Epic slammed with half-a-billion dollar FTC fine in landmark ruling over Fortnite's failure to protect childrens' privacy

sign of a person dancing with a big "do not do this" slash over it
(Image credit: Epic Games)

The US Federal Trade Commission has reached agreements with Epic Games that will see the videogame giant pay a total of $520 million in penalties and refunds, following allegations that the company violated the Children’s Online Privacy Protection Act (COPPA) and used dark patterns (UI design tricks meant to fool users) to dupe players into purchases.

There are two settlements. Epic will pay a $275 million penalty for violating the COPPA rule— the largest penalty ever levied for violating an FTC rule. As part of this agreement Epic will also adopt "strong privacy default settings for children and teens," meaning communications via voice and text will be turned off by default.

The second part of it is Epic paying $245 million to refund consumers affected by Fortnite's "dark patterns and billing practices", which is the largest refund amount the FTC has ever obtained in a videogame matter.

"As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children," said FTC chair Lina M. Khan. "Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices."

The FTC had filed two separate complaints against Epic in federal court, first alleging that Epic through Fortnite had violated the COPPA rule "by collecting personal information from children under 13 who played Fortnite, a child-directed online service, without notifying their parents or obtaining their parents’ verifiable consent". It further alleged a violation against the FTC Act's prohibition against unfair practices "by enabling real-time voice and text chat communications for children and teens by default".

The failure to notify parents and obtain consent seems to be the real biggie here, with the FTC saying Epic knew a huge part of Fortnite's audience was children and didn't take this seriously enough (I am obviously paraphrasing). It also says that Epic "required parents who requested that their children’s personal information be deleted jump through unreasonable hoops, and sometimes failed to honor such requests".

Which is exactly the kind of thing that really sets off a regulator's alarm bells. The FTC also says the default settings, alongside the game's nature of matching players with strangers, led to children and teens being "bullied, threatened, harassed, and exposed to dangerous and psychologically traumatizing issues such as suicide while on Fortnite".

Interestingly enough one of the key pieces of evidence for this was Epic's own concerns. As early as 2017 Epic employees were expressing concern internally about the makeup of the audience and default settings, per the FTC filing: "The company resisted turning off the default settings. And while it eventually added a button allowing users to turn voice chat off, Epic made it difficult for users to find".

Gimme dat cheddar.

(Image credit: Epic Games)

The dark patterns side is all about whether Fortnite tricked players into making purchases. The FTC says it did thanks to a "counterintuitive, inconsistent, and confusing button configuration" whereby players could incur charges through the press of a single button, for example, to wake the game from sleep mode, or within a loading screen, or when trying to preview an item.

Part of this is also that until 2018 buying V-Bucks, Fortnite's in-game currency, had fewer checks on it, so once an account was linked up to a payment method kids could buy V-Bucks without their parents realising. Similar claims have been brought against other big tech companies in different contexts, most notably Apple and the App Store.

Wait, there's more. The FTC alleged Epic locked the accounts of customers who disputed such charges directly through their credit card companies, in turn locking them out of previously purchased content. Even when Epic agreed to unlock an account, apparently, users would be warned that they risked a permanent ban on the account if they disputed future charges. The company "ignored" over a million user complaints and internal warnings and, says the FTC, went on to "purposefully obscure cancel and refund features to make them more difficult to find."

The settlement accepted by the FTC will see Epic barred from blocking customers who dispute unauthorised charges, and prohibited from using dark patterns. Epic will also have to seek affirmative consent before charging users. The proposed agreement will be published in the Federal Register soon, open for public comment for 30 days, after which the commission will decide whether to make the order final.

That was a lot of information, and there's a fair amount of context that needs to go around it before we get to Epic's response. The first is that this is mostly historical behaviour. Epic has clearly cleaned up its act in some regard and also, it must be said, was dealing with a success it hadn't predicted or prepared for. This is not to excuse the areas where we're crossing into unethical activity like dark patterns but, when the FTC and Epic are reaching agreement rather than going down the adversarial route, it suggests the publisher belatedly realised it made mistakes.

Epic's response comes in a statement that announces the settlement, before making the case for how and why this happened and what it's going to be doing in the future.

"No developer creates a game with the intention of ending up here," Epic's statement reads, before going on to describe the games industry as a fast-moving and innovative space that has simply got ahead of statutes "written decades ago [that] don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough".

Epic goes on to outline some of the ways it has changed its payment and refund systems, with some changes occurring many years ago and others more recent, and all of which are now within the parameters of what the FTC says are acceptable. This includes a "hold to buy" system to ensure users don't accidentally buy something with one click. As for barring accounts that dispute charges through their bank, Epic said it has changed its chargeback policy "to account for non-fraud related scenarios and will only disable accounts when fraud indicators are present". It says it has restored "thousands" of accounts previously banned under this policy.

As for the children's privacy aspects, Epic notes that "developers who create a teen-rated or mature-rated game can no longer assume that it won't be deemed to be directed to children, according to the United States’ Children’s Online Privacy Protection Act (COPPA)". That is, Fortnite is rated Teen and was aimed at an older audience, but the one it found was younger than expected.

It goes on to list newer measures such as "Cabined" accounts, which are for users under 13, and new default communications settings. Epic's list of features for younger players in Fortnite now includes:

  • Parental Controls that are easily accessible in the main Fortnite Lobby menu and the Epic Account portal. 
  • Parental Controls that include the option to require a PIN to send and accept friend requests and enable parents to authorize purchases before they are made. 
  • A daily spending limit for players under the age of 13.
  • Granular privacy options for chat, which include "Everybody," "Friends and Teammates," "Friends Only," or "Nobody."
  • Cabined Accounts that provide a tailored experience that is safe and inclusive for younger players while they wait for parental consent.
  • Settings that default to the highest privacy option for players under the age of 18, including voice and text chat defaulting to "Nobody."

The publisher notes that "the old status quo for in-game commerce and privacy has changed, and many developer practices should be reconsidered". It's certainly been an expensive lesson for the gaming giant, though there is also a slight sense here that it is being held responsible for the wider industry as well as its own game. Fortnite is far from the only title that attracts younger players and often children, but it is the emblematic example of the moment, and Epic's statement makes clear that other developers should be looking at this example with extreme caution.

Epic CEO Tim Sweeney took to social media to share some thoughts, and it may be possible to detect a vague hint of resentment here that Epic has been left carrying the can.

"Developers should dig into the topic, as this settlement reflects state of the art American regulatory practice, for example now applying principles similar to the UK Age-Appropriate Design Code to voice chat defaults," writes Sweeney. "In-app purchasing is also a hot topic, with rigorous expectations of 'Affirmative Express Consent' for purchases made both in real money and paid virtual currency."

The tiniest violin in the world is playing for Epic right now. The publisher may be bang-to-rights on elements of the FTC charge, but it's also being used as an example to push wider industry change that the regulator wants to see. Other companies will be looking at the size of this settlement, and tomorrow morning a lot of development studios are going to be holding meetings about their default account settings and microtransaction pathways.

Ultimately it may hurt the bottom line but Epic has the money, and no FTC ruling is going to make a dent in Fortnite's popularity. The publisher is right that the games industry has, through no fault of its own, outpaced regulators, and has to deal with decade-old statutes that never imagined entertainment products like Fortnite. As this shows, however, just because you're out in front for a time doesn't mean the man won't eventually catch up.

Rich Stanton

Rich is a games journalist with 15 years' experience, beginning his career on Edge magazine before working for a wide range of outlets, including Ars Technica, Eurogamer, GamesRadar+, Gamespot, the Guardian, IGN, the New Statesman, Polygon, and Vice. He was the editor of Kotaku UK, the UK arm of Kotaku, for three years before joining PC Gamer. He is the author of a Brief History of Video Games, a full history of the medium, which the Midwest Book Review described as "[a] must-read for serious minded game historians and curious video game connoisseurs alike."