Fortnite Dev to Pay $520m in Record-Breaking Settlement

Gaming giant Epic Games will pay the FTC hundreds of millions of dollars to settle two blockbuster allegations relating to children’s privacy and its use of so-called “dark patterns.”

The payments apply against two charges: $275 related to violating the Children’s Online Privacy Protection Act (COPPA), and $245 million to refund consumers for its apparently shady billing practices.

The gaming firm, which produces the wildly popular Fortnite title, broke the COPPA law in two key ways: collecting data from children without first obtaining parents’ verifiable consent, and harming young players by automatically enabling “live on-by-default” text and voice communications for users.

The latter exposed children to cyber-bullying, harassment and other traumatizing incidents, according to the FTC. The regulator also claimed that when parents asked the firm to delete their children’s data, they were made to jump through unreasonable hoops – or else Epic simply didn’t honor these requests.

Separately, Fortnite’s use of dark patterns tricked players into making unwanted payments, the FTC said.

It described a “counterintuitive, inconsistent and confusing button configuration” that could lead to a single button press incurring charges. In addition, children were able to incur charges without cardholder consent until 2018, and Epic locked the accounts of customers who dispute unauthorized charges, the FTC claimed.

“As our complaints note, Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children,” said FTC chair, Lina Khan.

“Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”

Alongside the record civil penalty, a court order will prevent Fortnite from enabling voice and text communications for children by default, unless parents or teenage users provide consent.

All data on children collected in violation of COPPA must be deleted and Epic must establish a comprehensive privacy program to address the problems outlined in the complaint.

Editorial credit icon image: DANIEL CONSTANTE /

What’s Hot on Infosecurity Magazine?