‘Fortnite’ maker Epic settles child privacy case, agrees to make refunds

Photo for The Washington Post by Eve Edelheit
Children pose in front of a school bus made to look like the battle bus from the game “Fortnite” in December 2019 in Indian Rocks Beach, Fla.

Epic Games, the maker of the popular video game “Fortnite,” has agreed to pay a record $520 million to settle Federal Trade Commission allegations that the company violated online child privacy laws and tricked players into making unintentional purchases.

Under the settlement, Epic will pay a $275 million penalty for violating the Children’s Online Privacy Protection Act (COPPA) and $245 million in refunds to players who were allegedly tricked into making purchases through design ploys. The settlement marks both the largest penalty doled out for violating an FTC rule, and the biggest refund for a gaming case under the FTC.

The settlement will result in significant changes to “Fortnite,” the cartoonlike shooter game played by more than 400 million users worldwide. Epic will have to adopt stronger privacy settings for children and teenagers that ensure voice and text communications are turned off by default. The company must also delete the personal information it allegedly collected from children under 13 without their parents’ consent and establish a plan to address future privacy issues.

FTC commissioners voted unanimously to accept the agreement with Epic, underscoring the growing bipartisan concern in Washington over the ways that technology companies allegedly harm children and siphon their data. The FTC has been under growing pressure from lawmakers, parents and child safety advocates to use the authority it has under a 1998 law to better protect minors under the age of 13 online.

“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices,” Chair Lina Khan, a notable tech industry critic, said in a statement Monday.

The settlement could have wide-ranging consequences for a host of other tech companies and game makers that rely on “dark patterns” – deceptive design tricks that manipulate users into making certain choices.

The FTC action comes as enforcers around the world are weighing how to better protect young people online. The United Kingdom enacted landmark rules to protect minors online in 2021, and in the absence of action from Washington, some U.S. states are following suit. A California statute requiring users to adopt protections for users under the age of 18 is slated to take effect in 2024, though a tech industry group is suing to block it.

Lawmakers in Congress have also weighed new legislation that would update protections for children and teens online. COPPA was written years before many of the tech platforms where young people spend much of their time online even existed.

Epic said in a news release that “long-standing industry practices are no longer enough” in an environment where enforcement is rapidly evolving.

“No developer creates a game with the intention of ending up here,” the company said. “We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”

In a complaint filed in federal court, the FTC alleged that Epic collected personal information from “Fortnite” players under 13 without their parents’ consent, a violation of COPPA. To get that personal data deleted, the FTC alleged, parents had to “jump through unreasonable hoops” and were sometimes unsuccessful. Moreover, text and voice communication functions were turned on by default, exposing children to bullying, threats and other “psychologically traumatizing issues” as they played “Fortnite” with strangers online, the agency alleged.

The FTC filed a separate complaint spelling out Epic’s use of “dark patterns.” For example, a player could be charged for attempting to wake the game up from sleep mode, according to the agency. Epic ignored more than 1 million user complaints that they had been improperly charged, the FTC said.

Child safety advocates and lawmakers commended the FTC’s action, but warned that it signaled the need for Congress to update the decades-old statutes governing how tech companies handle children’s data.

“Congress must meet this moment in history by stepping up and stepping in for the well-being of young people across America,” said Sen. Ed Markey (D-Mass.), who was one of the original authors of COPPA and who has drafted an update to the children’s online safety legislation. “Without immediate action to thwart the pernicious threats facing young people, we will fail to safeguard them in the face of a generation-defining mental health and privacy crisis.”

Child safety advocates have called for Congress to include protections for children in its omnibus spending bill.

“These provisions give teens privacy rights for the first time, address unfair monetization by prohibiting targeted advertising, and empower regulators by creating a dedicated youth division at the FTC,” said Josh Golin, the executive director of Fairplay, a nonprofit focused on protecting children from marketing.

Many major tech companies have previously paid fines for allegedly violating COPPA, including Youtube and TikTok predecessor Musical.ly. But the fines – typically in the millions – usually pale in comparison to the billions in revenue that tech companies generate annually, and critics have argued that they are viewed as the cost of doing business.

Tech industry critics said the “Fortnite” settlement marked a departure.

“This agreement is not a parking ticket – it’s a clear demonstration of the FTC’s full-throated commitment to protecting children online and ending the use of dark patterns,” said Sarah Miller, executive director of the American Economic Liberties Project, a group that has advocated for the regulation of tech companies.