COPPA Violations and Deceptive Dark Patterns Will Not Be Tolerated: Fortnite Game Maker Agrees to a $520 Million FTC Settlement

“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices,” Federal Trade Commission (“FTC”) Chair Lina M. Khan warns in the press release from December 19, 2022 announcing the FTC’s settlements with Epic Games, Inc. (“Epic”), the creator of the videogame Fortnite (the “Settlements”). Pending approval from a federal judge, the Settlements will require Epic to pay a total of $520 million in penalties. The FTC announced the Settlements in response to allegations that Epic violated the Children’s Online Privacy Protection Act (“COPPA”) and deployed deceptive design features, known as “dark patterns,” that deceived Fortnite players into making millions of dollars of unintentional purchases. As part of the Settlements, Epic agreed to adopt additional privacy protection mechanisms for children and teens and eliminate dark patterns.

COPPA Violations

In the first of the Settlements, Epic agreed to pay $275 million in response to alleged COPPA violations. This amount represents the largest penalty ever obtained for violating an FTC rule and surpasses the previous record of $136 million paid by Google and YouTube in their settlement for alleged COPPA violations in 2019. The FTC claims to have evidence that Epic collected personal information from Fortnite players under the age of 13 without the prior consent of, or prior notification to, their parents and that Epic’s default settings on Fortnite were harmful to children and teens, including by subjecting them to bullying, threats, harassment, and exposure to dangerous and psychologically traumatizing issues.

COPPA, which aims to protect the online privacy of children under the age of 13, requires businesses such as Epic to provide notice that it collects personal information from children under the age of 13 and to obtain verifiable parental consent before any collection or use of that personal information. It also provides parents the right to request that their children’s personal information be deleted.

The FTC claims that Epic was aware that many Fortnite players were under the age of 13 and, nevertheless, collected personal information from those players without first obtaining verifiable parental consent. The FTC further alleges that the video game maker made it difficult for parents to request that their children’s personal information be deleted and failed to comply with deletion requests when made. In addition, the FTC claims Epic was aware that certain voice and text communication features on the video game that were automatically turned on allowed for children to be easily bullied and harassed online. Further, although the voice and text communications may be disabled, the FTC argued that the disable button was difficult to find.

In addition to the monetary penalty, the COPPA Settlement requires Epic to delete any personal information it previously collected in violation of COPPA unless Epic obtains proper verifiable parental consent, and to turn off the voice and text communication features within Fortnite for children and teens unless parents (of users under 13) or teen users (or their parents) provide prior affirmative consent through a privacy setting. Epic must also establish a privacy program to address these issues and obtain regular audits to ensure compliance with COPPA.

Deceptive Design Features

In the second Settlement, Epic agreed to pay $245 million to remedy the alleged deceptive design practices used within its Fortnite video game. The FTC’s complaint alleges that Epic used design elements in its video game that tricked players into unwanted purchases and allowed children to make unauthorized charges without parental knowledge. These types of deceptive design practices that intentionally lead users to make unwanted or unintended choices are known as “dark patterns.” Dark patterns violate the FTC Act’s prohibition against unfair or deceptive practices if they cause substantial harm to consumers who cannot reasonably avoid them and the benefits to the consumer do not outweigh the harm.

The FTC further alleges that Epic used a variety of dark patterns to cause users of all ages to make unintended in-game purchases. For example, a player attempting to take the video game out of “sleep mode” or accidently clicking a “purchase” button that is located right next to a “preview an item” button would result in an unintended charge. Parents complained their children were allowed to make hundreds of dollars of purchases without them being aware of what was happening. However, the FTC claims that Epic ignored more than one million user complaints and repeated employee concerns that users were being wrongfully charged. Further, the FTC alleges that Epic purposefully obscured cancel and refund features to make them more difficult to find. The FTC also alleges that if a customer was able to figure out how to dispute a charge, then Epic would lock the customer account or threaten to ban the customer if future charges were disputed. The $245 million Settlement will be used to provide refunds to customers who had their accounts locked for disputing charges or were charged for unwanted purchases.

Epic issued a separate statement announcing the Settlements along with a list of new features and updated policies to address the FTC’s allegations. New features and policies announced included instant purchase cancellations, spending limits for players under the age of 13, self-service refunds, and additional parental controls.

In connection with the Settlements, the Department of Justice announced that it “takes very seriously its mission to protect consumers’ data privacy rights” and that the proposed order to approve the COPPA Settlement “sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.” A copy of the orders stipulating the penalties are available here and here.

If you are unsure if your business complies with COPPA or if your business utilizes dark patterns, please contact one of our Cybersecurity & Data Privacy attorneys to discuss how Lewis Rice can help your business achieve and maintain compliance.