Governance & Risk Management , Privacy , Standards, Regulations & Compliance
Fortnite Maker Epic Pays $520M to Settle FTC Allegations
Epic Games Settles Accusations It Violated Children's Privacy and Duped UsersThe software developer behind tween-favorite video game Fortnite will pay more than half a billion dollars to U.S. federal regulators to settle allegations it violated children's privacy law and duped users and parents into funding unauthorized in-game charges.
See Also: Using the Netskope HIPAA Mapping Guide
In all, Epic Games will pay $520 million to end two investigations initiated by the Federal Trade Commission - $275 million to settle a court complaint about alleged violations of the Children's Online Privacy Protection Act and $245 million to settle allegations made in the FTC's administrative court that the company used dark patterns and frictionless in-app payments in order to rack up unauthorized credit card charges. The FTC says it will use the second pot of settlement money to offer consumers refunds.
The cartoonish shooter game, introduced in 2017, is free to download but has earned its makers billions through in-app purchases of avatar costumes and dance moves. Nearly 400 million users worldwide have downloaded the game, but user data tracked by a third party pegs the average monthly user base during 2022 at around 260 million.
The FTC portrays Fortnite as a vector for child harassment including sexual exploitation because, until recently, voice and text chat features were turned on by default and the game publicly broadcast players' account names. Criminal prosecutions of Fortnite users have included adults who coerced minors into sending sexually explicit images and a man arrested in a Waffle House restaurant in Georgia for setting up a proposed sexual encounter with a 13-year-old boy.
Internal communications seen by the FTC show company executives were aware that children younger than 13 were using the game. They mainly ignored recommendations from the user experience team to make the game less potentially toxic enabling highly visible controls to turn off the default options. "I think you both know this, but our voice and chat controls are total crap as far as kids and parents go. It’s not a good thing," one Epic employee emailed an executive in June 2018.
Epic did begin rolling out parental controls for privacy but for the FTC, it was too little, too late. "Even when Epic obtained actual knowledge that particular Fortnite players were under 13, Epic took no steps to comply with COPPA. Indeed, Epic went to great lengths to pretend it never obtained actual knowledge at all," the privacy complaint alleges.
The settlements, which don't require Epic to admit guilt, call for the game maker for the next 20 years to maintain a privacy program ensuring that it obtains parental consent before collecting the personal data of children under the age of 13. It must also agree to delete children's personal information at the request of a parent. The complaint charges Epic with making parents "jump through extraordinary hoops" to prove their parental status, in some cases by asking for the IP addresses used to access Fortnite. The company also must obtain "express, informed consent" for account charges.
In an online statement, Epic said its previous practices were in line with "long-standing industry practices" but that "the old status quo for in-game commerce and privacy has changed."
FTC commissioners voted unanimously on a bipartisan basis to approve the settlements, which technically are subject to 30 days of public comment before the commission votes to finalize them.