Surfshark's latest study finds that five out of the ten most popular platforms have racked up a combined €3.9 billion in fines since 2018. Meta's Facebook and Instagram top the league of shame, accounting for €2.7 billion of that total. TikTok, which is rapidly becoming the GDPR authorities' favourite punching bag, follows with €890 million.
The rest of the offenders' club includes LinkedIn, now €310 million lighter, and X (formerly Twitter), which was hit with a €450,000 fine in 2020. Meanwhile, YouTube, Snapchat, Pinterest, Reddit, and Threads somehow remain untouched, though that might say more about lazy regulators than squeaky-clean data practices.
NOYB data protection lawyer Felix Mikolasch said: "The current enforcement efforts by data protection authorities are rather reactive, sometimes they are non-existent at all."
A particularly ugly detail is that one third of the fines concern the mishandling of children’s data. TikTok has already chalked up three GDPR violations in this area, starting with a 2021 fine for failing to provide a Dutch-language privacy policy a child could understand.
It got worse from there. In 2023, TikTok was fined twice more, first for letting under-13s roam freely without enforcement of its own policies, then for allowing adult accounts to pose as guardians with zero proof. That earned them a solid €360 million spanking.
Instagram received its own roasting in 2022, when it was revealed that children’s business accounts were set to public by default. This brilliant feature gave away personal data without asking for consent. Facebook followed in 2024 with a security breach that exposed children’s data and resulted in a €251 million fine.
Child-related GDPR fines total more than €1 billion, nearly a quarter of the entire social media GDPR fine haul.
Since the last Surfshark report in October 2023, which swapped WhatsApp for Threads, the total value of GDPR fines has surged by nearly 30 per cent. That jump was fuelled by four new fines issued in 2024 and 2025, including two more for Meta and one each for LinkedIn and TikTok.
But fines are just one part of the picture. Often, regulators simply wag their finger, tell companies to behave, and call it a day. As Surfshark points out, the absence of fines might not mean a platform is innocent. It might just mean no one’s bothered to look.
The data came from the GDPR Enforcement Tracker, with Surfshark digging into legal documents to verify whether the fines were connected to children's data. When they were, the details were grim, the violations glaring, and the regulators just about catching up.