The Irish Data Protection Commission (DPC) fined Meta, the owner of the social network Instagram, EUR405M for what it labeled a violation of child privacy statutes under the GDPR.
DPC mentioned three issues with Instagram’s privacy settings that led to the penalty:
- Users under 17 can open business accounts.
- Business accounts for minors still display user contact information.
- Underage accounts are not private by default.
Meta responded, saying they had resolved many issues last year. A primary concern was accounts were not set to private by default for minor users. Meta, which owns both Instagram and Facebook, declared that they are active in protecting child privacy online.
Child privacy has always been an issue with online enterprises, especially on social media. And, with the platforms’ growth in recent years, primarily among the younger populations, these issues have only worsened.
Child Privacy Is More Critical than Ever
Many child online safety and privacy regulations focus on physical and emotional protection and safeguarding minors from sexual predators. But, these are not the main motivators for many cybercriminals who want children’s private information.
These scammers are either after money held by kids or their parents. Epic Games sustained lawsuits against predatory practices, such as loot boxes, deemed gambling for children.
Additionally, individuals and groups inside such games focused on even more sinister approaches. These include scams committed by entities, like Team Valure, that had children pay for false opportunities.
The resources children have access to today are enticing to exploit for scammers and cybercriminals. And, with Instagram’s business accounts, the allure of quick-and-easy money and private information access makes scams more alarming.
Mostly Focused on Money and Data
Financial scams do not make the news as often as other predatory practices involving minors because parents don’t see it as a large potential problem. Children, however, have access to their funds and their parents’ too, through phones and access codes.
On most devices, including connected ones, it is possible to make payments or share private information without the parents’ permission. Kids setting up Instagram accounts with their private information could share it with strangers.
Parents rarely keep up with cybersecurity or practice cyber hygiene. Consequently, they only become aware of their child’s online purchases when the bill arrives.
Cultural Changes Are Necessary
In cybersecurity circles, including those connected with the media, the focus is often on top cybercrime cases that cost companies and governments millions of dollars in theft or damages.
But, individual cybercrime cases, where a single person is affected in one instance, and nothing but their private information is stolen, are much more frequent. Individual attacks don’t yield much gain for cybercriminals, but they can add up owing to careless and vulnerable users.
While not everyone’s devices may need specific vulnerability assessments, people must adopt certain precautionary measures to prevent regular cybersecurity attacks.
Regular maintenance is vital for everyone. Users must check what information they share online and decide if they want to continue sharing it.
Inquiry Focused on Old Settings
Meta told the BBC that it is assisting the authorities and complying with the European GDPR policies.
For the current charges against the company, Meta pointed out that it has updated and changed the privacy issues in question. Meta will appeal the DPC’s judgment because of how they calculated it.
September 2021 saw Meta fined USD225M for their subsidiary WhatsApp’s GDPR violations. The regulators have also fined Amazon a record USD746M in July of 2021, a ruling that a Luxembourg court later upheld.
Currently, Instagram automatically sets accounts of those under 18 to private. This setting prevents adults from sending messages to minors they do not follow.
But, it is not clear if such restrictions also apply to minor-operated business accounts. These accounts don’t require additional documentation; anyone can set them up. Unaware of these gaps, minors may share private contact information, which cybercriminals might misuse.
If companies don’t ensure the safety of minors on their platforms, we might witness more of these penalties in the future.
EU Will Not Tolerate GDPR Infringements
Several tech giants have complained that the finer details in the GDPR are impossible to comply with on a larger scale. EU legislators, however, have asserted multiple times that they will grant no leeway to anyone when enforcing child protection.
In the UK, the National Society for the Prevention of Cruelty to Children (NSPCC)–founded in 1884 to protect children from forced labor–has joined the fight for children’s safety online.
Peter Wanless, NSPCC’s CEO, commented that the protection of children needs to be a national priority in 2022. This is to protect children from predatory practices and safeguard the current generation from being defined by the pandemic and its associated issues.