Why the FTC Fined ‘Fortnite’ Creator Epic Games $520M for Dark Patterns & COPPA Violations
Privacy & Compliance | December 19, 2022
The Federal Trade Commission (FTC) has announced a record-breaking settlement of $520 million with Epic Games, the creator of blockbuster video games such as Fortnite and Fall Guys. The settlement covers penalties from two separate charges: one for violations of the Children’s Online Privacy Protection Act (COPPA) and another for the use of manipulative online practices, known as “dark patterns,” to trick users into making unintended purchases.
COPPA Violations: Epic Games Collected Personal Information from Children without Verifiable Consent
As part of the settlement, Epic Games has agreed to pay $275 million in penalties for violations of the Children’s Online Privacy Protection Act (COPPA).
COPPA is a US federal law designed to protect the personal information of children under the age of 13 online. COPPA requires websites or online services targeted at children to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. The law also requires companies to give parents the ability to review and delete their children’s personal information.
Regulators alleged that Epic Games collected personal information from children under 13 without obtaining verifiable consent from a parent, a clear violation of COPPA rules. The company also enabled voice and text chat by default, which put children and teens at risk of contact with strangers. Epic Games made it difficult for parents to have their children’s data deleted and sometimes failed to honor parents’ requests for deletion. As part of the settlement, the FTC will require Epic Games to adopt high-privacy default settings for children and teens, including turning off settings that enabled live text and voice chats for younger users.
Dark Patterns: Epic Games Tricked Consumers into Making Unintended Purchases
In a separate case, Epic Games was fined $245 million to refund consumers for charges resulting from manipulative practices known as “dark patterns.”
“Dark patterns” are user interface designs that aim to trick users into making certain choices, such as consenting to tracking, or into taking certain actions, such as making purchases, that they may not otherwise have taken. Examples of dark patterns include placing ‘purchase’ buttons too close to other buttons, using countdown timers to pressure users into making purchases, failing to clearly disclose the terms and conditions of promotions, and using certain color schemes to encourage actions.
The FTC alleges that Epic used a range of digital design tricks to charge customers for virtual merchandise without their express informed consent. When customers disputed unauthorized charges with their credit card company, Epic allegedly locked their accounts, depriving them of access to content they had already paid for.
According to the FTC’s complaint, Epic set up its payment system so that it saved by default the credit card associated with the account, allowing kids to easily make in-game purchases with the press of a button, without requiring separate cardholder consent.
FTC complaints also accused the company of designing in-game purchases in a manner that made it easy for users to accidentally make unwanted charges, such as by placing the purchase button too close to other buttons.
The company received millions of customer complaints spanning a period of years before eventually implementing a CVV input at the urging of its Fraud and Risk Consultant, but by then, millions of dollars of false purchases had already been made.
Consent Management is Key to Avoiding Fines
The settlement between the FTC and Epic Games is the largest administrative settlement to date for the agency and highlights the growing importance of implementing robust consent management capabilities and best practices, even in jurisdictions without strong privacy laws. It underscores the importance of complying with COPPA and obtaining verifiable consent from parents before collecting personal information from children. It also highlights the need for businesses to be transparent and upfront about their data collection practices and to avoid using “dark patterns” to trick consumers into making unintended purchases.
Ensuring proper consent management is crucial for companies to avoid fines and ensure compliance with COPPA and other consumer protection laws like the GDPR and CCPA, which place strict requirements on the collection, use, and disclosure of personal information, particularly when it comes to children’s personal information. Failing to obtain proper consent or to manage consent in a compliant manner can result in significant fines and penalties, as well as damage to a company’s reputation.
And the FTC isn’t the only regulator handing out fines. In August 2022, California regulators hit makeup retailer Sephora with a $1.2M fine for poor privacy disclosures, and EU regulators have handed out over $2 billion in GDPR fines to date.