Meta Ends End-to-End Encryption in Instagram DMs and Reinforces the Debate on Data Protection

Meta has ended support for end-to-end encryption in Instagram direct messages. The change took effect on May 8, 2026. The company justified it by citing low adoption of the feature, which had previously been optional for users.

End-to-end encryption is a layer of protection that prevents third parties, including the platform itself, from accessing the content of messages exchanged between sender and recipient. With the end of this feature in Instagram DMs, communications are now protected by conventional encryption, under which the platform maintains greater technical control over the messaging environment.

This scenario does not mean that messages are public or automatically accessible by external third parties. However, it represents a relevant change in the level of confidentiality of conversations held through the app, especially when compared to channels that adopt end-to-end encryption by default.

For companies, the issue should be analyzed from the perspective of data governance and information security. Instagram is widely used as a channel for institutional relationships, customer service, prospecting, communication with consumers, and engagement with influencers, suppliers, and business partners. In many cases, these interactions may involve personal data, contractual information, documents, service records, sensitive data, or strategic commercial details.

From the perspective of the LGPD, the choice of platforms used for corporate communication should consider the nature of the data processed, the purpose of the communication, the level of security provided, the privacy expectations of data subjects, and the risks associated with sharing information in digital environments.

The absence of end-to-end encryption may increase risks related to confidentiality, automated moderation, requests from authorities, personalized advertising, security incidents, and secondary use of data by the platform, in accordance with its applicable terms and policies.

In this context, companies are advised to review their internal digital communication policies, guide employees on the appropriate use of social media, define which information should not be shared through channels without strong encryption, and prioritize tools that are compatible with the sensitivity level of the communications.

It is also important to include messaging platforms in data-flow mapping, assess legal bases, document processing purposes, review contracts and privacy policies, and establish protocols for redirecting sensitive conversations to more secure channels.

The change reinforces an essential point for corporate governance: social media can be relevant relationship channels, but they should not automatically be treated as suitable environments for every type of business communication. Legal certainty depends on the conscious choice of channels, proper team guidance, and compatibility between technology, risk, and data protection.
