EU Commission Accuses Meta of DSA Violations for Allowing Under‑13 Users on Instagram and Facebook
What Happened — The European Commission has issued preliminary findings that Meta’s Instagram and Facebook platforms fail to enforce the minimum‑age requirement of 13 years, breaching the Digital Services Act (DSA). The Commission says Meta’s age‑verification, risk‑assessment, and reporting mechanisms are ineffective, allowing a measurable share of under‑13 users to remain active.
Why It Matters for TPRM —
- Regulatory non‑compliance can trigger fines of up to 6% of global turnover and damage brand reputation.
- Third‑party risk assessments must consider platform‑specific child‑safety obligations when evaluating Meta‑owned services.
- Ongoing legal scrutiny may lead to additional enforcement actions, affecting contractual and service‑level expectations.
Who Is Affected — Social media platforms (Instagram, Facebook); advertisers and brands that rely on Meta’s ad ecosystem; any organization that processes data of EU residents, especially those targeting younger audiences.
Recommended Actions —
- Review contracts with Meta for DSA‑related clauses and enforce compliance warranties.
- Verify that your organization’s marketing and data‑collection practices do not target users under 13.
- Monitor EU regulator updates and be prepared for potential fines or service restrictions.
Technical Notes — The issue stems from inadequate age‑verification (no robust ID checks), weak reporting tools, and incomplete risk‑assessment processes for minors. No specific CVE or malware is involved; the risk is regulatory and reputational.
Source: Security Affairs