
Meta fines & penalties

Meta Platforms, Inc.

Owner of Facebook, Instagram, and WhatsApp. Meta holds the record for the most separate major GDPR penalties and the largest GDPR fine to date, alongside record US privacy and biometric settlements.

Penalties: 12
Total imposed: ≈ $10.8B (excludes annulled)
Largest: $5B
Span: 2019 to 2025

Penalties by year

2019: $5B
2021: $893M
2022: $741.4M
2023: $1.7B
2024: $2.3B
2025: $216M

Every recorded penalty

12 penalties

Meta · 2019

Facebook's $5B FTC penalty after Cambridge Analytica

Paid

The FTC imposed a $5B penalty and sweeping new privacy restrictions after finding that Facebook deceived users about their ability to control personal data, in violation of a 2012 consent order. Third-party apps had harvested data on up to 87 million users in the Cambridge Analytica episode. It was the largest privacy penalty in history at the time.

FTC · US · $5B

Meta · 2024

Meta's $1.4B Texas biometric settlement

Paid

Texas settled claims that Meta captured facial-recognition data of millions of Texans through photo tag suggestions without consent, in violation of Texas biometric law. It was the largest single-state privacy settlement at the time.

Texas AG · US (Texas) · $1.4B

Meta · Facebook · 2023

Meta's record €1.2B GDPR fine over EU-US transfers

Under appeal

The Irish DPC fined Meta for continuing to transfer EU users' personal data to US servers after the Schrems II ruling, exposing that data to potential US surveillance without adequate safeguards. It is the largest GDPR fine ever issued.

DPC · Ireland / EU · €1.2B ($1.3B)

Meta · Facebook Marketplace · 2024

Meta fined €797M over Facebook Marketplace

Under appeal

The European Commission found that Meta tied Facebook Marketplace to its social network and imposed unfair conditions on rival online-classifieds services.

EC · EU · €797.7M ($861.5M)

Meta · 2021

Facebook's $650M BIPA facial-recognition settlement

Paid

A class-action settlement resolved claims that Facebook's tag-suggestion faceprinting violated Illinois' Biometric Information Privacy Act. Roughly 1.6 million Illinois users received payouts.

Illinois · US (Illinois) · $650M

Meta · Instagram · 2022

Instagram fined €405M over children's data

Final

The DPC found that Instagram business accounts publicly exposed children's phone numbers and email addresses by default.

DPC · Ireland / EU · €405M ($437M)

Meta · 2023

Meta fined €390M over the legal basis for ads

Final

The DPC found that Facebook (€210M) and Instagram (€180M) relied on a terms-of-service contract, rather than valid consent, to justify personalised advertising. The decision forced a change in how Meta seeks a legal basis for ads.

DPC · Ireland / EU · €390M ($421M)

Meta · Facebook · 2022

Meta fined €265M over data scraping

Final

The DPC found that design failures allowed the scraping of roughly 533 million users' phone numbers and personal details, which were later leaked online.

DPC · Ireland / EU · €265M ($286M)

Meta · WhatsApp · 2021

WhatsApp fined €225M over transparency

Final

The DPC found that WhatsApp failed to properly explain to users and non-users how their data was processed and shared with other Meta companies.

DPC · Ireland / EU · €225M ($243M)

Meta · 2025

Meta's €200M DMA fine over 'pay or consent'

Final

In one of the first Digital Markets Act fines, the Commission found that Meta's pay-or-consent model forced Facebook and Instagram users to either pay a subscription or accept full data combination for personalised ads, without a genuine less-data alternative. Meta adjusted the model after the decision.

EC · EU · €200M ($216M)

Meta · Facebook · 2022

Meta fined €17M over 2018 data breaches

Final

The DPC fined Meta over a series of twelve data breaches in 2018, finding it had failed to have appropriate technical and organisational measures in place.

DPC · Ireland / EU · €17M ($18.4M)

Meta · 2024

PIPC fines Meta KRW 21.6B over sensitive-data collection

Final

South Korea's PIPC fined Meta for collecting sensitive data, including religion, political views, and sexual orientation, on roughly 980,000 users for advertising without consent.

PIPC · South Korea · ₩21.6B ($15M)