Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges

Authored by ftc.gov and submitted by YouAreNotMeLiar

The Federal Trade Commission has secured agreements requiring Epic Games, Inc., creator of the popular video game Fortnite, to pay a total of $520 million in relief over allegations the company violated the Children’s Online Privacy Protection Act (COPPA) and deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases.

The FTC’s action against Epic involves two separate record-breaking settlements. As part of a proposed federal court order filed by the Department of Justice on behalf of the FTC, Epic will pay a $275 million monetary penalty for violating the COPPA Rule—the largest penalty ever obtained for violating an FTC rule. Additionally, in a first-of-its-kind provision, Epic will be required to adopt strong privacy default settings for children and teens, ensuring that voice and text communications are turned off by default. Under a separate proposed administrative order, Epic will pay $245 million to refund consumers for its dark patterns and billing practices, which is the FTC’s largest refund amount in a gaming case, and its largest administrative order in history.

"As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children," said FTC Chair Lina M. Khan. "Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”

“The Justice Department takes very seriously its mission to protect consumers’ data privacy rights,” said Associate Attorney General Vanita Gupta. “This proposed order sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.”

Epic’s video game Fortnite is generally free to download and play but charges users for in-game items such as costumes and dance moves. The game has more than 400 million users worldwide. The FTC alleged in two separate complaints that North Carolina-based Epic engaged in several unlawful practices.

“Epic put children and teens at risk through its lax privacy practices, and cost consumers millions in illegal charges through its use of dark patterns,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Under the proposed orders announced today, the company will be required to change its default settings, return millions to consumers, and pay a record-breaking penalty for its privacy abuses.”

In a complaint filed in federal court, the FTC alleged that Epic violated the COPPA Rule by collecting personal information from children under 13 who played Fortnite, a child-directed online service, without notifying their parents or obtaining their parents’ verifiable consent. Epic also violated the FTC Act’s prohibition against unfair practices by enabling real-time voice and text chat communications for children and teens by default. Specifically, the FTC alleged that Epic:

Violated COPPA by Failing to Notify Parents, Obtain Consent: The FTC alleged that Epic was aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licensing and marketing of Fortnite toys and merchandise, player support and other company communications—and collected personal data from children without first obtaining parents’ verifiable consent. The company also required parents who requested that their children’s personal information be deleted to jump through unreasonable hoops, and sometimes failed to honor such requests.

The FTC alleged that Epic was aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licensing and marketing of Fortnite toys and merchandise, player support and other company communications—and collected personal data from children without first obtaining parents’ verifiable consent. The company also required parents who requested that their children’s personal information be deleted to jump through unreasonable hoops, and sometimes failed to honor such requests. Default settings harm children and teens: Epic’s settings enable live on-by-default text and voice communications for users. The FTC alleges that these default settings, along with Epic’s role in matching children and teens with strangers to play Fortnite together, harmed children and teens. Children and teens have been bullied, threatened, harassed, and exposed to dangerous and psychologically traumatizing issues such as suicide while on Fortnite.

Epic employees expressed concern about its default settings. As early as 2017, Epic employees urged the company to change the default settings to require users to opt in for voice chat, citing concern about the impact on children in particular. Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings. And while it eventually added a button allowing users to turn voice chat off, Epic made it difficult for users to find, according to the complaint.

In addition to paying the record civil penalty, which goes to the U.S. Treasury, for violating the COPPA Rule, the proposed federal court order will prohibit Epic from enabling voice and text communications for children and teens unless parents (of users under 13) or teenage users (or their parents) provide their affirmative consent through a privacy setting. Epic must delete personal information previously collected from Fortnite users in violation of the COPPA Rule’s parental notice and consent requirements unless the company obtains parental consent to retain such data or the user identifies as 13 or older through a neutral age gate. In addition, Epic must establish a comprehensive privacy program that addresses the problems identified in the FTC’s complaint, and obtain regular, independent audits.

The Commission voted 4-0 to refer the civil penalty complaint and proposed federal order to the Department of Justice. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Eastern District of North Carolina. Commissioner Christine S. Wilson issued a separate statement.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

In a separate administrative complaint, the FTC alleged that Epic used dark patterns to trick players into making unwanted purchases and let children rack up unauthorized charges without any parental involvement. The complaint alleged that Epic:

Used dark patterns to trick users into making purchases: The company has deployed a variety of dark patterns aimed at getting consumers of all ages to make unintended in-game purchases. Fortnite’s counterintuitive, inconsistent, and confusing button configuration led players to incur unwanted charges based on the press of a single button. For example, players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen, or by pressing an adjacent button while attempting simply to preview an item. These tactics led to hundreds of millions of dollars in unauthorized charges for consumers.

The company has deployed a variety of dark patterns aimed at getting consumers of all ages to make unintended in-game purchases. Fortnite’s counterintuitive, inconsistent, and confusing button configuration led players to incur unwanted charges based on the press of a single button. For example, players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen, or by pressing an adjacent button while attempting simply to preview an item. These tactics led to hundreds of millions of dollars in unauthorized charges for consumers. Charged account holders without authorization: Children and other users who play Fortnite can purchase in-game content such as cosmetics and battle passes using Fortnite’s V-Bucks. Up until 2018, Epic allowed children to purchase V-Bucks by simply pressing buttons without requiring any parental or card holder action or consent. Some parents complained that their children had racked up hundreds of dollars in charges before they realized Epic had charged their credit card without their consent. The FTC has brought similar claims against companies such as Amazon, Apple, and Google for billing consumers millions of dollars for in-app purchases made by children while playing mobile app games without obtaining their parents’ consent.

Children and other users who play Fortnite can purchase in-game content such as cosmetics and battle passes using Fortnite’s V-Bucks. Up until 2018, Epic allowed children to purchase V-Bucks by simply pressing buttons without requiring any parental or card holder action or consent. Some parents complained that their children had racked up hundreds of dollars in charges before they realized Epic had charged their credit card without their consent. The FTC has brought similar claims against companies such as Amazon, Apple, and Google for billing consumers millions of dollars for in-app purchases made by children while playing mobile app games without obtaining their parents’ consent. Blocked access to purchased content: The FTC alleged that Epic locked the accounts of customers who disputed unauthorized charges with their credit card companies. Consumers whose accounts have been locked lose access to all the content they have purchased, which can total thousands of dollars. Even when Epic agreed to unlock an account, consumers were warned that they could be banned for life if they disputed any future charges.

Epic ignored more than one million user complaints and repeated employee concerns that “huge” numbers of users were being wrongfully charged. In fact, Epic’s changes only made the problem worse, the FTC alleged. Using internal testing, Epic purposefully obscured cancel and refund features to make them more difficult to find.

As part of the proposed administrative order with the FTC over the company’s unlawful billing practices, Epic must pay $245 million, which will be used to provide refunds to consumers. In addition, the order prohibits Epic from charging consumers through the use of dark patterns or from otherwise charging consumers without obtaining their affirmative consent. The order also bars Epic from blocking consumers from accessing their accounts for disputing unauthorized charges.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Epic related to its deceptive billing practices.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

Saeryf on December 19th, 2022 at 16:42 UTC »

Fuck any company with zero "confirmation of destructive action" before purchases and such. Same with deleting content in a game, and no "buy-back" at vendors...

This is a slap on the wrist for them, but it's something I guess.

BeerGogglesFTW on December 19th, 2022 at 14:49 UTC »

Blocked access to purchased content: The FTC alleged that Epic locked the accounts of customers who disputed unauthorized charges with their credit card companies. Consumers whose accounts have been locked lose access to all the content they have purchased, which can total thousands of dollars. Even when Epic agreed to unlock an account, consumers were warned that they could be banned for life if they disputed any future charges.

Doesn't every company do this? Especially those with a digital library? e.g. Steam

I feel like I've heard stories of people losing their massive steam libraries because of a charge back. Even if its unintentionally done through PayPal.

Not sure about followup details on getting their accounts back.

Seigmoraig on December 19th, 2022 at 14:41 UTC »

Well they had to recoup all the money they spent on EGS exclusives somehow