Over a Fortnite: Epic Games to Pay Record US$520 Million to Settle FTC Claims of Children’s Privacy Violations and Digital Dark Patterns, Which Continued for Years

By: Katie Staba and Desirée Moore

The Federal Trade Commission (FTC) has reached its largest administrative settlement to date: US$245 million. The proposed settlement is with Epic Games, Inc. (Epic Games), the company that developed and offers the multiplayer, online game Fortnite, and stems from Epic Games’ unlawful collection of personal information and illegal use of digital dark patterns to bill Fortnite users for unintentional in-game purchases. In total, Epic Games will be responsible for US$520 million, which includes a US$275 million penalty.

UNITED STATES v. EPIC GAMES, INC.[1]

The complaints at issue involve Epic Games’ popular game, Fortnite. Fortnite attracts young users to play the game online, through a mobile application, or through a video gaming console. Although access to the game is free, while playing Fortnite users can make various in-game purchases, such as gear and dance moves, through “V-Bucks”—a virtual currency purchased with real money. The FTC has accused Epic Games of violating the Children’s Online Privacy Protection Act (COPPA) and using design tricks, referred to as dark patterns, to trick millions of users into making inadvertent in-game purchases.

First, in a complaint filed in federal court,[2] the FTC alleged that Epic Games collected personal information from children under 13, without parental consent, and enabled voice and text chat for these children by default. Fortnite was launched with “no parental controls and minimal privacy settings;” thus, neither children nor their parents could prevent the public display of the child’s username, or disable the default voice and text chat functions, unless the gaming console itself provided such parental controls.[3] Further, Epic Games failed to provide direct notice to parents regarding its practice of collecting, using, and disclosing children’s personal information, nor did Epic Games seek verifiable parental consent prior to collecting such information.[4] Indeed, Epic Games required parents to “jump through extraordinary hoops” just to verify their parental status in order to review or delete their child’s personal information.[5]

The FTC accused Epic Games of causing “substantial harm” by matching children with strangers during interactive gameplay, while “publicly broadcasting players’ display names and imposing real-time communications through on-by-default voice and text chat.”[6] Epic Games’ User Experience team allegedly warned leadership to move to an opt-in voice chat feature, as the default feature “presented ‘a risk in terms of negative social behavior’ . . . .”[7] Indeed, children were reportedly “bullied, threatened, and harassed, including sexually, through Fortnite.”[8] The FTC alleged that Epic Games’ collection of personal information without parental consent, as well as its use of voice and text chat by default, violates COPPA and the FTC Act.[9] Ultimately, Epic Games agreed to pay a US$275 million penalty stemming from the claims alleging these practices.

Second, in an administrative complaint,[10] the FTC alleged that Epic Games engaged in a pattern of digital dark practices meant to trick users into unintentionally purchasing in-game perks. Many of the users, the FTC claims, were young children using their parents’ payment information.[11]

The accused digital dark patterns include the following:

  • Epic Games saved consumers’ credit card information by default, which allowed children to make in-game purchases without any further cardholder [adult] consent.[12] FTC alleged that up until 2018, once credit card information was uploaded the first time, children could make later purchases with the press of a button.
  • Further, the company designed the in-game purchases to deceive users and encourage inadvertent charges. For example, on the Fortnite smartphone application, Epic Games designed the in-game purchase page to place the “purchase” button very close to the “preview” button, resulting in unwanted purchases stemming from one inadvertent click.[13]
  • The complaint also alleges that Epic Games used conflicting and counterintuitive designs to trick users into making purchases. For example, for some items, the “preview” merchandise function is selected by using the “cross button” on a PlayStation controller, while the “purchase” merchandise function is selected by the “square button.” For other items, the buttons are reversed, causing users to purchase items when pressing the “square button,” rather than preview the items.[14]

Further, FTC alleged that Epic Games intentionally hindered users’ ability to receive a refund or reverse the unauthorized charges. For certain items, Epic Games had a strict “no refunds” policy.[15] For other items, FTC alleged that Epic Games “deliberately requires consumers to find and navigate a difficult and lengthy path to request a refund through the Fortnite app,”[16] which conceals the refund button under the “Settings” tab. When consumers disputed unauthorized credit card charges, Epic Games locked the consumers out of their accounts, restricting access to the consumers’ content that they had already purchased.

The complaints detail years of disregarded parental complaints, overlooked employee warnings, and inadequate half-measures taken toward compliance. For example, both parents and employees had expressed concerns to Epic Games regarding its default chat features, to no avail. One parent allegedly complained to Epic Games that her nine-year-old son had an online communication with another player, where the player threatened to kill himself that night.[17] Additionally, in response to a situation where a younger player was verbally harassed during a publicly-streamed game, an Epic Games employee acknowledged that Epic Games “honestly should have seen this coming or [at least] expected this with an on-by-default voice chat system” and predicted that “[s]ituations like this are bound to happen . . . .”[18] However, Epic Games declined to modify its default voice chat system.[19] The FTC described Epic Games’ subsequent changes to Fortnite as “weak-willed attempts” to provide children and their parents with “some privacy and parental controls” which still failed to cure its COPPA violations.[20]

In regards to Epic Games’ billing and refund practices, Epic Games received over a million complaints and concerns about the inadvertent charges, including some from Epic Games’ own employees.[21] Despite the millions of complaints and concerns, Epic Games continued its unauthorized billing practices for over three years. As of the date of the Complaint, Epic Games was still improperly charging users for certain items, without requiring any additional confirmation beyond the single press of a button.[22]

Epic Games agreed to pay another US$245 million for its dark patterns in the form of a settlement, which the FTC will use to refund consumers who were affected by Epic Games’ purchase and refund practices. Additionally, the proposed order requires Epic Games to overhaul its billing and dispute practices and restricts Epic Games from any further use of the digital dark patterns. The FTC will accept public comments on the proposed settlement for 30 days after publication in the Federal Register.

Lina M. Khan, FTC chair, has warned that “protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission,” and noted that the FTC’s enforcement actions “make clear to businesses that the FTC is cracking down on these unlawful practices.”[23]

KEY TAKEAWAYS

  • Adopt strong, user-appropriate privacy controls and settings when a website, mobile application, or gaming program is directed to or knowingly used by children under 13 years of age;
  • Default Settings should be regulatory reviewed to assess the impact on consumers;
  • Dilatory, “weak-willed”[24] compliance is not enough where incremental, positive changes fall short of full compliance;
  • Do not collect any personal information of children without requiring verifiable parental consent;
  • Be transparent in your billing practices, including how to purchase in-game or on-website items;
  • Ensure that your refunds page is conspicuous and easy for users to locate; and
  • Pay attention to consumer complaints, particularly parental requests, and promptly resolve the issues.

[1] The Consent Agreement is available at https://www.ftc.gov/system/files/ftc_gov/pdf/1923203EpicGamesACCO.pdf.

[2] See Complaint at *1, United States v. Epic Games, Inc. (E.D.N.C. Dec. 19, 2022) (No. 5:22-CV-00518).

[3] See id. at *21. Epic Games introduced parental controls in Fortnite in June 2019, nearly two years after its launch. Id. at *22.

[4] Id. at *22–23.

[5] Id. at *23–24 (noting that in certain situations, Epic Games required parents to provide personal information to verify their parental status, including in some instances “a copy of the parent’s passport, identification card, or recent rent or mortgage statement”).

[6] Id. at *16–17.

[7] See id. at *18.

[8] See id. at *18 (noting that children playing Fortnite “have been bullied, threatened, and harassed, including sexually” and that news stories have documented “reports of predators blackmailing, extorting, or coercing children and teens they met through Fortnite into sharing explicit images or meeting offline for sexual activity”).

[9] See id. at *28–29.

[10] See Epic Games, Inc., FTC Dkt. No. C-192-3203.

[11] Id. at ¶ 17.

[12] See id. at ¶ 9.

[13] See id. at ¶ 28.

[14] See id. at ¶ 32.

[15] See id. at ¶ 37.

[16] See id. at ¶ 43.

[17] See Compl. at *19.

[18] See id. at *17.

[19] Id.

[20] Id. at *20.

[21] See FTC Dkt. No. C-192-3203, at ¶¶ 34, 35.

[22] See id. at ¶ 36.

[23] See Press Release, Fed. Trade Comm’n, Statement from FTC Chair Lina M. Khan on Epic Games Matter (Dec. 19, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.

[24] See Compl. at *20.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.