IMAGE: Erik Mclean/Unsplash

Epic Games agrees to pay record-breaking $520 million for privacy violations

Epic Games, the developer of the popular video game Fortnite, agreed to pay $520 million over allegations the company violated digital privacy protections for children and used so-called “dark patterns” to trick users into making unintentional purchases, the U.S. Federal Trade Commission (FTC) announced Monday.

The agency, which oversees antitrust and consumer protection enforcement, said the agreement consisted of two separate record-breaking settlements. One triggered by a court order filed by the Department of Justice on behalf of the FTC involves a $275 million penalty for violating the Children’s Online Privacy Protection Act (COPPA). It is the largest penalty ever obtained for violating an FTC rule, the agency said, and Epic will be required to adopt “strong privacy default settings for children and teens.”

The second involved an order for Epic to pay $245 million to refund customers for its dark pattern and billing practices. It is the largest administrative order in history, and the FTC’s largest refund amount in a gaming case.

"As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children," said FTC Chair Lina Khan. "Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the Commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”

Epic Games, based in Cary, North Carolina, develops one of the most popular video game engines, as well as video games including Fortnite, Gears of War and Infinity Blade. Fortnite, its runaway hit, had roughly 400 million registered users in 2021, and is especially popular with children and teenagers.

The FTC alleged in a complaint filed in federal court that Epic violated COPPA by collecting information from children without obtaining their parents’ consent, and violated a prohibition against unfair practices by enabling real-time voice and text chat communications for children and teens by default.

“As early as 2017, Epic employees urged the company to change the default settings to require users to opt in for voice chat, citing concern about the impact on children in particular,” the FTC said in its announcement. “Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings.”

In the dark pattern complaint, the FTC alleged that Epic used techniques such as “counterintuitive, inconsistent, and confusing button configuration” to trick users into making purchases, charged account holders without authorization and blocked access to purchased content.

“Epic ignored more than one million user complaints and repeated employee concerns that ‘huge’ numbers of users were being wrongfully charged,” the FTC said. “In fact, Epic’s changes only made the problem worse… Using internal testing, Epic purposefully obscured cancel and refund features to make them more difficult to find.”

In a statement on Monday, Epic announced a number of steps it has taken and will take in the future to address the FTC’s allegations. 

“The old status quo for in-game commerce and privacy has changed, and many developer practices should be reconsidered,” the company said. “We share the underlying principles of fairness, transparency and privacy that the FTC enforces, and the practices referenced in the FTC’s complaints are not how Fortnite operates. We will continue to be upfront about what players can expect when making purchases, ensure cancellations and refunds are simple, and build safeguards that help keep our ecosystem safe and fun for audiences of all ages.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Adam Janofsky

Adam Janofsky

is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.