Epic Games will pay over half a billion dollars to settle two Federal Trade Commission complaints regarding the company’s use of children’s private information and its use of “dark patterns” to encourage accidental in-game purchases. The penalties—which the FTC says are some of the largest imposed in the organization’s history—also come with imposed changes to the way Epic handles purchases and player interactions in its online games.
Copping to COPPA, bringing light to “dark patterns”
The FTC’s first complaint alleged that Fortnite “failed to comply with the COPPA (Children’s Online Privacy Protection Act) Rule’s parental notice, consent, review, and deletion requirements.” The alleged violations included turning voice and text chat features on by default for young players, as well as publicly broadcasting their account names in the game.
Epic has recently changed those policies, implementing default settings for players under 18 that limit chat, hide usernames, and allow joining of parties by “invite only.” Epic also pointed to this month’s rollout of “cabined accounts,” which limits full access to online features for young children’s accounts until they are verified by an adult.
In a separate complaint, the FTC said that Epic often charged Fortnite players for in-game items without their “express informed consent.” The use of “design tricks known as ‘dark patterns'” led to “millions of complaints” to Epic and disputes of unauthorized charges with credit card providers, according to the FTC.
Until late 2018, for instance, Epic automatically stored the credit card information for anyone who made a single purchase in Fortnite and didn’t require the CVV security information for further purchases. That made it easy for many children to make additional purchases without their parents’ consent, according to the FTC.
Epic also drew criticism from the FTC for putting the “Purchase” button for in-game items right next to the “preview styles” button and offering no subsequent purchase confirmation prompt in the case of misplaced clicks. And while Epic introduced an “Undo Purchase” button in July 2019, it was eventually made much less prominent and harder for customers to find.
In response to the FTC’s complaint, Epic says it will now “re-confirm a player’s intent to buy” via a “hold-to-purchase” button on its store pages. The company is also offering instant purchase cancellations and self-service refunds, hopefully obviating the need to go through a credit card company to deal with some complaints. And when a credit card chargeback happens, Epic will no longer automatically assume it is related to fraud and ban the affected account.
A new world of enforcement
According to the FTC investigation, Epic was well aware of what it was doing in both of these cases. By reducing the prominence of the “Undo Purchase” button, for instance, Epic reduced the “net undo rate” by 35 percent, according to an Epic product manager cited in the FTC complaint.
As for COPPA, one unnamed Epic employee cited by the FTC said in an email:
I think you both know this, but our voice and chat controls are total crap as far as kids and parents go. It’s not a good thing. It was on my list a year ago, but never bubbled to the surface. This is one of those things that the company generally has weak will to pursue, but really impacts our overall system and perception. I’ve made a COPPA compliant game and we are far from it, but we don’t need to be that far …
Epic will pay $275 million to the US Treasury to settle the COPPA complaint. An additional $245 million paid for the “dark patterns” complaint will be used to refund affected customers. The four FTC commissioners voted unanimously to impose both penalties.
Beyond Epic, though, the large fines should serve as a warning to other online game developers to take protections like these more seriously. In its blog post regarding the settlements, Epic warns that, while Fortnite is rated T for Teen by the ESRB, developers “can no longer assume [such a rating] won’t be deemed to be directed to children” under COPPA.
Epic also offered other cautions about the new enforcement regime the entire industry will now operate under:
The video game industry is a place of fast-moving innovation, where player expectations are high and new ideas are paramount. Statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough. … The old status quo for in-game commerce and privacy has changed, and many developer practices should be reconsidered.”