FTC Fines Epic Games For Children’s Online Privacy Violations and Deceptive Dark Patterns
On December 19, 2022, the Federal Trade Commission (“FTC”) announced two settlements with Epic Games, the developer behind the popular Fortnite video game, for privacy and consumer protection violations. In addition to changing default privacy settings, Epic Games will be required “to pay a total of $520 million in relief over allegations the company violated the Children’s Online Privacy Protection Act (“COPPA”) and deployed design tricks, known as dark patterns, to trick millions of players into making unintentional purchases.”
The first settlement is a result of a federal court order filed by the Department of Justice on behalf of the FTC. The complaint alleged that Epic Games violated COPPA by failing to “comply with the COPPA Rule’s parental notice, consent, review, and deletion requirements.” Independent of COPPA, the FTC also alleged that the game’s default settings related to in-game voice and text communications were harmful, violating the FTC Act’s prohibition against unfair and deceptive practices. That default settling allegedly led to children being linked up with teens and strangers online, who, in some cases, exposed the children to bullying, harassment and, “psychologically traumatizing issues.” The Department of Justice noted that employees allegedly expressed concerns over the default privacy setting dating back to at least 2017, and that despite those concerns, Epic Games refused to the change the in-game voice and text communication to an opt-in status.
The federal court order requires Epic Games to pay a $275 million monetary penalty, which is the largest ever obtained for an FTC rule violation. Additionally, Epic Games is required to adopt strong “default privacy settings for children and teens,” and delete personal information collected from Fortnite users in violation of COPPA.
Websites directed toward children under 13 must comply with rigorous COPPA requirements, including obligations to obtain verifiable parental consent before any personal information is collected from users. Non-compliance can lead to fines for each violation, injunctive relief, including deletion of unlawfully collected data, audit and oversight orders, and other legal and business consequences.
Under the second settlement, Epic Games agreed to pay an additional $245 million to refund customers who the FTC says fell victim to manipulative, unfair billing practices that fall under the category of “dark patterns.” Fortnite allegedly deployed a, “counterintuitive, inconsistent, and confusing button configuration,” that led players to incur charges with a single press of a button. The FTC claims that the single press of a button meant users were charged while sitting in a loading screen or while trying to wake the game from sleep mode. The complaint alleges that users collectively lost hundreds of millions of dollars to the single press of a button practice. Further, Epic Games allegedly “ignored more than one million user complaints.” The $245 million payout from Epic Games will be used to refund customers.
The FTC has shown a recent trend of cracking down on the use of dark patterns, which aligns with regulatory attention emerging at the state level – including restrictions under California privacy laws regarding the use of dark patterns in the context of privacy choices.