As part of a proposed federal court order filed by the Department of Justice on behalf of the FTC, Epic will pay a $275 million monetary penalty for violating the COPPA Rule—the largest penalty ever obtained for violating an FTC rule. Additionally, in a first-of-its-kind provision, Epic must adopt strong privacy default settings for children and teens, ensuring that voice and text communications are turned off by default.
Under a separate proposed administrative order, Epic will pay $245 million to refund consumers for engaging in so-called “dark patterns” and billing practices, making it the FTC’s largest refund amount in a gaming case and its largest administrative order in history.
Privacy Violations
The FTC alleged in two separate complaints that Epic engaged in several unlawful practices. In one complaint, filed Dec. 19 in the U.S. District Court for the Eastern District Of North Carolina Western Division, the FTC specifically alleged that Epic:
Violated COPPA by failing to notify parents, obtain consent: The FTC alleged that Epic was aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licensing and marketing of Fortnite toys and merchandise, player support and other company communications—and collected personal data from children without first obtaining parents’ verifiable consent. The company also required parents who requested that their children’s personal information be deleted to jump through unreasonable hoops, and sometimes failed to honor such requests.
Default settings harm children and teens: Epic’s settings enable live, on-by-default text and voice communications for users. The FTC alleges that these default settings, along with Epic’s role in matching children and teens with strangers to play Fortnite together, harmed children and teens. “Children and teens have been bullied, threatened, harassed, and exposed to dangerous and psychologically traumatizing issues such as suicide while on Fortnite,” the FTC alleged.
According to the FTC’s complaint, as early as 2017, Epic employees urged the company to change the default settings to require users to opt in for voice chat, citing concern about the impact on children. “Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings,” the FTC said. “And while it eventually added a button allowing users to turn voice chat off, Epic made it difficult for users to find, according to the complaint.”
In addition to paying the record civil penalty for the COPPA Rule violations, the proposed federal court order will requires the following:
- Prohibits Epic from enabling voice and text communications for children and teens unless parents (of users under 13) or teenage users (or their parents) provide their affirmative consent through a privacy setting;
- Delete personal information previously collected from Fortnite users in violation of the COPPA Rule’s parental notice and consent requirements unless the company obtains parental consent to retain such data or the user identifies as 13 or older through a neutral age gate; and
- Establish a comprehensive privacy program that addresses the problems identified in the FTC’s complaint, and obtain regular, independent audits.
The Commission voted 4-0 to refer the civil penalty complaint and proposed federal order to the DoJ. The DoJ filed the complaint and stipulated order in the U.S. District Court for the Eastern District of North Carolina. Commissioner Christine S. Wilson issued a separate statement.
“The Justice Department takes very seriously its mission to protect consumers’ data privacy rights,” said Associate Attorney General Vanita Gupta. “This proposed order sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.”
Illegal Dark Patterns
In a separate administrative complaint, the FTC alleged that Epic “deployed a variety of dark patterns” to trick players into making unintended in-game purchases and let children rack up unauthorized charges without parental involvement.
The administrative complaint further alleged that Epic charged account holders without authorization. This represents an enforcement trend, as the FTC has brought similar claims against Amazon, Apple, and Google for billing consumers millions of dollars for in-app purchases made by children while playing mobile app games without obtaining parental consent.
The FTC further alleged that Epic “locked the accounts of customers who disputed unauthorized charges with their credit card companies. Consumers whose accounts have been locked lose access to all the content they have purchased, which can total thousands of dollars. Even when Epic agreed to unlock an account, consumers were warned that they could be banned for life if they disputed any future charges,” the FTC said.
Epic ignored more than one million user complaints and repeated employee concerns that “huge” numbers of users were being wrongfully charged. In fact, Epic made the problem worse, the FTC alleged, by “purposefully” obscuring cancel features and refund features “to make them more difficult to find.”
As part of the proposed administrative order with the FTC over the company’s unlawful billing practices, Epic is prohibited from charging consumers through the use of dark patterns or from otherwise charging consumers without obtaining their affirmative consent. The order also bars Epic from blocking consumers from accessing their accounts for disputing unauthorized charges.
The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Epic related to its deceptive billing practices.
Epic Response
In a statement responding to the FTC settlement, Epic said it accepts the settlement terms, adding that it wants to be “at the forefront of consumer protection and provide the best experience for our players. Over the past few years, we’ve been making changes to ensure our ecosystem meets the expectations of our players and regulators, which we hope will be a helpful guide for others in our industry.”
“All game developers should rethink steps they’ve taken to simplify payment flows in favor of practices that provide the largest amount of clarity to players when they make purchase decisions,” Epic continued. “Saving payment information by default is a common way to streamline the checkout process, so players do not have to re-enter their payment method every time they make a purchase. We’ve agreed with the FTC to change this practice, and we now offer an explicit yes or no choice to save payment information.”
Epic added that, “since May 2018, Fortnite has had a refund token system and an undo-purchase system, but now we’ve gone further. We’ve updated our payment flows with a hold-to-purchase mechanic that re-confirms a player’s intent to buy, as an additional safeguard to prevent unintended purchases alongside instant purchase cancellations and self-service refunds.”
Epic went on to explain how it has improved its youth privacy protections. “We’ve learned from our players and have continually enhanced our features, policies, and payment mechanics since Fortnite launched in 2017, and will continue to do so.” Epic’s full statement can be found here. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.
Thanks for sharing this information. This is a lesson to those game developers and their responsibility on making appropriate content for young players. Great content.