December 20, 2022

Epic Games to pay largest ever penalty for COPPA and FTC Act violations

The Federal Trade Commission (FTC) and US Department of Justice (DOJ) have settled separate complaints against Epic Games, Inc. (Epic), a Maryland corporation headquartered in North Carolina.  Epic is the creator of a popular video game, Fortnite, that has over 400 million users worldwide, many of whom are known by Epic to be children.  In addition to other compliance measures, the FTC consent order and DOJ stipulated order require Epic to pay penalties of $245 million and $275 million, respectively.  Epic entered into these agreements without admitting or denying the alleged facts.

The complaints allege that Epic violated the unfair or deceptive practices provisions of the FTC Act, and failed to comply with the parental notice, consent, review and deletion requirements of the Children’s Online Privacy Protection Act, 15 USC §§ 6501-6505 and the rule promulgated to implement it, 16 CFR Part 312 (COPPA).

FTC Act violations

The FTC complaint alleges a number of unfair and deceptive acts or practices in violation of Section 5(a) of the FTC Act, including the use of illegal “dark patterns” to trick users into making unwanted purchases and charging account holders without authorization. 

The initial download of Fortnite is free, but the premium version of the game, accessories and added features required payment online via stored payment card information.  Per the complaint, Epic did not initially inform users that their payment card information would be stored by the company, and for the first year of distribution, no option was available for consumers to decline storage.  In addition, the in-game purchase flow was designed in such a manner as to allow for inadvertent purchases without a mechanism to confirm the purchase – e.g., users could make purchases without intending to do so, and users accessing Fortnite on a game console could be misled by identically shaped and situated buttons. Epic received over one million complaints about unwanted charges to Fortnite players.

Beginning as early as 2017, Epic employees reportedly raised concerns about unwanted charges and, along with the Epic Community Coordinator and Director of Player Support, recommended measures to address them.  Before further verification measures were put in place in June 2020, Epic had billed account holders more than $4 billion. Furthermore, according to the complaint, Epic does not allow cancellation for most in-game purchases, and, even were cancellation is permitted, Epic uses design tricks (dark patterns) to deter consumers from requesting refunds for unauthorized charges, or it unreasonably complicated the process, including by obscuring the placement of the refund button, limiting to three the number of refunds on any account, and routinely deactivating accounts of members who disputed unauthorized charges (thus depriving users of other purchased items). 

In addition to the $245 million penalty for consumer redress, the consent decree requires Epic to (i) create records of consumer complaints, consumer testing, sales, services and charges for ten years, and to maintain each such record for five years; and (ii) refrain from charging an account holder for any fee or service without the account holder’s express, informed consent for a period of twenty years.

Violation of COPPA
In a separate complaint filed by the DOJ in the US District Court for the Eastern District of North Carolina, the United States alleged that Epic violated COPPA by collecting and using children’s personal information without notifying or obtaining parental consent or providing parents the opportunity to review the data collected, and without promptly deleting the information when requested to do so.  Moreover, the complaint alleged that, from the launch of Fortnite until September 2019, Epic did not require birthdate information for users to set up accounts.  Since then, US account holders have had to provide birthdates, first and last names, and email addresses to register; thereafter, users may exchange information with one another via the Fortnite platform.  Epic collects and tracks information about players, monitoring their progress, purchases, settings, friends lists and other player-specific information.  In addition, Epic pairs children and young teens with strangers in online matches, while broadcasting the young players’ user IDs and voices, which, per the DOJ complaint, causes substantial harm to children (e.g., young players are subject to bullying and harassment, including sexual harassment, by other players) and violates COPPA. 

According to the complaint, Epic did not heed employee recommendations to implement simple measures allowing users to easily opt out of the chat function, and it did not implement parental control options until 2019.  While Epic eventually added some user control settings, neither the toggle to disable the chat function or the parental control restrictions were obvious or accessible. In September 2019, Epic began taking additional compliance measures, implementing age gates for children located in the United States and requesting parental email addresses.  However, the DOJ found that these measures were insufficient and did not bring Epic’s practices into compliance with either COPPA or the FTC Act.

In addition to the civil penalty of $275 million, the stipulated order enjoins Epic from further violations and mandates the deletion of information obtained from children under the age of 13 without verifiable parental consent, a report concerning the information not deleted, and certification that the required deletions have been performed.  The order also requires that Epic (i) implement default settings that prevent children’s personal information from being disclosed to other users, (ii) maintain a comprehensive privacy program to be overseen by a qualified employee, and (iii) engage an independent third party to perform biennial assessments of the privacy program, whether it is effective, and whether it complies with the terms of the order, to commence 180 days after the establishment of the program and to continue for twenty years. 

FTC press release |Consent  order (FTC) |Stipulated order (DOJ)