Türkiye fines Meta $330,000 for violating children's privacy on Instagram

Türkiye’s data protection authority has fined Meta, the parent company of Instagram, nearly $330,000 for privacy violations related to accounts managed by minors on the platform.

According to The Personal Data Protection Authority's (KVKK) decision, an ex officio investigation was launched following allegations that the personal data and privacy of child users were being violated.

This was due to the fact that private Instagram accounts, opened by users under the age of 18, were being converted into business accounts, making them public and allowing children's personal data to become accessible to everyone.

The investigation revealed that email addresses and phone numbers associated with Instagram business accounts were included in Instagram's HTML source code. As a result, this information could be collected by anyone, making child users "vulnerable to online risks."

Failing to ensure data security

KVKK found that Meta, as the data controller, failed to implement adequate technical measures to ensure data security. It also concluded that making children’s personal data accessible to everyone could have negative effects on children.

As a result, the KVKK imposed an administrative fine of $72,000 on Meta for failing to take the necessary technical and administrative measures to ensure data security and for failing to comply with its legal notification obligations.

An additional fine of $258,000 was imposed on Meta because the process of converting child users' private Instagram accounts into business accounts did not involve an age verification step, nor were any measures taken to ensure that this transition was carried out with parental knowledge or control.

In total, Meta, which has more than 50 million users in Türkiye, was fined $330,000.