A Whopping $520M Settlement – Tips to Avoid Noncompliance Penalties

Author

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US


The developer of the popular video game Fortnite, Epic Games, Inc., has agreed to pay a whopping $520 million to settle claims brought by the Federal Trade Commission (FTC). The settlement follows the FTC’s allegations that the company violated the Children’s Online Privacy Protection Act (COPPA) and used dark patterns to mislead millions of players into making unintentional in-game purchases.

This settlement could have far-reaching consequences for the video games industry, as it sets a precedent for how online platforms should refrain from using dark patterns and only collect children’s data if authorized through parental consent. It could also encourage regulatory bodies in other jurisdictions to take a closer look at the practices of various digital platforms, especially those belonging to the video game industry.

Background of the Settlement

In 2020, the FTC filed a complaint against Epic Games in federal court, alleging that the company violated COPPA by collecting personal information from children under 13 without notifying their parents or obtaining the parents’ verifiable consent. The FTC also alleged that Epic violated the FTC Act’s prohibition against unfair practices by enabling live voice and text communications for children and teenagers by default.

In a separate administrative complaint, the FTC also alleged that Epic used dark patterns, such as a “counterintuitive, inconsistent, and confusing button configuration,” to manipulate users into making unwanted purchases. Moreover, the FTC highlighted that Epic let children make in-app purchases while playing Fortnite without any parental involvement or consent. Epic allegedly locked the accounts of users who disputed the unauthorized charges with their credit card companies. Even after unlocking such accounts, Epic warned these consumers that if they contested any subsequent charges, they risked having their accounts permanently locked and losing access to all purchased content. The FTC further stated that Epic deliberately obscured its cancel and refund features to make them harder to find.

Breakdown of the Penalty

The FTC’s action against Epic resulted in two separate settlements, each of which set a record:

  1. $275 million penalty for violating the COPPA;
  2. $245 million penalty to refund consumers for Epic’s dark patterns and billing practices.

In addition, Epic will be obliged to provide robust privacy default settings for children and teenagers, guaranteeing that voice and text communications are disabled by default. This is a first-of-its-kind requirement.

The $275 million penalty is the largest penalty ever obtained for violating an FTC rule. The $245 million refund is the FTC’s largest refund amount in a gaming case and its largest administrative order in history. This demonstrates a major shift in the regulatory landscape and signals regulators’ willingness to impose substantial non-compliance penalties.

According to the FTC:

“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the [Federal Trade] Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”

Ruling Against Epic Games

In the proposed federal court order against Epic Games, the following injunctions were imposed, amongst other directives:

  1. Obtain consent before enabling voice and text communications for minors: Unless parents (of users under 13) or teen users (or their parents) give their affirmative express consent through an easily located privacy setting, Epic Games will not be allowed to enable voice and text communications for children and teenagers.
  2. Delete personal data of minors unless its retention is consented to: Unless the company receives parental consent to retain personal data or the user indicates that they are 13 or older through a neutral age gate, Epic must delete any personal information previously collected from Fortnite players in violation of the COPPA's parental notice and consent obligations.
  3. Develop a privacy policy and obtain independent assessments: Epic must establish a comprehensive privacy program that addresses the problems identified in the FTC’s complaint and obtain regular, independent audits.

Best Practices for Avoiding Non-compliance Penalties under the COPPA

The rules applicable to digital interfaces, including online gaming platforms, are continually evolving, so game developers and other businesses must regularly re-evaluate their practices. Businesses must ensure they are complying with evolving laws to steer clear of hefty penalties. In this regard, the following are some tips for game developers subject to COPPA to help them avoid non-compliance penalties:

  1. Stay informed about relevant laws and regulations: Make sure to keep up to date with any amendments or changes in the legal framework that affect your business. This will help you ensure that you are in compliance and avoid penalties.
  2. Post a clear and comprehensive privacy policy: Make sure the privacy policy clearly delineates the activities of the organization with respect to the collection and processing of children’s personal data. The privacy policy should include information regarding the data controllers, the type of information collected, the use and disclosure of such information, and the rights of the parents to review their child’s personal information, have it deleted or updated, or prohibit its further collection and use. The privacy policy should not contain any unrelated, confusing, or contradictory materials.
  3. Obtain parental consent: The general rule under COPPA, with limited exceptions, is that organizations must provide direct notice to the parents or guardians of children and obtain their verifiable consent before collecting children’s personal data on online interfaces. Parents should be allowed to consent to the collection of children’s personal data for the controller’s internal use while prohibiting its disclosure to third parties, unless such disclosure is essential to your digital platform and this is clearly highlighted to the parents.
  4. Look at your website or app through the eyes of consumers: A good user experience is crucial, and privacy fundamentals are part of it. Be open and honest about how you handle users’ privacy, especially where billing involves banking details. Do not make any unauthorized charges using consumers’ financial data. In this regard, introduce additional checks in games played by children so they cannot make purchases without their parents’ permission.
  5. Default settings that harm the consumers may be unfair under the FTC Act: Evaluate the potential harm caused to consumers by any default configurations present on your digital platform. Eliminate any default settings that may harm children.
  6. Reconsider your data subject request (DSR) and refund policies: Parents should be able to access their children’s personal information as collected by your platform, and have that information erased, deleted, or updated. Moreover, they should be allowed to prevent the further use or online collection of their child’s personal information. Inform parents of these rights through effective and up-to-date privacy notices and policies. Additionally, hiding or obscuring any refund request path is a poor business practice, so your organization should not do it.
  7. Implement data minimization: Retain the personal data of children for only such period as is necessary to achieve the particular processing purpose for which the data was collected. Thereafter, delete such personal data employing appropriate security measures which protect the information from unauthorized access or use.
  8. Implement data security measures and conduct assessments: Ensure data security, confidentiality and integrity by taking appropriate security measures and conducting regular conformity assessments to identify risks and take mitigation steps accordingly. Moreover, children’s personal data should only be released to entities capable of maintaining the security and confidentiality of the data.
  9. Do not collect children’s personal information through any coercive means: Children’s participation in any online activity should not be made contingent on a child providing more personal information than is necessary to participate in such an activity.
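The injunctions in the court order (consent before enabling chat, a neutral age gate, deletion of data collected without consent) and tips 3 to 7 above describe controls that can be expressed as code. The following is an added illustration, not code from Epic Games, the FTC or Securiti: it models a neutral age gate, communications that are off by default for minors, consent checks before collection, disclosure and purchases, and a retention purge. The class and function names, the teen/adult split at 18 and the 90-day retention window are assumptions chosen for the example.

```python
"""Privacy-by-default controls for a game with minor players (added
illustration, not code from Epic Games, the FTC or Securiti). Class names,
the teen/adult split at 18 and the 90-day retention window are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

COPPA_CHILD_AGE = 13   # under 13 is a "child" under COPPA
ADULT_AGE = 18         # 13-17 treated as "teen" (assumption)
RETENTION_DAYS = 90    # assumed retention window (data minimization)

def neutral_age_gate(birth_date: date, today: date) -> str:
    """Classify as 'child', 'teen' or 'adult'. Neutral: the prompt asks for a
    birth date and never reveals the threshold, so it cannot nudge the answer."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    if age < COPPA_CHILD_AGE:
        return "child"
    return "teen" if age < ADULT_AGE else "adult"

@dataclass
class Consent:
    parent_verified: bool = False    # verifiable parental consent on file
    allow_chat: bool = False         # affirmative express consent for comms
    allow_third_party: bool = False  # separate consent for disclosure
    approve_purchases: bool = False  # parental approval for purchases

@dataclass
class Account:
    user_id: str
    category: str                    # result of neutral_age_gate
    consent: Consent = field(default_factory=Consent)
    chat_enabled: bool = False       # voice and text communications

def apply_privacy_defaults(account: Account) -> Account:
    """Chat stays off for minors unless affirmatively enabled: a child's
    consent must come via a verified parent; a teen may give it directly."""
    if account.category == "adult":
        account.chat_enabled = True
    elif account.category == "teen":
        account.chat_enabled = account.consent.allow_chat
    else:
        account.chat_enabled = account.consent.parent_verified and account.consent.allow_chat
    return account

def may_collect(account: Account, purpose: str) -> bool:
    """A child's data is collected only after verified parental consent;
    disclosure to third parties needs its own, separate consent."""
    if account.category != "child":
        return True
    if not account.consent.parent_verified:
        return False
    return purpose != "third_party_disclosure" or account.consent.allow_third_party

def may_purchase(account: Account) -> bool:
    """Children cannot buy in-game content without parental approval."""
    if account.category != "child":
        return True
    return account.consent.parent_verified and account.consent.approve_purchases

def purge_records(records, accounts, today: date):
    """records: (user_id, collected_on) pairs. Returns (kept, deleted) user ids:
    a record is deleted if it belongs to a child whose parent never consented,
    or if it is older than RETENTION_DAYS (data minimization)."""
    kept, deleted = [], []
    for user_id, collected_on in records:
        acct = accounts[user_id]
        unauthorised = acct.category == "child" and not acct.consent.parent_verified
        expired = (today - collected_on).days > RETENTION_DAYS
        (deleted if unauthorised or expired else kept).append(user_id)
    return kept, deleted

def demo(today: date = date(2023, 5, 31)) -> dict:
    """Run the rules over constructed sample accounts and return the outcomes."""
    full = Consent(parent_verified=True, allow_chat=True, approve_purchases=True)
    accounts = {a.user_id: apply_privacy_defaults(a) for a in (
        Account("c1", neutral_age_gate(date(2013, 6, 1), today)),   # child, no consent
        Account("c2", "child", full),                                # child, parent consented
        Account("t1", neutral_age_gate(date(2010, 5, 31), today), Consent(allow_chat=True)),
        Account("a1", neutral_age_gate(date(2000, 1, 1), today)),
    )}
    records = [("c1", today - timedelta(days=10)), ("c2", today - timedelta(days=10)),
               ("a1", today - timedelta(days=100)), ("t1", today - timedelta(days=5))]
    kept, deleted = purge_records(records, accounts, today)
    return {
        "categories": {k: a.category for k, a in accounts.items()},
        "chat": {k: a.chat_enabled for k, a in accounts.items()},
        "c1_collect": may_collect(accounts["c1"], "gameplay"),
        "c2_third_party": may_collect(accounts["c2"], "third_party_disclosure"),
        "c1_purchase": may_purchase(accounts["c1"]),
        "c2_purchase": may_purchase(accounts["c2"]),
        "kept": sorted(kept), "deleted": sorted(deleted),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file shows the child without parental consent (`c1`) getting no chat, no collection and no purchases, and the purge deleting that child’s record alongside the adult record that outlived the retention window, while the consented child (`c2`) keeps chat and purchases but still cannot have data disclosed to third parties without a separate consent. The design point is that every permissive outcome requires an explicit, recorded consent; the absence of a record always resolves to the safe default.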

How Securiti Can Help

The digital landscape is evolving rapidly, especially in light of recent technological advancements and the concerns that have arisen since the Covid-19 pandemic. Governments and regulators are increasingly treating data privacy as a fundamental human right. Therefore, the need to protect consumers’ data, especially that of minors, has never been more crucial.

Securiti’s Data Command Center framework enables organizations to discover dark patterns, protect data systems, establish sensitive data intelligence, govern access to sensitive data, analyze the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, analyze data lineage, and so much more.

Request a demo to see Securiti in action.
