In two record-breaking settlements with the Federal Trade Commission (FTC), the maker of popular video game Fortnite has agreed to pay a total of $520 million in penalties for violating children’s privacy and using deceptive design practices to trick players into making unwanted in-game purchases. In addition to the half-billion-dollar fines imposed on Epic Games Inc., the settlements require the company to make significant changes to the game’s privacy and consent controls, the FTC announced on Dec. 19, 2022.
Epic Games introduced Fortnite in 2017 and the online multiplayer video game currently has an estimated 400 million users worldwide. Fortnite is free to download in most modes but players can make in-game (in-app) purchases of items such as costumes to customize characters and tools.
Epic agreed to pay a $275 million penalty for violating the Children’s Online Privacy Protection Act (COPPA) and adopt new privacy default settings to protect children and teens. The fine is the largest ever obtained for violating an FTC rule, the agency said.
Under a separate settlement, the game maker will pay another $245 million in consumer refunds for using consumer interface design tricks known as “dark patterns” to manipulate players into making unintentional purchases. The settlement amount is both the FTC’s largest refund amount in a gaming-related action and its largest administrative order in history, according to the agency.
The COPPA complaint was filed by the U.S. Department of Justice on the FTC’s behalf in a North Carolina federal court.
Specifically, the FTC alleged that Epic:
- Collected personal information from Fortnite players under age 13—including by directly collecting the children’s full names, email addresses and usernames and by allowing the children to participate in the real-time interactive features of the game—without first obtaining their parents’ consent, which is illegal under COPPA. Fortnite is a “child-directed” service as defined by COPPA. Epic further had actual knowledge that particular Fortnite players were under 13. The game maker was well aware through surveys of Fortnite users, licensing and marketing of Fortnite toys and merchandise, and player support communications that many children under 13 played Fortnite. Further, Epic required parents who requested that their children’s personal information be deleted to jump through extraordinary hoops to “verify” their parental status, according to the complaint. In some cases, Epic failed to honor parents’ requests.
- Enabled the game’s real-time voice and text chat communications for children and teens by default, which the FTC alleged violated Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. Epic’s default settings enabled live text and voice communications for all users (including those the game maker knew were children). These default settings, along with the game maker’s role in matching strangers to play Fortnite together, harmed children and teens, the agency alleged. As a result, children and teens have been bullied, threatened, harassed and exposed to traumatizing issues, including suicide and self-harm, while playing Fortnite.
In addition to paying a $275 million penalty for alleged COPPA violations, Epic must:
- Cease enabling voice and text communications for children and teens unless the parents of users under 13, or teen users or their parents, affirmatively give their consent.
- Delete personal information previously collected from Fortnite players in violation of COPPA—unless the game maker obtains parental consent to retain such data or players identify themselves as 13 or older through a neutral age gate mechanism.
- Establish a comprehensive privacy program that addresses the issues identified in the FTC’s complaint and that is subject to regular, independent audits.
Now that the FTC has deemed Fortnite a child-directed website, brands must be careful when conducting promotions or activations on Fortnite. Even though brands may not be collecting Personal Information as defined by COPPA through their Fortnite promotions, the interactive features, which are inherent to Fortnite, may implicate COPPA. Any brand that has an ongoing or future activation on Fortnite should view the activation as being child directed and determine whether the collection of any personal information by the brand could violate COPPA.
It also must be noted that the FTC asserted a key argument that falls outside COPPA’s scope. The complaint alleges Fortnite’s permissive default communication settings can lead to psychological harm when children are exposed to traumatic issues while talking with strangers. The agency’s allegations of mental damage in children resemble the provisions and obligations included in the recently enacted California Age-Appropriate Design Code Act, which takes effect on July 1, 2024. The new California law is modeled after the U.K.’s Age Appropriate Design Code.
In addition, the settlement prohibits Epic from disclosing “covered information” collected from both children and teens, and the provision requires Epic to receive affirmative express consent from a parent for a child or from a teen or the teen’s parents to use the interactive game features. These provisions reach beyond COPPA because the definition of “covered information” is broader than COPPA’s definition of Personal Information and includes biometric information and “content from any communication from an individual.” In addition, COPPA does not require an additional consent from parents for children to use a game’s interactive features and does not require receipt of any consent from teens. In fact, this is the first FTC COPPA settlement that has afforded teens any special privacy protections.
The FTC separately brought its own administrative proceeding against Epic alleging Epic’s use of dark patterns illegally caused consumers to rack up hundreds of millions of dollars in unintended charges, violating Section 5 of the FTC Act, which prohibits deceptive and unfair practices. Section 5 defines “unfair” practices as those that “cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.”
In the dark patterns complaint, the FTC alleged that Epic:
- Used dark patterns to trick users into making unintended in-game purchases. The agency said Fortnite’s “counterintuitive, inconsistent, and confusing button configuration led players to incur unwanted charges based on the press of a single button.” Players could incur unauthorized charges while, among other things, waking the game up from sleep mode or pressing adjacent buttons to preview an item.
- Charged account holders without authorization. Fortnite players could purchase in-game items using game currency known as “V-Bucks.” Epic would immediately store a credit card upon its first use in the game without the holder’s consent or knowledge. Then, until 2018, Epic would use the stored credit card to allow children to buy V-Bucks without requiring parental or credit card holder action or consent. Therefore, many parents were unaware that their children were able to buy V-Bucks on Fortnite with their credit cards.
- Blocked access to purchased content. Epic locked the accounts of consumers who disputed unauthorized charges with their credit card companies, which meant players lost access to all content purchased. Even when the game maker unlocked an account, it warned players they could be banned for life if they disputed any future charges.
- Ignored more than one million user complaints as well as employees’ repeatedly raising concerns that a large number of players were wrongfully charged. Further, Epic purposely hid its cancel and refund features to make them more difficult to find, a fairly common dark pattern.
The FTC intends to use the $245 million penalty assessed against Epic to refund consumers who were wrongfully charged. Under the settlement, Epic will also:
- Discontinue using dark patterns to obscure in-game charges.
- Cease charging players without obtaining affirmative consent.
- Stop blocking players from accessing their accounts merely because they have disputed unauthorized charges.
The agency said it intends to make refunds available to:
- Parents whose children made an unauthorized credit card purchase in the Epic Games Store between January 2017 and November 2018.
- Fortnite players who were charged the in-game currency V-Bucks for unwanted in-game items between January 2017 and September 2022.
- Fortnite players whose accounts were locked between January 2017 and September 2022 after they disputed unauthorized charges with their credit card companies.
The FTC raised concerns in its complaint about practices that businesses may not realize are considered dark patterns. These nontraditional dark patterns include:
- Collecting and storing credit card information upon first use in the game without informing parents.
- Providing no confirmation of in-game purchases, so that it is unclear whether a purchase was made, either intentionally or accidentally.
- Failing to make disclosures clear and conspicuous. Online disclosures must be “unavoidable” and in the same medium as the underlying content—audio content must have audio disclosures, visual content must provide a visual disclosure, etc. Finally, disclosures directed to children must be provided when the “ordinary consumers” include children.
- Failing to require affirmative, express consent before charging a user’s credit card. The user must also be able to revoke consent at any time for a subscription or for future charges.
The FTC has previously said that it would actively pursue privacy violations and dark patterns that deceive consumers. The FTC’s recent Enforcement Policy Statement and the Staff Report on Bringing Dark Patterns to Light provide valuable insight into the agency’s view on these issues and show that the FTC is serious about making them enforcement priorities. The Epic settlements underscore the FTC’s increased scrutiny and enforcement appetite for policing privacy violations and deceptive marketing tactics.