The settlement will result in significant changes to Fortnite, the cartoonlike shooter game played by more than 400 million users worldwide. Epic will have to adopt stronger privacy settings for children and teenagers that ensure voice and text communications are turned off by default. The company must also delete the personal information it allegedly collected from children under 13 without their parents’ consent and establish a plan to address future privacy issues.
FTC commissioners voted unanimously to accept the agreement with Epic, underscoring the growing bipartisan concern in Washington over the ways that technology companies allegedly harm children and siphon their data. The FTC has been under growing pressure from lawmakers, parents and child safety advocates to use the authorities it has under a 1998 law to better protect minors under the age of 13 online.
“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices,” Chair Lina Khan (D), a notable tech industry critic, said in a statement Monday.
Sex, drugs, and self-harm: Where 20 years of child online protection law went wrong
The settlement could have wide-ranging consequences for a host of other tech companies and game makers that rely on so-called “dark patterns” — deceptive design tricks that manipulate users into making certain choices.
The FTC action comes as enforcers around the world are weighing how to better protect young people online. The United Kingdom enacted landmark rules to protect minors online in 2021, and in the absence of action from Washington, some U.S. states are following suit. A California statute requiring users to adopt protections for users under the age of 18 is slated to take effect in 2024, though a tech industry group is suing to block it from taking effect.
Lawmakers in Congress have also weighed new legislation that would update protections for children and teens online. COPPA was written years before many of the tech platforms where young people spend much of their time online even existed.
Epic said in a news release that “long-standing industry practices are no longer enough” in an environment where enforcement is rapidly evolving.
“No developer creates a game with the intention of ending up here,” the company said. “We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”
In a complaint filed in federal court, the FTC alleged that Epic collected personal information from Fortnite players under 13 without their parents’ consent, a violation of the Children’s Online Privacy Protection Act, known as COPPA. To get that personal data deleted, the FTC alleged, parents had to “jump through unreasonable hoops” and were sometimes unsuccessful. Moreover, text and voice communication functions were turned on by default, exposing children to bullying, threats and other “psychologically traumatizing issues” as they played Fortnite with strangers online, the agency alleged.
The FTC filed a separate complaint spelling out Epic’s use of “dark patterns.” For example, a player could be charged for attempting to wake the game up from sleep mode, according to the agency. Epic ignored more than 1 million user complaints that they had been improperly charged, the FTC said.
Child safety advocates and lawmakers commended the FTC’s action, but warned that it signaled the need for Congress to update the decades-old statutes governing how tech companies handle children’s data.
“Congress must meet this moment in history by stepping up and stepping in for the well-being of young people across America,” said Sen. Edward J. Markey (D-Mass.), who was one of the original authors of COPPA and who has drafted an update to the children’s online safety legislation. “Without immediate action to thwart the pernicious threats facing young people, we will fail to safeguard them in the face of a generation-defining mental health and privacy crisis.”
Child safety advocates have called for Congress to include protections for children in its omnibus spending bill.
“These provisions give teens privacy rights for the first time, address unfair monetization by prohibiting targeted advertising, and empower regulators by creating a dedicated youth division at the FTC,” said Josh Golin, the executive director of Fairplay, a nonprofit focused on protecting children from marketing.
Many major tech companies have previously paid fines for allegedly violating COPPA, including TikTok predecessor Musical.ly and YouTube. But the fines — typically in the millions — usually pale in comparison to the billions in revenue that tech companies generate annually, and critics have argued that they are viewed as the cost of doing business.
Tech industry’s critics said the Fortnite settlement marked a departure.
“This agreement is not a parking ticket — it’s a clear demonstration of the FTC’s full-throated commitment to protecting children online and ending the use of dark patterns,” said Sarah Miller, executive director of the American Economic Liberties Project, a group that has advocated for the regulation of tech companies.
An earlier headline said the company had settled the child privacy case for $520 million. The child privacy settlement was $275 million. The remainder, $245 million, was for refunds to gamers who’d been tricked into making unintended purchases.