Fortnite-maker Epic Games will pay a $275 million penalty to settle Federal Trade Commission allegations that the company violated federal children’s privacy rules and another $245 to consumers for using so-called manipulative “dark patterns” in its billing practices.
The penalty and refund, totaling more than a half-billion dollars, represent the largest penalty ever for violating an FTC rule, the largest refund ever in a gaming case and the agency’s largest administrative order ever.
As part of the settlement announced between the Department of Justice, the FTC and Epic, the company will be required to adopt teen and children’s privacy settings where voice and text communications are turned off by default, a first-of-its-kind provision by the FTC.
The settlement is the largest sought by the agency to date for violations of the Children’s Online Privacy Protection Act, a 1998 law that requires online services directed to children under 13 years of age to ask for verifiable parental consent for the collection of personal information. The FTC alleges that Epic was aware that many children under 13 were playing Fortnite but that the company still collected personal data from children without first obtaining parental consent.
“As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children,” said FTC Chair Lina M. Khan. “Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”
According to the FTC complaint, Epic employees expressed concerns about the safety of voice and text communication settings for children as early as 2017, citing reports that children had been bullied, sexually harassed and exposed to self-harm and suicide through the game. While Epic eventually introduced a button to turn off voice chats, the complaint alleges the company made it difficult to find.
As part of the settlement, Epic must delete personal information collected in violation of COPPA. Epic must also establish a comprehensive privacy program addressing FTC complaints and introduce regular, independent audits.
“Statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough,” Epic said in a statement about the settlement. “We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”
Monday’s settlement far exceeds Google’s 2019 $170 million settlement with the FTC over allegations it illegally collected data from children on YouTube to serve them ads, which previously held the record as the agency’s largest children’s privacy settlement.
Under Khan, the FTC has honed in on companies that use dark patterns, or deceptive advertising practices that make trick users into making decisions they want to make. The agency in September issued a report outlining the increasing pervasiveness of “dark patterns,” or design choices meant to trick customers into agreeing to purchases or giving up their data. Such design choices make it difficult for consumers to cancel subscriptions, for instance, or steer consumers towards default settings that allow consumers to share data.
Last month, the FTC brought its first major settlement against so-called “dark patterns,” which required phone service provider Vonage to pay $100 million in refunds to consumers harmed by its misleading cancellation process. The FTC has suggested it will address both children’s privacy and manipulative design patterns in a privacy rulemaking process the agency is currently exploring.
Meanwhile on Capitol Hill, there is growing interest in pushing through legislation overhauling U.S. privacy rules, though it appears unlikely such a measure will move forward in the short term. Several members of the U.S. Senate have made a last-minute push to approve children’s privacy legislation, including a “COPPA 2.0.” before the year’s end.
Updated Dec. 19, 2022: This article has been updated with additional details regarding recent FTC enforcement actions.