Epic Games has reached a $520 million settlement with the U.S. Federal Trade Commission (FTC) over allegations that the Fortnite creator violated online privacy laws for children and tricked users into making unintended purchases in the video game.
To that end, the company will pay a record $275 million monetary penalty for breaching the Children's Online Privacy Protection Act (COPPA) by collecting the personal information of Fortnite players under the age of 13 without seeking permission from their parents.
It will also pay $245 million to reimburse customers who were deceived by its dark pattern tricks into making accidental purchases, as well as for allowing children to rack up unauthorized charges through in-game content purchases without requiring any parental or card holder action or consent.
"Epic Games possessed actual knowledge that it collected personal information from children, including their names, email addresses, and identifiers used to keep track of players' progress, purchases, settings, and friends lists," the Justice Department said.
"Epic Games nonetheless failed to notify parents that it was collecting children's personal information and to obtain verifiable parental consent for that collection, as required by the COPPA Rule."
The American video game developer further drew scrutiny for enabling voice and text chat settings by default, in the process publicly broadcasting child and teen Fortnite players' display names, putting them in direct contact with adult gamers, and exposing them to bullying and harassment.
"Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings," the FTC said in a statement.
On top of that, the complaint also accused Epic Games of forcing parents to "jump through unreasonable hoops" to get their children's personal data deleted and making it difficult to find the option to disable voice chat.
As part of the proposed settlement, the company has been barred from turning on voice and text communications for children unless parents provide their affirmative consent. It has also been ordered to delete all the data it previously collected in contravention of the COPPA Rule.
Epic Games, however, can retain the data should it obtain permissions from parents or users who identify themselves as 13 or older through a neutral age gate.
The company, in response to the court order, said it accepted the agreement because "we want Epic to be at the forefront of consumer protection and provide the best experience for our players."
The development comes weeks after Epic Games announced Cabined Accounts as a way to offer a "safe and inclusive" experience for young users by disabling features like chat, personalized recommendations, and in-game purchases without a parent or guardian's consent.
"Epic used privacy-invasive default settings that harmed young Fortnite players," FTC Chair Lina M. Khan said. "Protecting the public, and especially children and teens, from online privacy invasions is a top priority for the Commission, and this enforcement action makes clear to businesses that the FTC is cracking down on these unlawful practices."