Irish regulators have fined Instagram €405m for violating children's privacy.
The long-running complaint concerned children's data - particularly their phone numbers and email addresses.
Some reportedly upgraded to business accounts to access analytics tools such as profile visits, without realising this made more of their data public.
Instagram's owner, Meta, said it planned to appeal against the decision. It is the third fine handed to the company by the regulator.
"We adopted our final decision last Friday and it does contain a fine of €405m [£349m]," Ireland's Data Protection Commissioner (DPC) said.
A Meta official told BBC News: "This inquiry focused on old settings that we updated over a year ago and we've since released many new features to help keep teens safe and their information private.
"Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post and adults can't message teens who don't follow them.
"While we've engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.
"We're continuing to carefully review the rest of the decision."
The DPC regulates large technology companies with European headquarters in the Republic of Ireland.
It has never given such a large fine for a breach of the European Union's General Data Protection Regulation.
National Society for the Prevention of Cruelty to Children (NSPCC) child-safety-online policy head Andy Burrows said of Instagram's fine: "This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram.
"The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.
"It's now over to the new prime minister to keep the promise to give children the strongest possible protections by delivering the Online Safety Bill in full and without delay."