Ireland's Data Protection Commission (DPC) confirmed the penalty following a long-running complaint that Instagram allowed teenagers to set up accounts on the platform that displayed their phone numbers and email addresses.
Some had reportedly upgraded to business accounts to access analytics tools such as profile visits but did not realise that this made more of the data public.
It was also found that the platform had operated a user registration system where the accounts of users aged from 13 to 17 were set to 'public' by default.
The regulator ruled that the company had breached the European Union's general data protection regulation (GDPR).
Instagram's owner Meta is planning to appeal against the decision, which marks the third time that the tech giant has been fined by the regulator.
Ireland's Data Protection Commissioner said: "We adopted our final decision last Friday and it does contain a fine of €405m [£349m]."
Meta argue that the investigation centred on old setting and claim that changes have been made to help users keep their information private.
An official told BBC News: "This inquiry focused on old settings that we updated over a year ago and we've since released many new features to help keep teens safe and their information private.
"Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post and adults can't message teens who don't follow them.
"While we've engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.
"We're continuing to carefully review the rest of the decision."