Settlement with Epic Games Highlights Continued Focus by Regulators on Unfair Privacy Practices, Teens, and User Interface Design

Settlement with Epic Games Highlights Continued Focus by Regulators on Unfair Privacy Practices, Teens, and User Interface Design

Blog WilmerHale Privacy and Cybersecurity Law

On December 19, the Federal Trade Commission (FTC) reached two separate record-breaking settlements with Epic Games, Inc. (“Epic”) over allegations, among others, that the Fortnite video game maker knowingly violated the Children’s Online Privacy Protection Act (COPPA), engaged in unfair practices by publicly broadcasting players names and connecting players in real-time through on-by-default settings, and purposefully maintained dark patterns resulting in unfair billing practices under Section 5 of the FTC Act.

The agreements require Epic to pay a combined $520 million in civil penalties and consumer refunds, as well as establish a comprehensive privacy program that addresses the allegations in the FTC complaints. Each settlement amount, the $275 million in civil penalties and $245 million consumer refund, are the largest amounts obtained in each respective type of settlement by the FTC. These large amounts demonstrate the FTC’s commitment to enforcing its rules, including the FTC’s COPPA rule, and Section 5 of the FTC Act with respect to children and teens and dark patterns. 

Following are key takeaways from the settlements: 

  • The FTC is continuing to test out its unfairness authority over alleged privacy violations. Here the FTC alleged that broadcasting players’ display names while putting children and teens in direct, real-time contact with others through on-by-default lines of voice and text communication during gameplay was unfair under Section 5. Commissioner Christine S. Wilson, the sole Republican commissioner, released a separate statement in support of the FTC’s unfairness allegations pointing to Epic’s knowledge of its users’ young ages and actual harms caused by Fortnite’s voice and live text features. This decision comes in the wake of other FTC claims that highlight how companies’ data practices can allegedly be unfair to consumers. For example, the FTC is also litigating an unfairness claim with Kochava, a data broker that, according to the FTC’s complaint, sold the precise location data of individuals from which intimate details about their lives could be discerned. The Epic settlement gives the FTC precedent it can point to when it pursues unfairness claims against other companies, even in other contexts.  
  • The FTC and other regulators are increasingly focusing on consumer protection issues related to teens. COPPA regulates how personal information can be collected by online services from users under 13, but there is increased recognition that teens are a special category of individuals who should receive heightened protections. Congress and state legislatures are addressing this issue. For example, California’s Age Appropriate Design Code provides protections to people under age 18, and the recent federal proposal the Kids Online Safety Act would extend protections to people age 16 or younger. To the extent you collect personal data from teenagers, or target your services/products to that demographic, we encourage you to start thinking about heighted protections for them to meet regulatory expectations and reduce reputational risk.
  • The FTC will continue to focus on dark patterns and user interfaces that it alleges constitute an unfair practice under Section 5 of the FTC Act. Companies should be thinking about dark patterns when designing their user interfaces and should continue to monitor their user interfaces for evidence of dark patterns. For example, companies that allow for online or in-app purchases should ensure that their user interface design is transparent around how purchases are made. Companies should take particular care where people under 18 are known users and recognize that people under 18 may not have the same ability as adults to make payment decisions. Businesses should also note that dark patterns are also a point of emphasis for the new state privacy laws going into effect next year in California, Colorado, and Connecticut. 
  • These settlements highlight the FTC’s continued focus on obtaining monetary relief post AMG Capital Management, and signal that the FTC will continue to leverage enforcement of its rules so that it can obtain penalties for first time violations, as well as obtain monetary relief for consumers who have been harmed by allegedly unfair or deceptive business practices.
  • Finally, companies should pay close attention to employee recommendations and concerns as well as consumer complaints. Epic’s own employees repeatedly voiced concerns about the company’s approach to COPPA compliance, decision to opt-in teens and children to voice and text chat, and its use of dark patterns. These internal communications were damning for Epic’s defense, and certainly served to increase the penalty amount sought by the FTC as they arguably put the company on notice of a potential regulatory violation. In addition, Epic had a large number of consumer complaints that would have made clear there were issues relating to in-app purchases and refunds, among other things.

Background

Epic is the developer of Fortnite, an online multiplayer video game where individual players or teams fight to be the last player or team standing. The game has various social features which allow players to friend each other, play matches together, exchange personal information, and speak with each other in real time by voice and text. According to the complaint referred to the Department of Justice by the FTC, as early as 2017, Epic was aware that the primary users of the game were children. The complaint also alleged that, as early as 2017, employees warned Epic that the game was in violation of COPPA. Despite this knowledge, the complaint alleged that Epic did not make efforts to comply with COPPA until 2019. According to the complaint the measures taken at that time, such as parental controls and changes to their global privacy policy, were insufficient. Specifically, the complaint highlights that Epic attempted to disclaim its obligations under COPPA through its global privacy policy, which is not sufficient to comply with COPPA obligations. 

Within the Epic game Fortnite, users can make in-game purchases using “V-bucks.” A separate complaint referred to the DOJ by the FTC, alleged that for more than a year after Epic began offering in-app purchases, children were able to purchase V-bucks without parental consent. Additionally, the complaint alleged that Epic purposefully deployed dark patterns, such as automatically saving consumer payment information and obscuring the opt-out check box, which also led to unauthorized purchases. Further, FTC findings indicate that Epic took steps to limit and obscure consumers’ refund options once unauthorized purchases were discovered. According to the complaint, employees highlighted these dark patterns in the user interface and recommended adding a confirm purchase feature, as early as 2018. Despite employee and consumer complaints, Epic made no changes to its user interface design.

Allegations

Across the two complaints, the FTC alleged that Epic violated COPPA and the unfairness prong of the FTC Act.

  • COPPA violations: The complaint alleged that Epic was aware that children were playing Fortnite through various sources. For example, the complaint cited that Epic received copies of public surveys of Fortnite users which indicated that 53% of U.S. children aged 10-12 were playing Fortnite weekly. Despite this knowledge, the complaint alleged that Epic did not make attempts to obtain parental consent for users under the age of 13 until as late as 2019, which violated COPPA’s consent and notice requirements. The complaint also alleged that parents’ deletion requests were not accessible and required parents to jump through unreasonable hoops which violated COPPA’s deletion requirements. For example, parents were required to provide large amounts of information in order for Epic to process their deletion request across multiple rounds of review, such as, IP addresses, the date the child’s account was created, the locations where purchases were made, among others. According to the complaint, many parents’ requests were not accepted or processed. 
  • Default Voice and Live Text Settings Constitute Unfair Practices: Epic’s settings on Fortnite enabled live text and voice communication features for users that remained on by default. The complaint alleged that these default settings, when paired with Fortnite’s game model (where users are paired to play with strangers), led to harm for children and teens, which they could not reasonably avoid themselves. For example, the complaint points to specific instances of exposure to sexual harassment and self-harm facilitated by the voice and live text communication features. 

    According to the complaint, employees urged Epic to require users to opt-in for voice and live text features over months. For example, in 2017, only two weeks after they were released, an Epic employee cited concerns regarding the potential for online harassment of children in connection with a public incident. Despite these concerns, the complaint alleged that Epic maintained the default settings. Although the complaint acknowledged that Epic added the ability to turn off the voice features, it states that the default feature remained an unfair practice under Section 5 because Epic did not alert users of the new feature and purposefully hid the feature in the settings page. 
  • Dark Patterns and Billing Practices Constitute Unfair Practices: The complaint alleged that Epic ignored over one million consumer complaints related to unauthorized charges caused by dark patterns and lack of parental consent. According to the complaint, the company deployed various dark patterns to encourage consumers to make unintended purchases. For example, the complaint cites Fortnite’s counterintuitive and inconsistent button placements as leading to unintended charges upon one click of a single button. Specifically, the complaint cited that while Epic provided players an option to not save their payment method, a player had to opt-into this option and the box to do so was hidden. If players did not check this box, payment information was automatically saved for future purchases. Further, the FTC found that Epic purposefully obscured the cancel and refund features. The complaint also alleged that, until 2018, children under the age of 13 were able to make in-game purchases without first obtaining parental or card holder consent. For example, parents authorized one-time purchases and were unaware that their children would later be able to make additional purchases without consent. The complaint points to all of these billing practices as violations of the unfairness prong of the FTC Act. 

    Further, the FTC alleged that consumers who complained about these unauthorized charges by disputing them with their credit card companies had their accounts locked by Epic, which constituted a violation of the unfairness prong because consumers were unaware of these potential consequences. Specifically, the complaint alleged that consumers were unaware that disputing an unauthorized charge would lead to them being locked out from an account where some consumers stored thousands of dollars’ worth of purchased items. Despite large volumes of consumer complaints, the complaint alleged that Epic did not make changes.

Penalties and Injunctive Relief

Per the COPPA settlement, Epic Games, Inc. must pay a monetary penalty of $275 million for violating COPPA. Among other requirements, Epic must adopt strong privacy default settings for children and teens: specifically voice and text communications must remain turned off by default. Epic must obtain affirmative consent from a parent for children under 13, or the affirmative express consent of a teen, before disclosing their personal information to other users or enabling voice and text communications. Epic is also required to delete all previously collected personal information unless the user has provided age information through a neutral age gate identifying them as 13 or older or the defendant has provided notice and obtained verifiable parental consent. In addition, Epic is required to implement a comprehensive privacy program, that includes providing the written program and evaluations thereof to the Board or governing body, at least once every twelve months, a documented risk assessment, and regular privacy and COPPA rule training.  

Under the consent order regarding Epic’s unfair practices, Epic will need to pay a $245 million refund to consumers that were affected by Epic’s alleged violations of the unfairness prong of Section 5 of the FTC Act. In addition, Epic is barred from using dark patterns to get consumer consent for payment processes, and it will need to overhaul its billing and dispute practices. 

Authors

More from this series