Social media giants slapped with over 3 billion in fines over GDPR violations, Meta tops the list

Data breaches and similar violations have sent social media giants to court several times so far. But how much did they actually have to pay for their actions? Cybersecurity firm Surfshark recently analyzed it, and the results are staggering. According to the study, since the General Data Protection Regulation (GDPR) was established in 2018, half of the top 10 social media platforms have incurred fines totaling €2.9 billion ($3.1 billion) for GDPR violations. What’s more, one-third of these fines were linked to children’s data!

Methodology

Surfshark’s study drew information from the GDPR Enforcement Tracker. They examined the ten most popular social media platforms based on active user count, including Facebook, Instagram, TikTok, WhatsApp, and X (formerly Twitter).

In assessing fines, the research included individual platform names and their parent companies, such as “Meta Platforms, Inc.” For each violation, the study meticulously recorded the fine amount, the issuing country, and analyzed relevant legal documents. They mainly focused on breaches related to children’s data.

The key insights

Among the scrutinized platforms, European data protection authorities imposed 13 fines. It’s probably not surprising that Meta’s platforms (Facebook, Instagram, and WhatsApp) accounted for the major share of these fines. These sum up to €2.6 billion. TikTok followed, with fines amounting to €360 million, while X (formerly Twitter) received a single fine of €450k.

A deep concern: Children’s data protection

As I mentioned, one-third of these fines were related to children, which is particularly concerning. Surfshark’s study revealed that €765 million of penalties directly related to inadequate protection of children’s data.

TikTok and Instagram were the most notable violators in this category. TikTok faced three separate fines for failing to adequately protect children’s data, including issues with privacy policy transparency, enforcement of age restrictions, and default public settings for accounts. Instagram was fined for default public settings in business accounts created by children, compromising their data privacy.

Infringements and their consequences

The first significant fine in this category was against TikTok in 2021 for a non-comprehensive privacy policy in Dutch. A hefty fine against Instagram followed in 2022, where the platform inadvertently exposed children’s data by setting their business accounts to public by default. TikTok faced further scrutiny in 2023 with two more fines: one for not effectively preventing underage users from accessing the platform and another for their default public account settings and lax verification of parental consent.

A wake-up call

This Surfshark study is a stark reminder of social media platforms’ responsibilities in safeguarding user data, particularly children’s. The fines imposed over the past five years underline the critical need for these platforms to reassess and strengthen their data protection measures, ensuring compliance with GDPR.

You can read the full study here and find the complete research material here.

---