Facebook, Instagram, TikTok, WhatsApp, and X rack up €2.9bn in GDPR fines – report

In the five and a half years since GDPR (General Data Protection Regulation) came into force in the UK, the most popular social media platforms (Facebook, Instagram, TikTok, WhatsApp, and X, formerly Twitter) were fined over €2.9bn (£2.5bn) for data breaches, of which more than a quarter (€765m, or four of the 13 fines) was for inadequate protection of children’s data, according to a new study from online security firm Surfshark. Three of these four fines were given to TikTok (totalling €360m), and one to Instagram (€405m). These cases include issues such as unclear privacy policies, setting accounts to public by default, and failing to enforce age restrictions.

The first fine related to mishandling children’s data was issued to TikTok in 2021 for failing to have an understandable privacy policy in Dutch. It was followed by a fine to Instagram in 2022, when business accounts made by children were set to public by default, exposing children’s information without informed consent. The remaining two fines were issued to TikTok in 2023. The first was for failure to enforce its own policy prohibiting children under 13 from using the platform. The second was for setting accounts to public by default, exposing children’s data without consent, and for allowing adults to register as parents of child TikTok users without verifying legal guardianship.

Out of the top 10 investigated social media platforms, half were fined by European data protection authorities. In total, there have been 13 fines levied on these platforms, totalling €2.9bn. Meta-owned social media products (Facebook, Instagram, WhatsApp) feature prominently amongst platforms that have received fines under GDPR, adding up to €2.6bn. TikTok received the third highest amount in fines (€360m), while X received the lowest amount, from only one fine in late 2020, totalling €450,000. The remaining five social media platforms covered by the study (YouTube, Snapchat, Pinterest, Reddit, and LinkedIn) did not receive any fines.

“Half of the most popular social media platforms examined have received GDPR fines from European data protection authorities, with a third of these fines linked to privacy issues concerning children,” said Agneska Sablovskaja, Lead Researcher at Surfshark. “Such penalties demonstrate the imperative to hold major social media players accountable for their data handling practices, ensuring that the privacy and safety of all users, especially children, is given the utmost consideration and care.”

The figures in the report came from information provided by the GDPR Enforcement Tracker. Surfshark identified the 10 most popular social media platforms by active user count, and checked them for fines on the Tracker. In the case of Meta, both individual platform names and “Meta Platforms, Inc.” were queried. For companies that were found to have received fines, the date, fine amount, issuing country, and links to relevant legal documents were recorded. The relevant legal documents were then reviewed to identify whether the fines were related to the handling of children’s data.