The company behind the popular video game Fortnite will pay a “record-breaking” settlement over Federal Trade Commission allegations that it violated child privacy laws and tricked players into making purchases.
Epic Games was fined a total of $520 million, including a $275 million penalty for violating the Children’s Online Privacy Protection Act, the FTC announced.
That’s the largest penalty ever obtained for violating an FTC rule, the commission said. And the consumer protection agency said its action carries a message to all companies that create products used by children that collecting their personal information without parental consent “will not be tolerated.”
Over the past year, under the direction of its chair, Lina Khan, the FTC has vowed to take a more aggressive stance in policing the data privacy and marketing practices of ed-tech companies.
“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission,” Khan said in a statement about the Fortnite settlement. “And these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”
In addition to collecting the personal data of children under the age of 13 without parental consent, the FTC complaint filed in federal court alleges Epic also violated the rules by having its default settings allow real-time voice and text chat communications between children and teens — opening the door for bullying and harassment.
The company also used “dark patterns” to trick players, including children, into making unwanted purchases and allowed children to rack up unauthorized charges without parental involvement, according to the FTC.
“No developer creates a game with the intention of ending up here,” Epic Games said in a statement responding to the settlement. “We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”
Statutes that were written decades ago don’t specify how gaming ecosystems should operate, the company pointed out.
“The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough,” said Epic’s statement.
Among the changes the company has made, Epic has added a “refund token” system to Fortnite along with a mechanic in its payment flow that re-confirms a player’s intent to buy, instant purchase cancellations, and self-service refunds.
Epic said it has also rolled out in-game parental controls and “cabined accounts,” which allow children under 13 — or under their country’s age of digital consent — to play a limited version of the game in which chat and purchasing is disabled while they wait for parental consent.
And as of September, Epic said the video game’s default settings for players under 18 hides their profile information and show them as “invite only.”
Players under 16 also have a mature language feature on by default.
“Over the past few years, we’ve been making changes to ensure our ecosystem meets the expectations of our players and regulators, which we hope will be a helpful guide for others in our industry,” Epic said.
A proposed federal court order would prohibit the company from enabling voice and text options for children and teens unless parents provide their consent through a privacy setting. It would also require Epic to delete personal information previously collected from Fortnite users in violation of privacy laws.
The company would additionally be ordered to establish a “comprehensive privacy program” to address the FTC’s complaints.
Warning for Industry
This settlement comes weeks after the FTC filed a complaint against the ed-tech textbook rental and homework help provider Chegg over its data security efforts.
The commission said Chegg “took shortcuts” with students’ information and needs to strengthen its safeguards after it allegedly exposed sensitive information about millions of users.
The FTC has made it clear in recent months that protecting children is a priority. In September, the commission announced that it will turn its focus, to and gather public comment on, marketing and advertising disguised as online games and entertainment.
And in May, the FTC issued a policy statement reminding ed-tech companies of their responsibility on data privacy, and that students’ rights cannot be compromised when they access online tools.
“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in a May statement.
“Parents should not have to choose between their children’s privacy and their participation in the digital classroom.”
Image Collage: Liz Yap/EducationWeek (Getty & stock.adobe.com)