Epic Games $520 Million Settlement with FTC for Unfair Practices and COPPA Violations

In a recent agreement totaling $520 million, Epic Games, Inc. (Epic), maker of the popular Fortnite video game, settled allegations posed by the Federal Trade Commission (FTC) that it violated the Children’s Online Privacy Protection Act (COPPA). The FTC’s complaint alleged that Epic engaged in unfair trade practices by publicly broadcasting players’ names and connecting players in real-time using on-by-default settings in violation of COPPA, and knowingly used dark patterns in its video games that led to unfair billing practices under Section 5 of the FTC Act. The alleged COPPA violations resulted in a $275 million penalty, while the unfair billing practices resulted in $245 million in refunds.

Fortnite is free to download and play, but users also can pay for in-game items such as costumes and dance moves, giving it a consumer reach of more than 400 million users.

The FTC alleged that Epic violated COPPA by:

  • Failing to notify parents and obtain consent prior to collection of personal information from children under 13 and required parents who requested that their children’s personal information be deleted to take unreasonable, unwieldy actions in order to do so
  • The default settings enabled live text and voice communications between users and led to matching children and teens with adults who bullied, threatened, harassed, and exposed these minors to traumatizing issues

Epic must obtain affirmative consent from parents/guardians of all users ages 13 and under as well as delete information previously collected unless they obtain consent to retain such data.

The FTC also alleged that Epic violated Section 5 of the FTC Act by:

  • Tricking users into making in-game purchases using dark patterns -i.e., counter-intuitive, inconsistent, and confusing button configurations;
  • Charging child users without authorization; allowing children to press a button to make a purchase using a credit card with no parent/guardian consent; and
  • Blocking access to purchased content by users who disputed charges with their credit card companies and warning users that they might be banned for life if they continued to dispute charges.

To read the agreement and consent order, click here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.