Exterro's Legal GRC Breakdown

Get your daily dose of news, best practices, and technology from Exterro's e-discovery, privacy, and digital forensics experts here.

< BACK TO ALL STORIES

Data Privacy Alert: FTC Authors Epic $500 million Settlement with Fortnite Game Company

Created on January 20, 2023


Director of Marketing, Privacy

The Federal Trade Commission has continued its campaign of stepped-up privacy enforcement with a $520 million settlement with Epic Games, the maker of popular online game Fortnite, over violations of children’s privacy and its use of dark patterns to charge consumers extra fees.

Overview

On December 19, 2022, the FTC announced in a press release that it had reached an agreement with Epic Games on a $520 million settlement for alleged privacy violations. While Fortnite is free to download and play, users often pay for in-game items including costumes (known as “skins”) and dance moves (“emotes”). Over 400 million people worldwide play the game, in which they battle each other alone and in teams to determine who is the final survivor out of 100 players. During gameplay, users can speak to each other using text or voice communications.

Download the full alert here!

The FTC agreement, which broke down into 275 million in fines for its alleged violations of the Children’s Online Privacy Protection Act (COPPA) and $245 million in consumer refunds for charges made as a result of its use of dark patterns to trick game players into unwanted purchases. It set several records: the largest ever penalty for violating an FTC rule (COPPA); the largest refund in a gaming case; and the largest total administrative order in its history. In addition to the monetary component of the settlement, Epic agreed to adopt strong privacy settings for children and teens, namely that in-game voice and text communications are turned off by default.

What It Covers

The FTC had charged Epic with COPPA violations for collecting personal data from children under 13 without parental consent and by enabling voice and text chat for children by default. FTC alleged that Epic was aware that many children played Fortnite and collected data without verified parental consent. Epic employees had urged the company to change the default settings, but when it did so, made it difficult for users to turn voice chat off.

A separate complaint alleged that Epic used dark patterns to trick users into making unwanted purchases with confusing, counterintuitive, and inconsistent button placement; by charging parents’ credit cards without consent; and by locking accounts when customers disputed unauthorized charges on credit cards. Epic received upwards of one million user complaints, but only made cancel and refund options more difficult to find. The FTC will use $245 million of the settlement for consumer refunds.


Expert Analysis from Matt Dumiak, Director Privacy Services, Compliance Point

The FTC put a stake in the ground surrounding the collection of personal information from children and the use of deceptive practices. This enforcement highlights how critical it is for businesses to implement and follow privacy by design and default principles in order to reduce risk and demonstrate compliance. This can be accomplished by conducting privacy impact assessments to identify risk to the consumer, implementing meaningful consent mechanisms, and designing different settings and default tiers for the different age groups interacting with a product or service. This will ensure products are age appropriate and will result in transparency to the consumer, a reduction in complaints, and an overall better experience for the consumer. The FTC has been vocal about its priorities when it comes to protecting children online and will continue to levy fines against businesses being deceptive and misusing the personal information of children.

Data Privacy Tip

Organizations must recognize that cookie banners and older forms of acquiring and managing consumer consent will no longer suffice; they must deploy enterprise consent management solutions. Find out what it takes to make sure you’re compliant in our recent infographic on enterprise consent management.