There never seems to be an end to the amount of work that Facebook (NASDAQ:FB) needs to do to improve user privacy. The social networking conglomerate has faced a continuous stream of privacy scandals and transgressions over the past few years, with the company invariably vowing to do more. Except the controversies keep coming.

This time around, the issue involves Instagram instead of the core Facebook platform. The photo- and video-sharing service is wildly popular among younger demographics -- 72% of users age 13 to 17 use the service, according to Sprout Social -- and it may be mishandling children's data.

Three iPhones displaying different aspects of Instagram's interface

Image source: Instagram.

All they wanted was analytics 

Ireland's Data Protection Commission (DPC) announced this week that it was opening two investigations into how Instagram handles children's data following reports that the company allowed kids as young as 13 years to convert their accounts to business accounts, which previously had the subsequent effect of exposing personal contact information. It's worth noting that many online platforms have poor age verification controls, and many users are under the legal age limit of 13 that is generally required to open online accounts.

Business accounts offer deeper analytics to the account owner, and anyone can convert a personal account to a business account. Users under the age of 18 might try to leverage those analytical insights in order to grow their followings on the platform without realizing the privacy trade-off, since business accounts were required to provide contact information such as a phone number or email address.

Data scientist David Stier published a study back in June 2019 that described his findings. Stier found that Instagram did not use anonymized addresses or phone numbers to relay communications -- a process that any Craigslist user is familiar with -- but instead displayed the information directly. As a result, the researcher estimated that "millions" of children have inadvertently had their information displayed or harvested.

"In today's digital world in which vast numbers of children are prevalently active on social media, it is vital that data controllers are compliant with their obligations under the [General Data Protection Regulation] and the Data Protection Act 2018 in relation to their processing of children's personal data on their platforms," the DPC wrote in a release. "Instagram is a social media platform which is used widely by children in Ireland and across Europe."

The DPC is opening two different but related inquiries. The first will gauge whether the tech giant "has a legal basis" for processing children's data and whether it has implemented adequate protections on Instagram for its most vulnerable users. The second will examine profile and account settings and determine if those settings are appropriate for kids, which appears to refer to the business account situation.

In a statement to the BBC, Facebook said that it made updates to business accounts shortly after Stier's initial study and notes that those accounts are now able to opt out of providing contact information. The statement did not acknowledge that Facebook has more work to do.