The European Commission has issued preliminary findings that Meta's Instagram and Facebook have breached the Digital Services Act over inadequate age enforcement.
Despite Meta's own terms of service setting the minimum access age at 13, the Commission found that the measures in place to enforce this restriction are not effective. When creating an account, users under 13 can enter a false date of birth to bypass the age requirement, with no meaningful checks applied to self-declared age data. The tool available for reporting underage users was found to require up to seven clicks to access, is not pre-filled with user information, and frequently results in no follow-up action, allowing reported minors to continue using the services unimpeded.
Risk assessment gaps and regulatory context
The preliminary findings also identify shortcomings in Meta's risk assessment methodology. The Commission concluded that the assessment inadequately identifies the risks posed by minors under 13 accessing Instagram and Facebook, and that Meta appears to have disregarded scientific evidence on the heightened vulnerability of younger children to platform-related harms. This is set against evidence from across the EU suggesting that roughly 10–12% of children under 13 are actively using Instagram and/or Facebook.
The formal proceedings underpinning these findings were launched against both platforms on 16 May 2024, following an in-depth investigation that drew on risk assessment reports, internal documents, data requests, and input from civil society organisations and child protection experts across the EU.
The DSA imposes obligations on very large online platforms to assess and mitigate systemic risks, including those relating to minors. The Commission used its 2025 DSA Guidelines on the protection of minors as the benchmark for evaluation, identifying age estimation and age verification as proportionate methods for ensuring a high standard of privacy, safety, and security for underage users. The Commission has also developed a blueprint for an EU age verification application as a reference framework for privacy-preserving compliance.
What comes next
Meta now has the right to examine the investigation file and submit a written response to the preliminary findings. The European Board for Digital Services will be consulted in parallel. If the Commission's preliminary position is confirmed, it may issue a non-compliance decision. Any resulting fine would be proportionate to the infringement and capped at 6% of the provider's total worldwide annual turnover. Periodic penalty payments may also be imposed to compel compliance.
The Commission has stated that investigations are continuing into additional potential breaches, including Meta's compliance with DSA obligations concerning the physical and mental well-being of users of all ages, and the design of platform interfaces that may exploit the vulnerabilities of minors, potentially contributing to addictive behaviour and so-called 'rabbit hole' effects.
These findings are preliminary and do not prejudge the final outcome of the proceedings.
