Epic Games – the maker of Fortnite – Agrees to Record-Breaking $520M FTC Settlement; Entire Gaming Industry is Now on Notice
Yesterday, Epic Games (Epic), the maker of Fortnite, agreed to settle accusations that the company was illegally collecting children’s personal information, of harming young players by matching them with strangers on the gaming site and enabling live communications. In addition, the company was accused of using “dark patterns” – manipulative techniques that trick millions of players into making unintentional purchases. Epic will pay $275M for collecting information about kids under the age of 13 without parental permission. Specifically, the regulators accused Epic of violating the Children’s Online Privacy and Protection Act of 1998 (COPPA) by collecting personal information from children under 13 who played Fortnite without obtaining verifiable consent from a parent. And, according to the legal complaint filed, Epic made parents “jump through hoops” to have their children’s data deleted and sometimes failed to honor parents’ deletion requests.
COPPA is the preeminent US law protecting children’s privacy. It applies to all commercial websites or online services that direct their products or services to children under the age of 13, and to companies that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA imposes a number of requirements in order to collect the personal information of children, including:
- Posting an online privacy notice describing an operator’s information practices for personal information collected from children
- Providing direct notice to parents and obtaining verifiable parental consent prior to collecting personal information from children.
- Providing parents with the choice of consenting to the operator’s disclosure of children’s data to third parties.
- Providing parents with access to their children’s personal information.
- Providing parents with the right to delete their children’s personal information.
- Providing parents with the right to opt-out of future collection or use of their children’s personal information.
- Taking steps to protect the confidentiality, security, and integrity of children’s data.
This settlement is historic because this is the largest fine ever for a violation of COPPA. Epic will also refund customers $245M for unauthorized or unwanted purchases. FTC previously brought cases against Alphabet Inc.’s Google, Apple Inc., and Amazon.com Inc. over children’s unauthorized digital purchases. This settlement amount is much larger than the largest child privacy violations settlement on record where Google agreed to pay a $17M penalty over accusations that it illegally harvested data from children on YouTube and used it to target them with ads. State-level privacy initiatives continue to expand and evolve. Government scrutiny continues to increase regarding how social networks and video game companies deal with young people of all ages. Indeed, back in September, California enacted a sweeping online children’s safety law that will require companies to turn on the highest privacy settings for children by default and turn off certain features, like precise location tracking, that might expose them to risk. CA’s online children’s safety law is scheduled to become effective in 2024. Last week, the State of California was sued by NetChoice – whose members include Meta, Google, and Amazon – to try to block it.