A Fortnite Education: Epic Games’ Hard Lesson in Children’s Privacy, Dark Patterns, and FTC Enforcement

Epic Games, Inc. (“Epic”) wrapped up 2022 by entering into an agreement with the Federal Trade Commission (“FTC”) to pay whopping penalties and refunds over allegations of violating children’s privacy law and using dark patterns to trick players into making in-game purchases. The video game industry is buzzing after this crackdown, and developers and publishers at all levels are wondering what this means for their business practices. Let’s break down what happened and how to lessen the chances of becoming the next headline.

Children’s Privacy
The FTC alleged that Epic violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from children under 13 who played Fortnite without first notifying their parents or obtaining their parents’ verifiable consent. As part of settling with the FTC over the alleged COPPA violations, Epic agreed to pay the FTC a $275 million penalty, which is the largest penalty ever obtained for violation of an FTC rule.

COPPA is a U.S. federal law designed to protect kids from having their personal data used or disclosed without parental permission. Video game developers and publishers must design online gaming experiences with COPPA in mind to avoid hefty FTC fines – up to $40,000 per violation. Some of the core requirements to meet COPPA standards include posting an adequate privacy notice, providing notice to parents, and obtaining verifiable parental consent before collecting personal data from children.

The FTC primarily took issue with the following aspects of Fortnite:

  • Parental Notification and Consent.
    According to the FTC, Epic collected personal data from children under age 13 online without first obtaining their parents’ verifiable consent, despite knowing that many children were playing Fortnite. Additionally, when parents requested that Epic delete their children’s personal data, Epic required parents to take burdensome steps and sometimes failed to honor the deletion requests.
  • Dangerous Game Design and Default Settings.
    The FTC alleges that Epic’s gameplay design and default settings in Fortnite harmed children and teens by matching them with strangers to play Fortnite together and enabling live on-by-default text and voice communications for users. As a result, the FTC found, children and teens have experienced bullying, harassment, and threats through playing Fortnite, resulting in dangerous real-life situations including trauma and suicide. Epic eventually added a button allowing players to turn off the voice chat, but players complained that the button was difficult to find.

We can learn a lot from the FTC’s allegations against Epic. Keep in mind that, in addition to COPPA, certain U.S. state laws have established children’s privacy standards stricter than COPPA, and games offered in European and UK markets must also meet the standards set by the General Data Protection Regulation and its UK counterpart. Below are some general best practices for providing a compliant and safe gaming experience for players of all ages:

  1. Post a Privacy Notice that meets statutory notice requirements for players and parents.
  2. Collect verifiable parental consent before collecting any personal data from children.
  3. Implement an age gate to identify US players under age 13 and EU/UK players under age 16.
  4. Don’t collect personal data from children online without legally adequate parental consent. If children’s personal data was previously collected without parental consent, delete it.
  5. Don’t enable voice or text communications for children or teen players without parental consent.
  6. Establish a comprehensive privacy program that meets the requirements of COPPA and other consumer privacy laws that apply to the developer or publisher and its players.
  7. Complete independent audits of privacy practices and information systems at regular intervals, preferably on an annual basis.

Methods to implement these best practices are exceptionally fact-specific and vary from one game to the next.
Have questions? Immix Law Group’s attorneys can help untangle COPPA requirements and develop solutions tailored to each specific game.

Dark Patterns
“Dark patterns” is a headline-worthy term that broadly refers to deceptive user interface practices or deceptive design practices that trick users into taking certain unintended actions. In this case, the FTC alleges that Epic organized the Fortnite interface to confuse players into making unintended purchases, allowed credit card charges to be made at the click of a button and without consent, and made it difficult to request or receive refunds.

Deceptive user interface practices are nothing new. Prior to this Epic case, industry giants like Apple and Google faced enforcement for allowing child users to make gaming purchases without parental permission. More recently, the FTC published a staff report to address its efforts to stop the use of dark patterns. As part of its resolution with the FTC, Epic will pay $245 million (of the $520 million total) in customer refunds for its dark patterns and billing practices, which is the largest refund amount in a gaming case and the FTC’s largest administrative order in history.

It’s clear that the FTC doesn’t want video games to trick children into buying digital llama-shaped piñatas with their parents’ real money. What steps can video game developers and publishers take to try to avoid the FTC’s dark patterns wrath?

  1. Purchases should not be surprises.
    The Fortnite controller buttons that result in purchases were at times switched or unclear. As a result, players made accidental one-click purchases in the game. Purchases should not be a surprise to the player or the credit card holder. Ensure that any in-game purchases require at least a second confirmation click before a purchase is made.
  2. Take extra precautions with child players.
    If children will likely play the game, take extra precautions. The player experience should match a child’s development and intuition. For example, children are less able to discern when real money is being spent in the game. Provide simple, obvious and repeated disclaimers and collect parental consent and authorization along the way.
  3. Listen to feedback.
    The FTC noted that Epic did not respond to internal red flags or customer feedback when parents requested refunds for surprise charges for in-game purchases. Listen to employees, developers, and customers and respond by making improvements.
  4. Use vetted third-party contractors and require they not use deceptive UX practices.
    Third-party contractors are often used in the industry to develop video games. It can be difficult to control and prevent use of dark patterns by these contractors. Vet third-party contractors carefully and have contracts in place that prohibit and prevent the use of dark patterns in their work product.

Video games provide unique and immersive experiences that can transport players to alternate worlds. But this level of player engagement brings with it a responsibility to protect children’s privacy online and to understand how design choices can impact player behavior, both good and bad. It can be tricky to meet these standards without losing the sense of escapism carefully designed into each game.

At Immix Law Group, our lawyers understand the video game industry and help developers, publishers, and platforms create and offer games that meet these standards while still providing a fun and enjoyable experience for players. For more information and personalized advice, please reach out to connect with our team.

Authors

Emily Maass
emily.maass@immixlaw.com

Emily is a corporate attorney and privacy and data security expert with a keen understanding of the innovative technologies driving today’s market and culture. She advises companies on federal, state, and international privacy matters including compliance strategies with COPPA, HIPAA, GDPR, and state privacy regimes. Emily leverages her expertise to offer a privacy-forward edge to clients in game development, publishing, platform strategy, web3, and highly regulated industries. As corporate counsel to innovative and growth-oriented companies, Emily offers results-oriented support in commercial contract negotiations, corporate governance, regulatory compliance, and other day-to-day business needs.

Miriam Wainwright
miriam.wainwright@immixlaw.com

Miriam is a corporate attorney who uses her business and marketing background to serve clients on a range of legal matters. She regularly counsels game companies on video game development, publishing and platform strategies, and additionally advises clients on growth strategies as well as day-to-day legal issues, including business transactions, financing, and intellectual property protections.

Miriam is passionate about working with small and growing businesses and using her skills to make legal support accessible. Her professional legal experience includes transactional work with game and technology companies at Immix Law Group, as well as internships with the U.S. Bankruptcy Court of the District of Oregon and the U.S. Securities and Exchange Commission, all of which solidified her focus on corporate transactions and compliance matters.