FTC Obtains Record Penalties from Video Game Company Amidst Growing Privacy and Consumer Protection Enforcement Trends

On December 19, 2022, the Federal Trade Commission ("FTC”) announced that Epic Games, Inc. (“Epic”)—creator of the well-known video game Fortnite—agreed to pay a total of US$520 million pursuant to two settlements for violating the Children’s Online Privacy Protection Act (“COPPA”) and deceiving users to make unwanted purchases in violation of the FTC Act. These settlements, which are the largest in the FTC’s history, will require EPIC games to refund consumers and implement more protective privacy practices. 

First launched in 2017, Fortnite is an open-world “survival” game where players collect resources, build structures, and battle to stay alive until only one player remains. It has quickly grown to become one of the most popular video games in the world, with over 400 million users. Although the game is free to download and play, Epic sells in-game items like character costumes, dance moves, and tools. These items can be purchased using the game’s medium-of-exchange currency, “V-Bucks.”

The FTC filed an administrative complaint against Epic for allegedly employing “dark patterns” to lure users into making unintentional in-game purchases. The complaint alleges, for example, that Epic configured the “purchase” buttons on player controls in confusing and inconsistent ways, and designed purchases to be completed with the push of a single button. This allowed in-game purchases to be made, among other ways, while players pushed certain buttons to wake the game from sleep mode or while attempting to preview certain items. It was not until June 2020, following the launch of the FTC’s investigation, that Epic began requiring more than the push of a single button to complete purchases. In the case of younger consumers, Epic’s practices also allowed for purchases to be made without parental consent or involvement because V-Bucks purchases did not require a credit card at the time of purchase.

Epic allegedly received more than one million complaints for unwanted purchases. The FTC alleged that Epic responded to these complaints by deactivating those users’ Fortnite accounts, causing them to lose their in-game purchases, and then threatening to permanently ban them if they submitted additional disputes. The FTC asserted that Epic’s billing and account suspension practices violated Section 5(a) of the FTC Act, which prohibits deceptive acts that “cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” In this settlement, Epic agreed to pay the FTC US$245 million, which will be used to refund aggrieved consumers, and to cease the deceptive billing and account suspension practices.

Separately, in a complaint filed in federal court, the FTC alleged that Epic violated COPPA by (1) collecting personal data from Fortnite players under 13 without notifying and obtaining the consent of their parents; and (2) enabling, as a default setting, live text and voice communications while matching Fortnite players together for games, thus exposing children and teens to bullying, threats, harassment, and other traumatizing issues like suicide. The complaint further points out that Epic was aware of these issues as early as 2017, but resisted modifying these default settings. Over time, Epic introduced a feature to silence the voice chat that was nonetheless difficult to find.

The US$275 million penalty that Epic agreed to pay for violating COPPA marks the largest penalty ever imposed by the FTC. Pursuant to the settlement, Epic is also prohibited from enabling live voice and text communications for players under 13 without affirmative consent from their parents. Additionally, the settlement requires Epic to delete previously collected information that violated COPPA’s parental notice and consent requirements, unless it retroactively obtains parental consent. Going forward, Epic must also develop and establish a comprehensive privacy program that includes periodic, independent audits to prevent the privacy problems that led to the COPPA violations. Vanita Gupta, an Associate Attorney General from the Department of Justice, which filed the complaint on behalf of the FTC, commented that it “sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.”

The actions against Epic illustrate a growing trend of FTC scrutiny of business practices relating to privacy and consumer protection. They also demonstrate the significant increase in penalties the FTC is willing to seek. By comparison, in the FTC’s 2019 settlement with Google’s subsidiary, YouTube, the US$136 million that YouTube paid as a penalty for violating COPPA previously marked the largest amount collected by the FTC since the law was enacted in 1998. Companies that operate a website, video game, or online application that could be viewed as directed to children under 13 should be particularly mindful of this increased focus. These companies should ensure that before launching a webservice or application, they have evaluated whether their potential consumer population includes children 13 years old and younger and implemented appropriate privacy protections, including notice and parental consent. These companies should also carefully evaluate whether online purchases and other functionality are conducted in a transparent and non-deceptive manner.  

O’Melveny & Myers has extensive experience advising on these issues and working with clients to develop practical solutions to satisfy privacy requirements and minimize enforcement risk. Please reach out to any of the contacts included here, or any member of our Data Security and Privacy group.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, and Juan Antonio Solis, an O'Melveny associate licensed to practice law in Texas contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.