top of page

Epic Games will pay $520 million to settle COPPA, trick purchase accusations

To settle claims that it broke online child privacy rules and used illicit purchase patterns, Epic Games, the developer of the famous video game Fortnite, agreed to pay a record-breaking $520 million in penalties and reparations and adopt tighter privacy protections.

According to the Department of Justice (DOJ) and Federal Trade Commission (FTC), the developer violated the Children's Online Privacy Protection Act (COPPA) and its related rule by collecting the names, email addresses, and other personal information of young players without parental authorization. Epic Games was also charged with breaking the FTC Act by instituting default privacy settings that could endanger younger gamers.

Epic Games agreed to pay $275 million in civil penalties as part of its settlement filed Monday in U.S. District Court for the Eastern District of North Carolina. The amount is a COPPA violation record, according to the agencies.

The developer must pay an additional $245 million in restitution to millions of customers who were fooled by its "dark patterns" and billing practises, which allegedly tricked gamers into transactions they didn't plan to make, according to a separate order issued by the FTC. According to the FTC, this is the greatest refund amount ever ordered in a gaming lawsuit.

The FTC called it a "first-of-its-kind provision," saying Epic Games must have strong privacy settings for younger users, including turning off voice and text conversations by default.

Fortnite, which has more than 400 million users, is free to download but charges players for in-game purchases. Fortnite is considered intended to children under the age of 13 due to the game's child-oriented activities and the way Epic Games has promoted it to younger users, according to the FTC's COPPA complaint.

Epic Games "was aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licencing and marketing of Fortnite toys and merchandise, player support, and other company communications—and collected personal data from children without first obtaining parents' verifiable consent," the FTC said.

According to the agency, the corporation allegedly neglected to remove children's information when their parents made legitimate demands.

Epic Games must implement a privacy programme to secure client information and select a person or team to carry out the programme within 30 days. The programme must be reviewed by a third-party privacy expert. The programme must be examined annually for the next ten years, including analysing the risk of unlawful collection or dissemination of personal information and testing measures in place, with conclusions reported to a governing body or senior official.

The corporation must also provide annual COPPA Rule compliance training to all employees and contractors.

Epic Games must destroy the personal information of all players under the age of 13 within 60 days unless parents provide authorization for it to be maintained. Within 90 days, the developer must show the FTC it has destroyed the information and/or secured the requisite parental consents and the number of accounts affected.

“No developer creates a game with the intention of ending up here,” Epic Games said in a statement posted Monday on its website. “The video game industry is a place of fast-moving innovation, where player expectations are high and new ideas are paramount. Statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough.”

Epic Games said it also no longer saves customer payment information by default.

“We’ve agreed with the FTC to change this practice, and we now offer an explicit yes or no choice to save payment information,” the company said.



bottom of page