GDPR fines for mishandling children’s data exceed €1 billion

The General Data Protection Regulation (GDPR), an EU privacy regulation, has been in force for seven years already. It seems companies had a vast amount of time to redefine the ways they handle personal data to comply with new rules. However, some organizations have more trouble doing so than others, and continue getting fined. This week, we look at the 10 most popular social media platforms by monthly active users¹ and whether they’ve been issued any fines for GDPR violations since the regulation came into effect in 2018². In particular, we investigate how many of these fines relate to inadequate protection of the most vulnerable children's data.

However, it's important to remember that fines alone don't reflect the full picture of privacy adherence by social media platforms. Not all enforcement actions result in a monetary penalty, as authorities may instead order companies to modify a product or halt certain practices. Still, the absence of fines in certain cases may point to a lack of action. As Felix Mikolasch, a Data Protection Lawyer at NOYB, noted in a comment provided to Surfshark, "the current enforcement efforts by data protection authorities are rather reactive, sometimes they are non-existent at all."

Key insights

• Of the ten most popular social media platforms analyzed, half have been fined by European data protection authorities. A total of 15 fines have been issued to five platforms — Facebook, Instagram, TikTok, LinkedIn, and X, formerly Twitter — adding up to €3.9 billion. Meanwhile, the remaining five — YouTube, Snapchat, Pinterest, Reddit, and Threads — have not received any GDPR fines to date.
• Compared to the study conducted in October 2023, which included WhatsApp among the most popular social media platforms but excluded Threads, the total financial amount of fines has increased by nearly 30%. Four additional fines were imposed: Meta (2) and LinkedIn (1) in 2024, and TikTok (1) in 2025.
• Facebook and Instagram accounted for €2.7 billion in GDPR fines, making Meta the most heavily penalized company. TikTok followed with €890 million in fines. X and LinkedIn faced one fine each — €450,000 in 2020 and €310 million in 2024, respectively.
• Notably, one-third of all fines issued to social media platforms (5 out of 15) are related to the mishandling of children’s data. TikTok received three of these fines (€360 million), while Instagram and Facebook received one each — €405 million and €251 million, respectively. The fines add up to more than €1 billion or nearly a quarter of the total amount fined to the social media platforms since the regulation came into effect in 2018.
• The first GDPR fine related to the mishandling of children’s data was imposed on TikTok in 2021 for failing to have an understandable privacy policy in Dutch.³ It was followed by a fine to Instagram in 2022, when business accounts made by children were set to public by default, exposing children's information without informed consent.⁴ Two additional fines were issued to TikTok in 2023. The first was for failure to enforce its own policy prohibiting children under 13 from using the platform.⁵ The second — for setting accounts to public by default, exposing children's data without consent, and for allowing adults to register as parents of child TikTok users without verifying legal guardianship.⁶ In late 2024, Meta was fined for a Facebook security breach that also impacted children's personal data.⁷

Methodology and sources

This study is a follow-up to a previous analysis⁸ that used information provided by the GDPR Enforcement Tracker. As before, we identified the ten most popular social media platforms by active user count¹ and looked for any associated fines on the Tracker. In the case of Meta, both individual platform names and “Meta Platforms, Inc.” were included in the search. For each company found to have received fines, we recorded the date, fine amount, issuing country, and links to relevant legal documents. These documents were then reviewed to identify whether the fines were related to the handling of children’s data.

Data was collected from:

References: