Jack Tadman

CONTACT US

Fortnite Lawsuit Royale – Chapter 2: COPPA & The FTC Act

Eleven days after a judge certified a class action against Epic Games (“Epic”) in Québec, Epic was ordered to pay $520 million in fines to the US Federal Trade Commission (“FTC”). Of those, $275 million were for violating US consumer protection laws, including the Children’s Online Privacy Protection Rule (“COPPA”)1and the Federal Trade Commission Act (the “Act”)2. The judge ordered Epic to pay $245 million for “dark patterns and billing practices”3. This chapter of our Fortnite Lawsuit Royale series will examine Epic’s COPPA and Act violations. We will look into the implications for game developers and businesses that market their products or services to children under 13 (“Children”). 

US Consumer Protection Statutes 

The principal consumer protection statute in the US is known as the Consumer Protection Act, enforced by the FTC. The Act is in place to prevent unfair or deceptive acts or practices in commerce and competition in the US. Engaging in such actions can result in fines of up to $50,120.00 per violation.4

COPPA is another consumer protection statute enforced by the FTC. It prohibits unfair or deceptive practices regarding the collection, use, or disclosure of Children’s personal information on the internet. COPPA applies to any commercial website or online service (“Operators”) that is (1) directed to US Children and (2) collects, uses, or discloses personal information from Children.5 US-based Operators that collect information from foreign Children are also subject to COPPA. Penalties for violating COPPA can carry fines of up to $46,517 per violation. 

Violation #1 – Epic Failed to Notify Parents and Obtain Appropriate Consent

Establishing that an Operator directs its products or services to children is considered a violation of COPPA.

To prove that Fortnite is directed at children, the FTC argued (in the “Complaint”) that: 

  • Fortnite has cartoon graphics and colorful animations, and there is no blood or gore in the game; 
  • Epic stated that the reason behind the name “Fortnite” was due to a common childhood experience of fort-building; 
  • Epic has made millions in royalties by selling Fortnite toys, costumes, and youth apparel, with some products stating that its target demographic is “kids 6-9” or “6-11-year-old boys”
  • Epic’s 2019 player survey showed that 53% of US children aged 10-12 played Fortnite weekly

Considering Epic’s considerable fine for violating COPPA, it’s clear the court agreed that Fortnite is aimed at children. So how did Epic violate COPPA? COPPA requires Operators, among other things, to:7

  • Have a privacy policy that outlines what information it collects from Children, how it uses such information, and how it discloses such information
  • Obtain verifiable parental consent via a direct notice to the parents before any collection, use, or disclosure of Children’s personal information 
  • Provide a reasonable means for a parent to review the personal information collected from their child, revoke consent for the Operator to use the information, or require the Operator to delete the information. Parents should be able to exercise these rights in ways that are not “unduly burdensome”

According to the Complaint, from July 2017 until September 2019, Epic failed to provide direct notice to parents. It failed to obtain appropriate consent from parents regarding the collection of Children’s personal information. Instead, Epic provided brief statements in its privacy policy outlining that (i) Epic did not direct its services to Children or intentionally collect personal information from Children and (ii) parents could contact Epic if they believed Epic had mistakenly received personal information from a Child.8 These were held to be insufficient measures to comply with COPPA’s consent and disclosure requirements. 

The Complaint further outlined that when parents contacted Epic to review or delete their Children’s information, Epic sometimes made parents go through unreasonable steps to verify their parental status.9 For example, when parents were able to provide the requested information to verify their parental statuses such as providing the Child’s IP address or console ID, Epic made some parents provide even more information, such as the name of a cosmetic item their Child purchased more than 30 days ago and a recent rent or mortgage statement. 

Violation #2 – Default Settings Harmful to Children and Teens

Another allegation by the FTC stated that Fortnite’s former default communication settings violated the Act. The Act prohibits practices that cause or may cause harm to a consumer.10 

Between October 2017 and June 2018, Fortnite’s default settings allowed a user’s account name, voice, and text communications to be seen and heard by other users.11 The FTC argued that these default settings caused Children to be harmed through bullying, threats, and sexual assault provided examples of Children being told to “kill themselves,”12 and allowed Children to be solicited by predators to engage in illicit activity offline.13

The Court agreed that, in contravention of the Act, the default settings harmed consumers. 

Order 

  • As a result of the aforementioned COPPA and Act violations, Epic was ordered to pay $275 million to the US Treasury and was ordered to:14 
  • Delete all user personal information unless a user has identified as over 13 years old or has provided verifiable parental consent
  • Prevent users from communicating with other Fortnite players unless a Child or Teen (aged 13-17 – “Teen”) parent has provided affirmative, express consent
  • Implement a comprehensive privacy program to ensure compliance with COPPA
  • For the next 10 years, provide annual reports to the FTC certifying the compliance of its updated privacy program

Lessons Learned: COPPA and FTC Act Compliance

Epic’s settlement with the FTC provides substantial implications for any businesses that target or may target Children. 

As Epic’s actions showed, it is insufficient to attempt to contract out of COPPA’s obligations simply by stating the Operator does not intentionally target Children in its privacy policy. If it’s possible that your service targets Children, ensure your privacy policy (i) complies with COPPA’s privacy policy requirements and (ii) provides clear procedures on how parents can exercise their rights regarding their Child’s information. 

If your service allows direct communication between users:

  • Do not have direct communication as a default setting, especially if Children use the service. Communication settings that require users to “opt-in” are a safer option to ensure users understand the risks of enabling this feature.
  • If there is the knowledge that Children are using the service, obtain verifiable parental consent before permitting Children to access the service’s communication features.

If you would like to discuss your service’s features or privacy policy, please reach out to zach@gamblinglaw.caor jack@gamblinglaw.ca

1 Children’s Online Privacy Protection Rule (“COPPA”), 15 U.S.C. 6501-6508.
2 FTC Act (“The Act”), 15 U.S.C. Sec. 45.
3 Epic Games to Pay More than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges, Federal Trade Commission, December 19, 2022. 
4 FTC Publishes Inflation-Adjusted Civil Penalty Amounts for 2023, Federal Trade Commission, January 6, 2023.
5 Complying with COPPA: Frequently Asked Questions, Federal Trade Commission, July 2020.
6 United States v. Epic Games, Inc. Complaint (the “Complaint”), No. 5:22-CV-00518 at para 19, 20, 25 & 29.
7 COPPA at §312.3(a)-(c).
8 The Complaint at para 49.
9 Ibid at para 50.
10 The Act at Sec. 5(a)(4)(A)(i).
11 The Complaint at para 3.
12 The Complaint at para 41.
13 Concurring Statement of FTC Commissioner Christine S. Wilson, Matter No. 2223087, December 19, 2022.
14 United States v. Epic Games, Inc. Stipulated Order, No. 5:22-CV-00518 at Sections II(A), III, IV, V, VII, and VIII.
Categories
Recent Posts

Related Posts