Fortnite developer Epic Games must pay a net $520 million penalty following two complaints from the US Federal Trade Commission alleging children's privacy law violations and widespread "dark patterns" that have purportedly tricked "millions of players into making unintentional purchases."
The FTC announced (opens in new tab) the record-setting agreements today. The bigger, $275 million penalty is a result of Epic breaking the Children's Online Privacy Protection Act (COPPA), the FTC says, and represents "the largest penalty ever obtained for violating an FTC rule."
The attached complaint (opens in new tab) clarifies that Epic knowingly "collected personal data from children without first obtaining parents' verifiable consent." The FTC also zeroes in on the fact that Fortnite enables text and voice chat by default, which it alleges "harmed children and teens."
"Children and teens have been bullied, threatened, and harassed within Fortnite, including sexually," the FTC writes. "Children and teens have also been exposed to dangerous and psychologically traumatizing issues, such as suicide and self-harm, through Fortnite."
Additionally, "in a first-of-its-kind provision," Epic will "adopt strong privacy default settings for children and teens, ensuring that voice and text communications are turned off by default." Epic will subsequently be forced to delete any data collected in violation of COPPA unless users specifically allow the company to keep it, either through parental consent for underage users or affirmative consent for users who identify as being 13 or older "through a neutral age gate."
Just as importantly, Epic will have to launch "a comprehensive privacy program that addresses the problems identified in the FTC's complaint and obtain regular, independent audits," seemingly to ensure that the changes prompted by these complaints don't fall off.
Epic will also pay $245 million in direct refunds – likewise, "the FTC's largest refund amount in a gaming case, and its largest administrative order in history."
"Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children," FTC Chair Lina M. Khan says. The FTC alleges that "Epic has persisted in its unlawful conduct" despite complaints from "millions" of individual consumers as well as feedback from its own employees.
The FTC's other complaint (opens in new tab) expands on the allegations of deception, calling out Fortnite's "counterintuitive, inconsistent, and confusing" interface and its ability to "incur unwanted charges based on the press of a single button."
"Players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen, or by pressing an adjacent button while attempting simply to preview an item," the FTC says. "These tactics led to hundreds of millions of dollars in unauthorized charges for consumers."
If anything, Epic's previous response to these issues "only made the problem worse," the FTC says, because it "purposefully obscured cancel and refund features to make them more difficult to find."
Epic's practice of blocking users from accessing accounts caught up in charge disputes – in some cases accompanied by warnings that they could be banned for disputing future charges, as the FTC puts it – will also end with these penalties. Naturally, the FTC will also prohibit Epic from "charging consumers without obtaining their affirmative consent."
The FTC has gone after many companies for deceptive practices in the past, particularly in the mobile space – Amazon (opens in new tab) and Apple (opens in new tab) faced similar charges in 2014 alone, for example – but these penalties are especially significant not just for squeezing Epic for half a billion, but for setting a modern precedent for privacy settings and the digital protections of children and teens. If the makers of Fortnite can be put through the wringer and forced to change how they operate, it goes without saying that so can other game and app companies.
Indeed, as associate attorney general Vanita Gupta says, "This proposed order sends a message to all online providers that collecting children's personal information without parental consent will not be tolerated."
"Developers should dig into the topic, as this settlement reflects state of the art American regulatory practice, for example now applying principles similar to the UK Age-Appropriate Design Code to voice chat defaults," Sweeney advises. "In-app purchasing is also a hot topic, with rigorous expectations of 'Affirmative Express Consent' for purchases made both in real money and paid virtual currency."
"The old status quo for in-game commerce and privacy has changed, and many developer practices should be reconsidered," Epic writes, apparently feeling quite introspective all of a sudden.
Epic's statement also details the changes it's now made to Fortnite's policies and UI, namely a "hold-to-purchase" mechanic in place of one-button purchases, an "explicit yes or no choice" for saving payment information, the restoration of "thousands" of accounts banned for chargebacks, and parental controls for chat filters like "everybody" or "friends only" (voice and text will still default to "nobody" for anyone under 18).
The FTC is in a litigious mood, having just sued Microsoft to block its acquisition of Activision.