⅓ of social media's GDPR fines linked to children

The General Data Protection Regulation (GDPR), an EU privacy regulation, has not only redefined the way organizations handle personal data but has also established a framework for enforcing compliance, including the imposition of fines. This week, we look at the 10 most popular social media platforms by monthly active users¹ and whether they’ve been issued any fines for GDPR violations since the regulation came into effect in 2018². Additionally, we investigate how many of these fines relate to inadequate protection of children's data.

Key insights

• Out of the top 10 investigated social media platforms, half were fined by European data protection authorities. In total, there have been 13 fines levied on these platforms (Facebook, Instagram, TikTok, Whatsapp, and X, formerly Twitter), totaling €2.9B. The remaining 5 social media platforms (YouTube, Snapchat, Pinterest, Reddit, and LinkedIn) did not receive any fines.
• Meta-owned social media products (Facebook, Instagram, Whatsapp) feature prominently amongst platforms that have received fines under GDPR, adding up to €2.6 billion. TikTok received the third highest amount in fines (€360 million), while X (formerly Twitter) received the lowest and only one fine in late 2020, totaling €450k.
• Notably, a third (4 out of 13) of all fines handed out to social media platforms are related to mishandling children’s data. Three of these were given to TikTok (€360M), and one was received by Instagram (€405M). The fines add up to €765M or more than a quarter of the total amount fined to the social media platforms over the 5 years of GDPR.
• The first fine related to mishandling children’s data was issued to TikTok in 2021 for failing to have an understandable privacy policy in Dutch.³ It was followed by a fine to Instagram in 2022, when business accounts made by children were set to public by default, exposing children's information without informed consent.⁴ The remaining two fines were issued to TikTok in 2023. The first was for failure to enforce its own policy prohibiting children under 13 from using the platform.⁵ The second — for setting accounts to public by default, exposing children's data without consent, and for allowing adults to register as parents of child TikTok users without verifying legal guardianship.⁶

Methodology and sources

This study used information provided by the GDPR Enforcement Tracker. We identified the 10 most popular (by active user count1) social media platforms, and checked them for fines on the Tracker. In the case of Meta, both individual platform names and “Meta Platforms, Inc.” were queried. For companies that were found to have received fines, data relating to the date, fine amount, issuing country, and links to relevant legal documents were recorded. The relevant legal documents were looked into to identify whether the fines were related to the handling of children’s data.

Data was collected from:

References: