Instagram is being investigated by Europe’s lead regulator over the way it handles children’s personal information, the BBC reported Monday.
The probe, which is being carried out by Ireland's Data Protection Commissioner (DPC), was launched in response to reports that Instagram offered business accounts to kids as young as 13 years old. Regulators are concerned that children’s email addresses and phone numbers may have been displayed publicly.
“Instagram is a social media platform which is used widely by children in Ireland and across Europe,” said DPC deputy commissioner Graham Doyle. “The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination.”
The DBC is looking into whether Instagram sufficiently protects personal data of children and whether it has restrictions in place to prevent exposure of that data. Facebook, Instagram’s owner, could face a fine of as much as four percent of its annual worldwide revenue if the app is found to have broken privacy laws.
The probe stems from a 2019 complaint from David Stier, a data scientist who claimed that his analysis showed that Instagram offered “millions” of minors the option to change their profiles into business accounts in exchange for analytics information.
The offer raises privacy concerns because switching to a business account requires the owner to display their phone numbers and email addresses publicly in the app. The information was also contained in the HTML source code of web pages, meaning it could be “scraped” by hackers.
In a Medium blog post, Stier accused Instagram of refusing to mask users’ email addresses and of not assigning an anonymized phone number, which “runs counter to the practice of nearly every website and app today.”
Facebook rejects claims
A Facebook spokesperson told the BBC on Monday that it’s cooperating with the DBC, but it stated that Stier’s claims are based on a misunderstanding of its systems.
"We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed. That's very different to exposing people's information.”
Facebook said it no longer embeds contact information in the source code of Instagram pages and that it has since added the option for users to opt out of including their contact information.
"We've also made several updates to business accounts since the time of Mr Stier's mischaracterisation in 2019, and people can now opt out of including their contact information entirely."