Metafines & penalties
Meta Platforms, Inc.
Owner of Facebook, Instagram, and WhatsApp. Meta holds the record for the most separate major GDPR penalties and the largest GDPR fine to date, alongside record US privacy and biometric settlements.
- Penalties
- 12
- Total imposed
- ≈ $10.8Bexcludes annulled
- Largest
- $5B
- Span
- 2019 to 2025
Penalties by year
Every recorded penalty
12 penalties
Meta · 2019
Facebook's $5B FTC penalty after Cambridge Analytica
The FTC imposed a $5B penalty and sweeping new privacy restrictions after finding that Facebook deceived users about their ability to control personal data, in violation of a 2012 consent order. Third-party apps had harvested data on up to 87 million users in the Cambridge Analytica episode. It was the largest privacy penalty in history at the time.
Meta · 2024
Meta's $1.4B Texas biometric settlement
Texas settled claims that Meta captured facial-recognition data of millions of Texans through photo tag suggestions without consent, in violation of Texas biometric law. It was the largest single-state privacy settlement at the time.
Meta · Facebook · 2023
Meta's record €1.2B GDPR fine over EU-US transfers
The Irish DPC fined Meta for continuing to transfer EU users' personal data to US servers after the Schrems II ruling, exposing that data to potential US surveillance without adequate safeguards. It is the largest GDPR fine ever issued.
Meta · Facebook Marketplace · 2024
Meta fined €797M over Facebook Marketplace
The European Commission found that Meta tied Facebook Marketplace to its social network and imposed unfair conditions on rival online-classifieds services.
Meta · 2021
Facebook's $650M BIPA facial-recognition settlement
A class-action settlement resolved claims that Facebook's tag-suggestion faceprinting violated Illinois' Biometric Information Privacy Act. Roughly 1.6 million Illinois users received payouts.
Meta · Instagram · 2022
Instagram fined €405M over children's data
The DPC found that Instagram business accounts publicly exposed children's phone numbers and email addresses by default.
Meta · 2023
Meta fined €390M over the legal basis for ads
The DPC found that Facebook (€210M) and Instagram (€180M) relied on a terms-of-service contract, rather than valid consent, to justify personalised advertising. The decision forced a change in how Meta seeks a legal basis for ads.
Meta · Facebook · 2022
Meta fined €265M over data scraping
The DPC found that design failures allowed the scraping of roughly 533 million users' phone numbers and personal details, which were later leaked online.
Meta · WhatsApp · 2021
WhatsApp fined €225M over transparency
The DPC found that WhatsApp failed to properly explain to users and non-users how their data was processed and shared with other Meta companies.
Meta · 2025
Meta's €200M DMA fine over 'pay or consent'
In one of the first Digital Markets Act fines, the Commission found that Meta's pay-or-consent model forced Facebook and Instagram users to either pay a subscription or accept full data combination for personalised ads, without a genuine less-data alternative. Meta adjusted the model after the decision.
Meta · Facebook · 2022
Meta fined €17M over 2018 data breaches
The DPC fined Meta over a series of twelve data breaches in 2018, finding it had failed to have appropriate technical and organisational measures in place.
Meta · 2024
PIPC fines Meta KRW 21.6B over sensitive-data collection
South Korea's PIPC fined Meta for collecting sensitive data, including religion, political views, and sexual orientation, on roughly 980,000 users for advertising without consent.