The European Commission has issued a preliminary finding that Meta may have breached the Digital Services Act (DSA) by failing to adequately prevent children under the age of 13 from accessing its platforms, including Instagram and Facebook.

In a statement, the Commission said Meta’s existing safeguards do not effectively enforce its own minimum age requirement of 13 and raised concerns about minors being exposed to inappropriate content online.

According to the preliminary findings, children can easily bypass age restrictions by entering false birth dates during sign-up, with no robust verification mechanisms in place to validate this information. Regulators also criticised the company’s reporting tools, describing them as difficult to access and ineffective. In some cases, even when underage users have been reported, there appeared to be little or no follow-up action.

The Commission added that Meta’s risk assessments underestimate the scale of the issue. Evidence from across the EU suggests that between 10 and 12 per cent of children under 13 are using Instagram and Facebook, contradicting the company’s internal analysis. Officials also pointed to a failure to adequately consider scientific research indicating that younger users are more vulnerable to online harms.

As a result, the Commission has called on Meta to overhaul its risk assessment processes and introduce stronger systems to detect, prevent and remove underage users. It also emphasised the need for more effective safeguards to ensure a high level of privacy, safety and security for minors across both platforms.

The case forms part of wider ongoing proceedings launched in May 2024 under the DSA. The legislation places strict obligations on large online platforms to assess and mitigate risks, particularly those affecting children and vulnerable users.

Meta now has the opportunity to respond to the findings and review the evidence gathered by the Commission. The company can also propose measures to address the concerns, in line with updated EU guidelines on protecting minors online.

If the preliminary conclusions are upheld, the Commission could impose significant penalties. Under the DSA, fines can reach up to six per cent of a company’s global annual turnover, alongside additional periodic penalties to enforce compliance.

“Meta’s own general conditions indicate their services are not intended for minors under 13,” said Henna Virkkunen, executive vice-president for tech sovereignty, security and democracy at the Commission. “Yet, our preliminary findings show that Instagram and Facebook are doing
very little to prevent children below this age from accessing their services.

“The DSA requires platforms to enforce their own rules: terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users – including children.”

---