated with the Irish regulatory body throughout the investigation. However, it disagrees with how the fine was calculated and says that the decision was made after the platform’s privacy settings had been updated. “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” the spokesperson told The Drum.

In 2019 the company made it optional for business accounts to publicly display contact information and subsequently took steps to notify teen users who operated business or creator accounts to let them know that their settings could be changed to hide their personal information. Today, users under the age of 18 automatically have their accounts set to ‘private’ in order to protect their safety, and adults are not permitted to message under-18 users who don’t follow them.

The spokesperson for Meta said the company intends to appeal the DPC’s decision.

More penalties on the horizon

The two-year investigation represents just one of a handful launched by the DPC into the data-handling practices of Meta and its properties. In the last two years, the regulatory body has fined Meta a total of some $641m, including a $223m fine issued to WhatsApp and a nearly $17m fine issued to Facebook.

“This indicates that regulators are not prepared to let companies get away with fundamental privacy breaches and that privacy is here to stay,” says Husna Grimes, vice-president of global privacy at adtech firm Permutive.

The news adds to a growing surge of crackdowns on data privacy. Late last month, the California Attorney General’s office took its first enforcement action on the far-reaching California Consumer Privacy Act in a $1.2m settlement with Sephora. Mere weeks before, the US Federal Trade Commission instigated new rulemaking plans designed to “crack down on commercial surveillance and lax data security practices.”

“While all of the events of the last few weeks aren’t coordinated or causal, they are certainly correlated – a function of many years building up to a moment where these regulations have teeth, and the market has a desire to see them used to protect consumers,” says Cory Munchbach, president and chief operating officer at customer data platform BlueConic.

As a backdrop to the spike in regulatory enforcement action, the US is closer than it’s been in decades to passing a comprehensive, federal privacy bill in the bipartisan American Data Privacy and Protection Act.

Though the consumer-data-based advertising model and ‘surveillance capitalism’ at large are under the gun, the data practices of tech titans such as Meta are attracting the most scrutiny.

“This comes at a time when the entire business model of Meta is being attacked from all fronts, with threats to privacy rife throughout Meta’s platforms,” says Paul Coggins, chief executive officer at mobile advertising platform Adludio. “The news adds fuel to the belief that social media channels are the wrong environment for advertisers. Soon, they will begin to pull ads if these environments continue to be unsafe.” He says that all major social platforms are likely worried about growing scrutiny of their data privacy practices, “as they should in the fight to maintain user trust.”

Children’s privacy at the forefront

Children’s data privacy in particular has become a hot-button issue among privacy advocates and policymakers. Just last week, California passed new safety and privacy rules for children that require online sites and services “likely to be accessed by children” to evaluate potential risks for users under the age of 18 and implement new safeguards for such users (including default ‘private’ versus ‘public’ account settings – an issue at the heart of the DPC’s decision to fine Instagram). If signed by Governor Gavin Newsom, the bill will become law.

Meanwhile, federal lawmakers are also under pressure to take action on young people’s data privacy. In his State of the Union address in March, US president Joe Biden made it clear that children’s online safety and privacy is a top priority for the administration. “It’s time to strengthen privacy protections, ban targeted advertising to children [and] demand tech companies stop collecting personal data on our children,” he said.

Experts predict that the focus on children’s privacy from lawmakers and enforcement agencies is not likely to wane anytime soon. “We can certainly expect sustained regulatory emphasis on online safety and privacy for children and teens,” says Arielle Garcia, chief privacy officer at media agency UM Worldwide. The new DPC penalty against Instagram, she says, “may serve to accelerate prioritization of these changes by Meta and other platforms.”

For more, sign up for The Drum’s daily US newsletter here.