Instagram Privacy News
https://privacycenter.instagram.com/policy
Coverage: Oct 6, 2010 to Jan 8, 2026
Change Timeline
A database containing 17.5 million Instagram user records appeared for sale on a dark web forum, including usernames, email addresses, phone numbers, and hashed passwords. Concurrently, a password reset vulnerability was discovered that allowed attackers to enumerate valid accounts. Meta patched the vulnerability and initiated forced password resets for affected accounts.
Meta updated its privacy policy to disclose that data from user interactions with Meta AI chatbots across Instagram, Facebook, Messenger, and WhatsApp would be used to deliver personalized advertisements and content recommendations. The change meant that questions, prompts, and conversations with Meta AI could inform ad targeting, blurring the line between AI assistant usage and advertising infrastructure.
Meta began training its generative AI models on public posts, photos, and comments from EU/EEA Instagram users, relying on the 'legitimate interest' legal basis under GDPR rather than explicit consent. Privacy group noyb threatened legal action, and the Irish DPC issued a statement acknowledging the processing while monitoring compliance.
The FTC finalized the updated consent order against Meta, imposing a blanket prohibition on monetizing data from users under 18 across all Meta platforms, including Instagram. The order expanded the original 2019 $5 billion settlement and specifically targeted Instagram's ad targeting of minors. Meta was required to deploy age verification technology and delete data collected from children under 13 without parental consent.
Updated Terms of Service and a new US Regional Privacy Notice took effect. The update tightened rules around third-party data sharing, requiring advertisers to obtain explicit user consent before uploading contact information for custom audience targeting. The policy also clarified Meta's content licensing rights, sparking concern about how broadly user content could be repurposed.
The Irish DPC fined Meta €91 million for storing hundreds of millions of Facebook and Instagram user passwords in plaintext on internal systems without cryptographic protection, violating GDPR Articles 5(1)(f) and 32(1). The inquiry followed Meta's self-report of the issue in March 2019.
Instagram launched mandatory 'Teen Accounts' with built-in protections for all users under 18. For teens under 16, accounts are private by default, messaging is restricted to existing connections, sensitive content is filtered at the strictest level, and changes to settings require parental permission. Features include 60-minute daily usage reminders and 'Sleep Mode' muting notifications between 10 PM and 7 AM. Existing teen accounts were automatically migrated within 60 days.
Meta agreed to pay $1.4 billion over five years to the State of Texas to settle a lawsuit alleging that Meta's 'tag suggestions' feature across Facebook and Instagram collected facial geometric biometric data from millions of Texans without consent, violating the Texas Capture or Use of Biometric Identifier Act (CUBI). This is the largest privacy settlement ever obtained by a single US state. Meta had shut down the facial recognition feature in November 2021 and deleted over 1 billion biometric templates.
Meta announced a policy update allowing EU users' public posts, comments, and photos to train generative AI models. Following complaints from noyb to 11 EU data protection authorities, Meta paused the policy before its effective date. It was later rescheduled for May 2025 with updated compliance documentation.
In response to GDPR enforcement, Meta introduced a 'pay or consent' model for EU users: accept personalized ads for free, or pay €9.99/month for an ad-free experience. Privacy advocacy group noyb filed complaints immediately, arguing this amounted to a 'privacy fee' that monetizes the fundamental right to data protection.
A bipartisan coalition of 33+ state attorneys general filed a federal lawsuit against Meta, alleging Instagram and Facebook were designed with features that knowingly harmed children and teens. The complaint cited addictive design patterns (infinite scroll, push notifications, like counts), failure to enforce minimum age requirements, and evidence from the Haugen disclosures showing Meta's internal research confirmed Instagram worsened body image issues and mental health in teenage girls.
Meta launched consumer-facing generative AI assistants (Meta AI) and established that public posts, photos, and content — but not private messages — could be used to train Meta's AI models. Users were given opt-out mechanisms, though the process was not straightforward.
A federal judge granted preliminary approval for a $68.5 million class-action settlement specifically for Instagram's use of facial recognition on Illinois users, separate from the earlier $650M Facebook BIPA settlement. Approximately 4 million Illinois residents who used Instagram's face-scanning features were eligible for payouts under the state's Biometric Information Privacy Act.
The FTC proposed amending its 2020 consent order with Meta after finding the company failed to comply with privacy commitments, including misleading parents about Messenger Kids controls. The proposed changes would impose a blanket prohibition on Meta — including Instagram — from monetizing data of users under 18, and would require written third-party assessor approval before launching new products or features affecting children. Meta called the proposal 'a political stunt.'
Meta filed a federal lawsuit against Voyager Labs, a surveillance company that had created over 38,000 fake Instagram and Facebook accounts to scrape data from more than 600,000 users. Voyager Labs sold the scraped data to law enforcement agencies and private clients for social media monitoring and predictive policing purposes.
The Irish DPC fined Meta €390 million (€210M for Facebook, €180M for Instagram) for relying on 'performance of a contract' as the legal basis for behavioral advertising, which the EDPB ruled was not a valid GDPR basis. Meta was ordered to bring processing into compliance within three months.
The Irish DPC fined Meta €265 million for failing to protect user data 'by design and by default' under GDPR, after data of hundreds of millions of users was scraped via a vulnerability in Instagram's Contact Importer feature. The scraped data, which included phone numbers and profile information, was subsequently published online.
The Irish DPC fined Instagram €405 million for GDPR violations related to children's data processing — the largest GDPR fine by the DPC at the time. The investigation found that Instagram allowed teens aged 13–17 to operate business accounts that publicly displayed their phone numbers and email addresses, and personal accounts of children were set to public by default. The case went through the EU's Article 65 dispute resolution process before the final decision.
Meta rolled out a consolidated privacy policy covering Facebook, Instagram, and Messenger (WhatsApp retained its own). Meta stated this did not authorize new data collection but provided more detailed explanations of existing practices, including how information is shared with third parties. A new Privacy Center was launched alongside the update.
Meta shut down its Face Recognition system across both Facebook and Instagram, deleting the facial recognition templates of more than 1 billion users. The shutdown came amid mounting legal liability from the $650M Illinois BIPA settlement, the $5B FTC fine, and growing societal concerns about biometric surveillance.
Former Facebook employee Frances Haugen testified before the Senate Commerce Subcommittee after leaking internal research documents to the SEC and The Wall Street Journal. The documents showed Facebook's own studies found Instagram worsened suicidal thoughts in 13.5% of teen girls and body image issues in 32% of teen girls. The disclosures triggered a bipartisan coalition of 44 state attorneys general to launch a formal investigation into Instagram and prompted Instagram to pause its planned 'Instagram Kids' app indefinitely.
A federal judge approved a $650 million class-action settlement under the Illinois Biometric Information Privacy Act (BIPA) for Facebook's 'Tag Suggestions' facial recognition feature, which operated across both Facebook and Instagram. The feature collected biometric faceprint data from approximately 1.6 million Illinois users without obtaining the written consent required by BIPA.
Business Insider revealed that Hyp3r, an official Instagram advertising partner, had been secretly scraping millions of users' location data, Stories, and profile information from Instagram for up to a year. Hyp3r built detailed location-based profiles of users without their knowledge or consent. Instagram revoked Hyp3r's access and sent a cease-and-desist letter, calling the scraping unauthorized.
The FTC imposed a record $5 billion civil penalty on Facebook for violating its 2012 consent decree, with the settlement's requirements applying to all Facebook-owned products including Instagram. The order established a board-level privacy committee, required a designated compliance officer, mandated privacy reviews of all new products, and imposed 20-year reporting requirements across the company.
Security researcher Anurag Sen discovered an unprotected AWS database belonging to Mumbai-based influencer marketing firm Chtrbox, containing personal records of approximately 49 million Instagram users. The exposed data included contact information, profile details, location data, and a calculated 'worth' metric for each account. The database was taken offline after TechCrunch reported the exposure.
Facebook disclosed that millions of Instagram passwords had been stored in plaintext on internal systems since as early as 2012, accessible to over 20,000 employees via internal search tools. The initial disclosure mentioned Facebook passwords only; Instagram was added in an update weeks later, with the number of affected Instagram accounts eventually revised upward to millions.
In the wake of the Cambridge Analytica scandal, Instagram deprecated its legacy Platform API and dramatically restricted third-party access to user data. Apps were limited to basic profile information and user-owned media only, eliminating the ability to access followers' data or public content at scale. The changes mirrored Facebook's broader platform lockdown.
A bug in Instagram's developer API exposed the phone numbers and email addresses of approximately 6 million high-profile accounts, including celebrities and politicians. An attacker exploited the flaw to build 'Doxagram,' a dark web database that sold celebrity contact information for $10 per search. Instagram confirmed the vulnerability and patched the endpoint.
Instagram's revised privacy policy took effect, enabling broader data sharing with parent company Facebook for ad targeting and analytics purposes. The policy allowed Instagram to share user information including browsing activity and location data with Facebook's advertising infrastructure, laying the foundation for cross-platform behavioral ad targeting.
Instagram announced updated Terms of Service granting the company broad rights to use, modify, and sell users' photos in advertisements without compensation or notification. The backlash was massive and immediate, with National Geographic and other major brands threatening to leave the platform. Instagram reverted the changes within three days, with co-founder Kevin Systrom calling the language a mistake.
Facebook announced the acquisition of Instagram for approximately $1 billion in cash and stock, marking Facebook's largest purchase to date. The FTC cleared the deal in August 2012 after a five-month review, concluding it did not substantially lessen competition. The acquisition placed Instagram's user data under Facebook's control, raising immediate concerns about cross-platform data sharing.