The Epic Games FTC Settlement: 3 Unsurprising Things, 3 Surprising Things, and 3 Takeaways
In a bombshell announcement Monday, the FTC revealed a historic $520 million penalty against Epic Games, creators of the popular game Fortnite. The penalty consists of $275m for violating the Children’s Online Privacy Protection Act (COPPA) and $245m for violations involving “dark pattern” practices related to in-app purchases. Both settlements are the largest of their kind in FTC history – notably, the two previous highest settlements were also for kids’ privacy violations.
As Epic acknowledged in a blog post discussing the decision, “The old status quo for in-game commerce and privacy has changed, and many developer practices should be reconsidered.” We’ve sorted our initial observations about this settlement into three categories: things that are not surprising (at least with the benefit of hindsight), things that are a bit surprising, and things to remember going forward.
NOT SURPRISING
1. Epic/Fortnite as a COPPA enforcement target
Epic launched Fortnite in 2017, which is an eternity ago in the world of video games (and frankly, for kids’ privacy enforcement as well). At that time, a common industry misconception was that there were “kid games” created by “kids companies” like TinyCo, “adult games” like Grand Theft Auto or Call of Duty, and nothing in between. Although some gaming companies adopted hybrid “mixed audience” experiences, holdouts on the “adult” side would often point to their game’s content rating or their Terms of Service language to argue the game was not “directed to children” and therefore not subject to laws like COPPA.
This argument would not hold up. As the FTC made clear in the Musical.ly/TikTok case, it can consider an online service child-directed even if the developer does not intend for children to participate. Despite being a shooter rated “T for Teen” by the ESRB, Epic allegedly encouraged kids to play Fortnite, even partnering with Spirit Halloween in 2018 to make kids-sized Fortnite costumes. Although Epic would eventually implement an age-gate in 2019 (discussed in more detail below), Fortnite had virtually no protections in place for children for its first two years.
The FTC has had Fortnite on its radar for quite some time, with speakers mentioning it several times in its 2019 COPPA Workshop as an example of a service likely to appeal to children. Given that the FTC continues to state its intention to enforce COPPA vigorously, the current action is not surprising.
2. The FTC continues to focus on privacy, COPPA, and specifically real-world harms
The FTC complaint against Epic focuses on real-world harms arising from Epic’s privacy practices, which the FTC alleges led to bullying, threats, harassment (including sexual harassment), exposure to content related to suicide and self-harm, and “predators blackmailing, extorting, or coercing children and teens they met through Fortnite into sharing explicit images or meeting offline for sexual activity.” Likewise, the FTC complaint regarding “dark patterns” references the huge number of complaints from parents to Epic regarding unauthorized credit card charges in Fortnite. It’s clear from this action the FTC continues to prioritize cases where it perceives material consumer harm.
3. Internal concerns at Epic were aired, ignored, then eventually became evidence
In its complaint, the FTC utilized internal communications among Epic employees to make the case that Epic management knew of the problems underlying the complaint and failed to address them. Epic employees flagged issues with toxicity arising from having voice chat on by default in Fortnite matches, pointed out the issue of unauthorized purchases caused by Epic saving consumers’ credit card information by default, and suggested fixes that were ultimately rejected by management, such as requiring confirmation of the cardholder’s CVV before making subsequent purchases or adding a “purchase confirmation” function in the game’s user interface. Communications with Epic’s User Experience (UX) designers show that they specifically changed their flows with the intent to obfuscate important consumer information. The FTC settlement requires them to make the changes that these employees already suggested.
Given the realities of modern game development, it’s perhaps not surprising that the compliance issues raised by Epic’s employees didn’t result in immediate changes. However, this case serves as a good reminder to listen actively to and prioritize player (and employee) complaints, especially when they flag legal non-compliance.
A BIT SURPRISING
1. Epic’s 2019 age-gate rollout deemed insufficient
When Epic rolled out its Parental Controls and age-gate in September 2019, many in the industry viewed it as a reasonable correction. However, the FTC alleged that Epic’s age-gate was insufficient for several reasons. First, the rollout of the age-gate only affected prospective players, meaning it did not affect the alleged “hundreds of millions” of accounts that Epic knew children already used. Second, the age-gate only affected players who played Fortnite using Epic accounts – players using their console-controlled accounts were unaffected. Lastly, the age-gate did not change the user’s default privacy settings, so underage players’ display names were still publicly visible and those players could still receive voice and text chat from strangers.
2. Emphasis on the privacy of public “display names”
The FTC’s complaint repeatedly mentions that underage players’ “display names” were visible to strangers in Fortnite by default. The fact that the FTC considered this a violation is not necessarily a surprise – COPPA clearly includes “user names” in the definition of protected “personal information” so long as they can be used to initiate direct contact with the user. However, the FTC’s concern over “display names” in Fortnite may be surprising to some, given that, by design, these usernames are only used to identify players within the game’s ecosystem and cannot by themselves permit real-world contact.
The FTC’s decision shows that it understands that online harassment can harm a child even if the harassment is confined to the virtual environment. However, this creates a practical challenge for developers of multiplayer games to develop ways to allow for effective communication among groups of underage players without reliance on usernames.
3. The chargeback conundrum
As detailed by the FTC, a “chargeback” occurs when a consumer disputes a charge with its financial institution rather than the vendor itself. The FTC complaint alleges that Epic received tens of thousands of chargebacks, totaling millions of dollars, so much so that Visa and Mastercard threatened Epic’s ability to process consumer payments through their networks if Epic did not reduce chargebacks.
In response, Epic instituted an aggressive chargeback policy, banning users’ accounts immediately in the event of a chargeback and permitting players only one chance to prove their innocence and get their account reinstated. Because account bans result in players losing access to all their virtual entitlements (even those players legitimately purchased), the FTC concluded this policy was too harsh. This decision could put game companies in a bind, as it could lead to an increase in chargebacks.
TAKEAWAYS
1. Default settings matter.
Children’s display names should be hidden by default, and free-form chat functionality (voice and text) should be disabled. On the payment side, the option to save payment information needs to be opt-IN, not opt-out.
2. UX matters.
Purchase confirmation pop-ups are critical to prevent accidental purchases. Options to undo a purchase should be prominent and require less effort than it took to make the initial purchase. For example:
3. Refund policies matter
Prior to June 2018, consumers could not request a refund through the Fortnite app, but instead had to complete a separate form on Epic’s website. Going forward, companies should process refunds promptly and without unnecessary steps that “add friction for friction’s sake.”
Likewise, refund policies need to be generous. Epic restricted users to a lifetime maximum of three refunds per account, which was found to be draconian. While there is no one-size-fits-all refund policy, adding protections at the point of sale (such as purchase confirmations and CVV security checks) could cut down on the number of refund requests and correspondingly reduce enforcement risk.
This case is still fresh, and the full effects on the industry will likely not be seen for a while – contact an attorney at Tyz Law Group if you have questions.