A Whopping $520M Settlement – Tips to Avoid Noncompliance Penalties

Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Epic Games, Inc., the developer of the popular video game Fortnite, has agreed to pay a whopping $520 million to settle charges brought by the Federal Trade Commission (FTC). The settlement follows the FTC's allegations that the company violated the Children's Online Privacy Protection Act (COPPA) and used dark patterns to trick millions of players into making unintended in-game purchases.

The settlement could have far-reaching consequences for the video game industry. It sets a precedent that online platforms must refrain from dark patterns and may collect children's data only with verifiable parental consent. It may also encourage regulators in other jurisdictions to look more closely at the practices of digital platforms, especially those in the video game industry.

Background of the Settlement

In December 2022, the FTC filed a complaint against Epic Games in federal court, alleging that the company violated COPPA by collecting personal information from children under 13 without notifying their parents or obtaining verifiable parental consent. The FTC also alleged that Epic violated the FTC Act's prohibition on unfair practices by enabling live voice and text communications for children and teens by default.

In a separate administrative complaint, the FTC alleged that Epic used dark patterns, such as a "counterintuitive, inconsistent, and confusing button configuration," to manipulate users into making unwanted purchases. The FTC further alleged that Epic let children make in-app purchases while playing Fortnite without any parental involvement or consent, and that it locked the accounts of users who disputed unauthorized charges with their credit card companies. Even after unlocking such accounts, Epic warned consumers that contesting any further charges could get their accounts permanently locked, costing them access to all purchased content. The FTC also stated that Epic deliberately obscured its cancel and refund features to make them harder to find.

Breakdown of the Penalty

As a result of FTC’s action against Epic, two separate settlements set records:

  1. $275 million penalty for violating the COPPA;
  2. $245 million penalty to refund consumers for Epic’s dark patterns and billing practices.

In addition, Epic will be obliged to provide robust privacy default settings for children and teenagers, guaranteeing that voice and text communications are disabled by default. This is a first-of-its-kind requirement.

The $275 million penalty is the largest penalty ever obtained for violating an FTC rule. The $245 million refund is the FTC’s largest refund amount in a gaming case and its largest administrative order in history. This demonstrates a major shift in the regulatory landscape and signifies the willingness of regulators to impose non-compliance penalties.

According to the FTC:

"Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the [Federal Trade] Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices."

Proposed Court Order Against Epic Games

The proposed federal court order against Epic Games, among other directives, imposes the following requirements:

  1. Obtain consent before enabling voice and text communications for minors: Epic may not enable voice and text communications for children or teens unless the parents of users under 13, or teen users (or their parents), give affirmative express consent through an easily located privacy setting.
  2. Delete personal data of minors unless retention is consented to: Epic must delete any personal information previously collected from Fortnite players in violation of COPPA's parental notice and consent requirements, unless the company obtains parental consent to retain it or the user indicates through a neutral age gate that they are 13 or older.
  3. Establish a privacy program and obtain independent assessments: Epic must establish a comprehensive privacy program that addresses the problems identified in the FTC's complaint and obtain regular, independent audits of it.

Best Practices for Avoiding Non-compliance Penalties under the COPPA

The rules governing digital interfaces, including online gaming platforms, are continually evolving, so game developers and other businesses need to re-evaluate their practices regularly to stay compliant and avoid hefty penalties. The following tips are aimed at game developers subject to COPPA:

  1. Stay informed about relevant laws and regulations: Keep up to date with any amendments or changes in the legal framework that affect your business, so that you remain compliant and avoid penalties.
  2. Post a clear and comprehensive privacy policy: The privacy policy should clearly describe how the organization collects and processes children's personal data. It should identify the data controllers, the types of information collected, how that information is used and disclosed, and the rights of parents to review their child's personal information, have it deleted or corrected, or prohibit its further collection and use. The policy should not contain unrelated, confusing, or contradictory material.
  3. Obtain parental consent: The general rule under COPPA, with limited exceptions, is that organizations must give direct notice to parents or guardians and obtain their verifiable consent before collecting children's personal data online. Parents must be able to consent to the collection of their child's data for the operator's internal use while prohibiting its disclosure to third parties, unless such disclosure is integral to the platform and this is made clear to the parents.
  4. Look at your website or app through the eyes of consumers: A good user experience should build in privacy fundamentals. Be open and honest about how you handle users' privacy, especially where billing and payment details are involved, and never make unauthorized charges against consumers' payment data. For games played by children, add safeguards so that purchases cannot be made without a parent's permission.
  5. Default settings that harm consumers may be unfair under the FTC Act: Evaluate the potential harm to consumers from any default configuration on your platform, and eliminate default settings that may harm children, such as voice and text chat enabled by default.
  6. Reconsider your DSR and refund policies: Parents should be able to access the personal information your platform has collected about their child, have it deleted or corrected, and prevent its further use or collection. Inform parents of these rights through clear and up-to-date privacy notices and policies. Hiding or obscuring the refund request path is poor business practice and, as this case shows, a regulatory risk; do not do it.
  7. Implement data minimization: Retain children's personal data only for as long as necessary to achieve the purpose for which it was collected. After that, delete it using appropriate security measures that protect the information from unauthorized access or use during deletion.
  8. Implement data security measures and conduct assessments: Ensure the security, confidentiality, and integrity of data through appropriate security measures and regular assessments that identify risks and drive mitigation. Release children's personal data only to entities capable of maintaining its security and confidentiality.
  9. Do not collect children's personal information through coercive means: Do not condition a child's participation in an online activity on providing more personal information than is reasonably necessary to take part in that activity.
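The consent, default-setting, and deletion obligations above translate into a few concrete controls in a game's account service: a neutral age gate, communications that are off unless the right party affirmatively turns them on, and a routine that deletes data collected from children without verifiable parental consent. The following Python is an added illustration written for this article, not Epic's or Securiti's code; the account fields, the role names "parent" and "user", and the treatment of 13-to-17-year-olds as teens are assumptions.

```python
from dataclasses import dataclass
from datetime import date

COPPA_AGE = 13       # users under 13 are "children" under COPPA
ADULT_AGE = 18       # assumption: 13-17 handled as "teens"


@dataclass
class Account:
    """Assumed minimal player record. Chat is off by default for everyone."""
    user_id: str
    birth_date: date
    parental_consent: bool = False   # verifiable parental consent on file
    voice_chat: bool = False
    text_chat: bool = False


def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today; a birthday not yet reached counts down."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def age_category(birth: date, today: date) -> str:
    age = age_on(birth, today)
    if age < COPPA_AGE:
        return "child"
    if age < ADULT_AGE:
        return "teen"
    return "adult"


class AgeGate:
    """Neutral age gate: the prompt does not reveal the threshold, and a session
    keeps its first answer, so a player who lands in the child experience cannot
    go back and enter an older date to escape it."""

    PROMPT = "Please enter your date of birth."   # no "you must be 13+" hint

    def __init__(self) -> None:
        self._answers: dict[str, str] = {}

    def submit(self, session_id: str, birth: date, today: date) -> str:
        if session_id not in self._answers:
            self._answers[session_id] = age_category(birth, today)
        return self._answers[session_id]


def enable_communications(acct: Account, channel: str, requested_by: str,
                          today: date) -> bool:
    """Turn on voice or text chat only with affirmative consent from the right
    party: a parent with verifiable consent on file for a child, the teen or a
    parent for a teen, the user for an adult. Returns True if the setting changed."""
    if channel not in ("voice_chat", "text_chat"):
        raise ValueError(f"unknown channel {channel!r}")
    category = age_category(acct.birth_date, today)
    if category == "child":
        allowed = requested_by == "parent" and acct.parental_consent
    elif category == "teen":
        allowed = requested_by in ("parent", "user")
    else:
        allowed = requested_by == "user"
    if allowed:
        setattr(acct, channel, True)
    return allowed


def purge_unconsented_child_accounts(accounts: list[Account], today: date) -> list[str]:
    """Delete records of children whose data was collected without verifiable
    parental consent; returns the deleted user IDs. Teens and adults are kept."""
    deleted = [a.user_id for a in accounts
               if age_category(a.birth_date, today) == "child" and not a.parental_consent]
    accounts[:] = [a for a in accounts if a.user_id not in deleted]
    return deleted


if __name__ == "__main__":
    today = date(2023, 1, 1)                                  # constructed reference date
    gate = AgeGate()
    print(gate.submit("sess-1", date(2012, 6, 1), today))     # child
    print(gate.submit("sess-1", date(1990, 6, 1), today))     # still child: retry ignored
    kid = Account("u1", date(2012, 6, 1))
    print(enable_communications(kid, "voice_chat", "user", today))    # False
    kid.parental_consent = True
    print(enable_communications(kid, "voice_chat", "parent", today))  # True
```

Two design points are worth noting. The gate stores the first answer per session rather than trusting whatever the client last sent, which is what makes it "neutral" in practice: the child-facing experience gives no cue that a different date would unlock more. And the defaults live in the data model, so a new account is private unless someone with standing explicitly changes it, which is the opposite of the opt-out posture the FTC objected to.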

How Securiti Can Help

The digital landscape is changing rapidly, driven by recent technological advances and by concerns that surfaced during and after the Covid-19 pandemic. Governments and regulators increasingly treat data privacy as a fundamental right, so protecting consumers' data, especially that of minors, has never been more important.

Securiti’s Data Command Center framework enables organizations to discover dark patterns, protect data systems, establish sensitive data intelligence, govern access to sensitive data, analyze the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, analyze data lineage, and so much more.

Request a demo to see Securiti in action.
