Epic Games, the developer of the hugely popular battle royale game Fortnite, has agreed to pay $520 million to settle claims that it violated the Children’s Online Privacy Protection Act (COPPA) and used “dark patterns” to obtain payments from players. COPPA was signed into law in 1998 and compliance has been mandatory since April 21, 2000. COPPA imposes restrictions on operators of websites and online services regarding children under 13 years of age. In order to collect the personal information of children under 13, persons or entities under U.S. jurisdiction are required to obtain consent from a child’s parent or legal guardian. COPAA also requires operators of websites and protect children’s privacy and ensure their safety online, and also places restrictions on marketing to children under 13 years of age.
The Federal Trade Commission (FTC), which enforces compliance with COPPA, alleged Epic Games violated COPPA in two ways. Firstly, Epic Games was alleged to have collected the personal information of children under 13 without obtaining consent from a parent or guardian, and secondly, Epic Games was alleged to have caused children to come to harm by enabling live on-by-default text and voice communications for its Fortnite game, which exposed children to cyber-bullying, harassment, and other traumatizing incidents. $275 million of the settlement amount resolved these allegations.
The remaining $275 million resolved claims that the company engaged in shady billing practices and dark patterns to trick Fortnite players into making unwanted payments. Fortnite is free to play, but players can pay for a season battle pass to receive certain in-game perks, such as additional challenges and skins to change players’ appearances.
According to the FTC, Epic Games had implemented a “counterintuitive, inconsistent, and confusing button configuration,” which meant that a player could incur charges with a single button press. Further, children could incur charges in the game without obtaining the consent of the cardholder until 2018. Any customers who disputed unauthorized charges were locked out of the game. The FTC said the default settings in Fortnite were privacy-invasive and the interfaces were deceptive, which resulted in teenagers and children being tricked into making payments.
In addition to the financial penalty, the settlement requires Epic Games to disable voice and text communications for children by default, with consent required from a parent or guardian to enable that feature for children under 13. Teenage users are also required to provide consent to have that feature enabled. Epic Games is also required to establish and maintain a comprehensive privacy program to address all issues detailed in the complaint, and the personal data of any children that were collected in violation of COPPA must be deleted.