A third of GDPR fines for social media platforms linked to child data protection

It’s been a little over five years since the GDPR came into effect and fines keep amassing — especially for social media platforms.

New research by Dutch VPN company Surfshark has found that, since 2018, five of the most popular social media (Facebook, Instagram, TikTok, Whatsapp, and X/Twitter) have been fined over €2.9bn for violating the EU’s data protection law.

Facebook alone accounts for nearly 60% of the total amount, with €1.7bn in penalties. Adding to Zuckerberg’s woes, Meta’s platforms combined have reached €2.5bn. TikTok has received the third highest amount in fines, at €360mn, while X (formerly Twitter) has only amassed €450k. Meanwhile, YouTube, Snapchat, Pinterest, Reddit, and LinkedIn have not been charged.

Most alarmingly, one-third (4 out of 13) of these fines are linked to insufficient protection of children’s data — adding up to €765mn of the total amount.

Specifically, TikTok was first fined in 2021 for failing to introduce its privacy statement in Dutch, so that minors in the Netherlands could fully understand the terms. Two more fines were issued in 2023. One was for TikTok not enforcing its own policing restricting access to children under 13. The other was for setting accounts to public by default, and for not verifying legal guardianship for adults registering as parents of child users. These fines combined resulted in a total of €360mn.

The second social media to be charged for violating children’s privacy is Instagram. The Meta platform received its one and only fine in 2022 (€405mn), when business accounts created by minors were set to public by default.

“Such penalties demonstrate the imperative to hold major social media players accountable for their data handling practices, ensuring that the privacy and safety of all users, especially children, is given the utmost consideration and care,” said Agneska Sablovskaja, lead researcher at Surfshark.

Apart from being caught in the crosshairs of GDPR enforcers, Facebook, Instagram, TikTok, and X also need to comply with the Digital Services Act (DSA). Among other requirements, the EU’s landmark content moderation rulebook prohibits the use of targeting advertising that’s based on the profiling of minors.