6 Top Takeaways from the FTC’s $520 Million Landmark Epic Games Settlements

On December 19, 2022, the FTC announced two record-breaking settlements with Epic Games, Inc.—a video game developer, best known for the game Fortnite—for a combined total of $520 million:

• Violation of Children’s Online Privacy Protection Act Rule (“COPPA”): In a federal court action and settlement, the FTC alleged that Epic violated COPPA by failing to provide required parental notice or failing to obtain parental consent and violated Section 5 of the FTC Act (“Section 5”) by enabling live on-by-default text and voice communications for children and teens.
• Deceptively Utilizing “Dark Patterns”: In a separate administrative action and settlement, the FTC alleged Epic Games violated Section 5 by tricking players into making unwanted purchases, charging user accounts without authorization, and blocking access to purchased consent for users who disputed the unauthorized purchases.

The key takeaways from these extraordinary settlements are as follows:

1. Epic Games’ civil monetary penalty of $275 million for violating COPPA is the largest penalty to date for violating an FTC Rule.

Epic’s record-setting $275 million COPPA settlement shatters the previous record, which was a $170 million COPPA settlement in 2019 against Google LLC and its subsidiary YouTube, LLC. The settlement sends a clear message to companies operating online sites and services that the FTC plans to take an aggressive and expansive view of the types of sites and services that are subject to COPPA’s requirements and will seek substantial penalties for those that fail to comply with COPPA’s requirements.

2. Gaming and other online services cannot avoid COPPA compliance by simply claiming they are not “directed to” children.

According to the FTC’s Complaint, for the first two years of operation the Fortnite privacy policy “disavowed” that it directed its services to children, with Epic Games taking steps to avoid learning the actual age of its users.  FTC noted these steps were not sufficient to shield the company from COPPA liability.

COPPA applies to operators of online websites or services that are “directed to” children or who have “actual knowledge” that they collect personal information from children. The COPPA Rule contains a non-exhaustive list of factors to consider whether an online service is directed to children. In the Complaint, the FTC meticulously analyzed each factor to reach the determination that Fortnite is “directed to” children and thus subject to COPPA. Among other factors, the FTC found that Fortnite was directed to children because the shooter-survival style of gameplay and build-and-create mechanics are popular with children; the cartoony graphics and colorful animation is appealing to children; and the game features music and celebrities popular with children. Further, Epic Games entered lucrative licensing deals to sell Fortnite-branded merchandise for children, such as Halloween costumes, toys, books, child-sized apparel and back-to-school merchandise, as well as co-branded products popular with kids like Hasbro’s Super Soaker water guns. Many of these products were marketed directly to young kids. The Complaint also highlighted empirical evidence that children comprised a significant portion of the Fortnite audience, including publicly available research (which Epic Games was aware of) showing 53% of children aged 10–12 played Fortnite weekly. Epic Games has similar results from the company’s internal surveys. Most telling, the Complaint laid out scores of examples from internal company documents demonstrating employees’ actual knowledge that a significant portion of the game’s audience was children under 13 and the company’s intent to specifically target that audience.

To be sure, the Complaint also identified instances where Epic Games had actual knowledge it collected personal information from a child and failed to comply with COPPA. But the focus on the child-directed nature of Fortnite is indicative of a larger trend showing the FTC’s willingness to aggressively pursue COPPA enforcement against services that appeal to, and are used by, children.

3. Partial compliance with COPPA is not sufficient.

For more than two years, the FTC alleged that Epic Games failed to take any steps to comply with COPPA’s requirements for child-directed sites and online services, which include (i) providing required notice to parents or in its privacy policy, (ii) obtaining verifiable parental consent, and (iii) providing the means for parents to review and request deletion of their children’s personal information.

According to the Complaint, even when Epic Games obtained actual knowledge that a player was under 13, not only did they not take any additional steps to comply with COPPA, they actually went to great lengths to pretend they never actually obtained that knowledge. For instance, when a third party informed Epic Games that a user playing Fortnite through the third-party’s console platform or system was under the age of 13, Epic did not take any steps to comply with COPPA with respect to that player. Further, when a parent contacted Epic to request to review or delete information Epic Games collected from their children, Epic Games made parents jump through extraordinary hoops to “verify” their parental status by providing tedious information, such as all of the IP addresses their child used to play Fortnite, the date their child’s Epic Games account was created, invoice IDs, locations where purchases were made, the last 4 digits of the payment card on the child’s Epic Games account, the name of an item their child purchased and a copy of the parent’s passport, identification card, or recent rent or mortgage statement.

In June 2019, over two years after Fortnite’s launch, Epic Games introduced parental controls. Months later, in September 2019, Epic Games introduced an age gate to the account creation process and sought verifiable parental consent (VPC) for users under 13 in the United States.

The Complaint described these compliance efforts as “dilatory” and noncompliant, identifying the following shortcomings with Epic Games’ compliance approach:

• Introducing the age gate and parental consent only for new users who created accounts after that date but failing to ask the age of hundreds of millions of existing users.
• Failing to determine age and seek VPC for players and accounts who accessed Fortnite through third-party systems such as game consoles.
• Failing to apply COPPA protections to non-U.S. users (based on IP address).
• Failing to alter Fortnite’s default privacy controls, which continued to broadcast the player’s display name and enabled direct communication between players.

Noting that “Epic has consistently resisted, deprioritized, and delayed privacy and parental controls,” the FTC did not appear to award bonus points for “dilatory” efforts to comply with COPPA.

4. Enabling on-by-default live voice and text chat features for children and teens was an “unfair practice” in violation of Section 5 of the FTC Act.

As described in the Complaint, Fortnite featured on-by-default voice and text communications that matched children and teens with strangers during gameplay. Perhaps unsurprisingly, the FTC alleged that children and teens were bullied, threatened, harassed, and exposed to dangerous and traumatizing interactions through the game chat features. Despite warnings from inside the company and repeated complaints from distressed parents and users about the dangers to children and teens inherent in the voice and text chat functions, Epic Games declined to modify the on-by-default setting. When Epic Games did finally introduce an opt-out toggle switch to turn off the voice to chat feature, it was difficult to find and buried deep within the settings page.

As part of the settlement, the FTC imposed an “opt-in” requirement for Epic Games to enable voice and text communications for children under 13 as well as teens age 13–17. Among other things, for all services that permit users to disclose personal information or be a party to conversations, Epic Games is required to provide clear and conspicuous disclosures and seek affirmative express consent from the parent (for children under 13) or from the teen before permitting such communications. Epic Games also must make certain assumptions as to whether a user is a child or teen based on whether the covered website or service is directed to children and if it makes children its primary audience.

By expanding the remedy to cover teens who would otherwise not be subject to COPPA protections, the Order indicates the FTC’s broader interest in improving online safety and protecting minors from harm.

5. The $245 million administrative order is the FTC’s largest refund amount in a gaming case and largest administrative order in history.

In the administrative action, the FTC ordered Epic Games to pay $245 million in consumer redress for unfair billing and unfair denial of account access. As a part of the settlement, Epic Games was enjoined from billing users for charges without having obtained express informed consent and from denying users access to their accounts, including any paid-for goods and services, as well as customer-disputed charges. This settlement represents the FTC following through on its enforcement priorities in response to companies deploying so-called “dark patterns.”

6. Dark Patterns were not explicitly defined in the settlement but are described as design tricks obscuring the ability to cancel a purchase or seek a refund.

While the FTC continues to use the undefined term “dark patterns” as a catchall term to refer to a variety of user interface designs and marketing strategies, in the Epic Games Complaint, the FTC highlighted the “myriad design tricks” which allegedly allowed the company to deter consumers from cancelling or requesting refunds for unauthorized in-game purchases. In Epic Games’ case, Fortnite users were unable to cancel or reverse charges until 2019. Even after the implementation of a refund mechanism, users were deterred from cancelling or requesting refunds for their unauthorized charges. The FTC alleged that Epic Games did this by reducing the prominence of an “undo” button and changing the button name to “cancel purchase.” After making these design changes, Epic Games saw a marked decline in the rate of purchase cancellations.

According to the FTC, Epic Games also hid the link for refund requests. In addition to a strict limitation on refunds policy, Epic Games hid the refund request button under the settings tab and would require users to answer a series of questions and steps before even being able to submit a refund request. These additional steps were not part of an initial purchase. To support the FTC’s allegations of dark patterns, the FTC used evidence of customer surveys and statements made by user experience designers showing that Epic Games intentionally made design changes to make it more difficult for users to receive refunds.

Finally, when a user would dispute Epic Games’ unauthorized charges with their credit card company, Epic Games deactivated and locked their Fortnite accounts. Locked accounts lost access to all the content they had purchased, and when Epic Games agreed to unlock the accounts, customers were warned they could be banned for life if they disputed any future charges.

In response to this settlement, companies should carefully consider any user interface design changes that make it more difficult for consumers to authorize charges or cancel ongoing services. To prevent risk, companies should also consider educating product design, user experience designers, and marketing teams about the dangers of using design choices that could be termed “dark patterns” by either making it too easy for consumers to make unwanted purchases or being unable to cancel services.