Epic Games, the creator of Fortnite, was fined a record-breaking $520 million under a settlement it reached with the Federal Trade Commission (FTC). The gaming platform settled for the amount after the FTC found it in violation of the Children’s Online Privacy Protection Act (COPPA). The platform was also found guilty of engaging in unlawful, deceptive pricing practices. These practices, known as dark patterns, duped users into making unauthorized purchases.
In violation of the COPPA Rule, Fortnite collected information from children under 13. The company did this without parental consent, and thus it’ll incur $275 million for the violation. A further $245 million will go into refunding customers who fell for the dark-pattern pricing for in-game purchases. Commenting on the latter fine, Epic Games announced that it would pay the “245 million USD to the FTC to resolve concerns related to past designs”. It’ll also reconfigure its in-game settings.
This latest fine shows the regulators’ resolve not to cede an inch when it comes to protecting children online. “As our complaint notes, Epic used privacy-invasive default settings that harmed young Fortnite players,” said FTC Chair Lina M. Khan. “Protecting the public, and especially children and teens, from online privacy invasions is a top priority for the Commission, and this enforcement action makes clear to businesses that the FTC is cracking down on these unlawful practices.”
Fortnite’s COPPA Rule Violation
Fortnite is a free-to-play cross-platform game where players fight it out in a battle-royale format. The game, played by many children and teens, gathered email addresses, names, and other identifiers, including friends lists and purchases. Epic Games didn’t ask for parental consent when collecting such information on children.
COPPA requirements safeguard child privacy online and call on online services to conform to its mandated standards. Epic Games didn’t conform to these COPPA requirements while fully aware of its unlawful information collection.
A privacy complaint by the FTC alleged that Fortnite, through its default game settings, exposed children’s names and put them in direct voice chat with adults. Here, they were exposed to bullying, harassment, and aggressive language.
“Parents have a right to know and to consent before companies collect their children’s personal information,” stated Attorney General Brian M. Boynton. “The department is committed to enforcing the protections against unauthorized collection of information from consumers, particularly children.”
The $275 million is the largest ever civil penalty for a COPPA violation and serves to deter other violators. If the Federal Court approves it, the ruling will prohibit Epic Games from collecting personal information from children in this manner in the future.
Epic Games Used Dark Patterns to Dupe Customers
Besides the COPPA Rule violation, Epic Games also tricked gamers into making in-game purchases. Children, who don’t know any better, are especially liable to fall for these dark-pattern strategies and make mistaken purchases.
“The company has deployed a variety of dark patterns aimed at getting consumers of all ages to make unintended in-game purchases,” read the FTC statement. “Fortnite’s counterintuitive, inconsistent, and confusing button configuration led players to incur unwanted charges based on the press of a single button.”
Epic Games charged players while they tried to wake the game from sleep mode or when loading the screen. Game creators deliberately put the “review” and “purchase” buttons next to one another. This design led to hundreds of millions of dollars in unauthorized charges.
The FTC has, in the past, leveled similar charges against Apple, Amazon, and Google. In these instances, children were allowed to make purchases without parental consent. User allegations even claimed that Epic Games blocked the accounts of those who disputed the unauthorized charges with their credit card companies.
The gaming platform threatened these customers with lifetime bans if they continued disputing charges. Refund and cancel purchase features were purposefully obscured, making them hard to find. And when users lodged complaints, Epic Games intentionally ignored them.
Implications for Online Service Providers
The regulator has recently cracked down on social and gaming platforms. This means all online service providers collecting user information must be careful about how they treat data, particularly regarding children. COPPA compliance is unavoidable going forward. The Department of Justice, with the FTC, has made it clear that it’ll leave no stone unturned regarding child safety online.
Data protection is a topical issue. Companies will have to bear responsibility if violations occur due to lax policies or criminal breaches. Though Epic Games intentionally used child information and misled customers to make in-game purchases, third-party actors who gain access to user credentials are more serious threats. In a credential-stuffing attack on the betting company DraftKings, cybercriminals compromised 67,000 accounts.
The best way to prevent such attacks is by using powerful firewalls, robust network security, multi-factor authentication, and regular patch management. Automated patching is particularly important because it covers known vulnerabilities that cybercriminals can exploit.
The FTC is tightening its grip over the video games industry and is currently blocking the $69 billion Microsoft acquisition of Activision Blizzard over its suppression of competition.
Cybersecurity Dangers of Online Gaming
Cybercriminals usually exploit online gaming platforms to launch large-scale cyberattacks. The free gaming platforms allow them to exploit voice chats with displayed usernames, alongside in-game payments and microtransactions, to gain user credentials.
Cybercriminals can easily gain further information from children and launch social engineering attacks. In chats, malicious actors also peddle harmful malware in the form of gaming tools, baiting unsuspecting gamers into downloading them.
Epic Games has committed to revising its settings to eradicate its deceptive pricing practices. But the record-breaking fine of $520 million will serve to nip in the bud any future violations of the same nature.