Epic Games / FTC $520M Settlement – what does this mean for Children's privacy in Europe?

As readers of this blog will be aware, protecting children's data online is becoming a key topic for lawmakers and regulators in Europe. Whilst so far there have been only a few high profile enforcement actions in Europe to guide companies in their compliance journey, this recent US settlement between the US Federal Trade Commission (FTC) and Epic Games, Inc. (makers of "Fortnite"), although occurring in the US, is important for three reasons.

Firstly, it extends the cross-Atlantic trend of enforcement in relation to protecting children. Secondly, it evidences the kind of protections which regulators in all jurisdictions may start to expect. Thirdly, it underlines the need to start thinking about a joined-up compliance strategy on both sides of the Atlantic. Related European issues include:

• the avoidance of dark patterns, as per the European Data Protection Board's guidelines;
• the creation of age appropriate communication services and default high privacy settings, as per the UK Age Appropriate Design Code (and a version of which is also coming to California!); and
• mechanisms for identifying and removing harmful and illegal content (such as hate speech), as per the EU's Digital Services Act and the UK's prospective Online Safety Bill.

What was the Epic settlement about?

The FTC announced on 19 December 2022 that it had secured an agreement with Epic to pay $520 million, made up of: a $275 million penalty for violating the Children's Online Privacy Protection Act ("COPPA") and $245 million in refunds for use of "dark patterns" that led customers into making unwanted charges. The company has since made its own announcement outlining the extensive changes it has made to its practices in the wake of the FTC's investigations.

In its federal court and administrative complaints the FTC sets out what it saw as the most concerning violations of COPPA and the FTC Act. In short, the allegations boiled down to:

1. Knowingly collecting personal data from children without first obtaining verifiable parental consent, particularly given evidence of Epic's marketing towards children and insufficient "age-gating".
2. Using default settings which enabled live text and voice communication between children, teens and adult strangers "on-by-default".
3. Using confusing button configurations which led players of all ages to make unintended game purchases (e.g. using the same square button to both preview different Fortnite character "skins" as well as to purchase them).
4. Allowing children to easily make in-game purchases without their parents' authorization by storing payment information for future purchases.
5. Locking the accounts of customers who disputed unauthorised charges with their credit card companies.
6. Using other "dark patterns" to deter users from cancelling or requesting virtual currency charge refunds (e.g. by reducing the size and prominence of the "undo" button, relabelling this a "cancel purchase" button, and requiring it to be held down rather than simply clicked).

What does this mean for businesses in Europe?

For international companies with a presence in both the US and Europe, designing a consistent compliance strategy which avoids these pitfalls will now be the challenge. Thankfully, Epic's experience here should provide some useful guidance.

On the same day as the FTC's announcement, Epic published its own update on the company's blog. Emphasising its "ambition to be at the forefront of consumer protection", the company set out in some detail the changes it was adopting. These included:

• Creating a new type of user account for players under 13 (or the country's age of digital consent) where certain features such as chat and purchasing are disabled.
• Implementing "high privacy default settings" for players under 18, as well as a mature language filter for players under 16.
• Increased parental controls to limit daily spending of under 13s, a parental PIN for players to accept friend requests or chat options, and restrictions on voice chat.
• Allowing instant cancellation of cosmetic purchases made with virtual currencies, and extending the window for these cancellations.
• Requiring a button to be held down (as opposed to simply clicked) for all in-game purchases.
• Updating its chargeback policy to only disable accounts when fraud indicators are present.
• Requiring an explicit "yes/no" choice for the saving of payment information.

Many of these could be replicated by other companies within their own products. For example, we would expect an explicit "yes/no" choice for saving payment information and "hold-to-buy" systems like those Epic uses for in-game purchases to quickly become the norm. However, others will require more thought. For example, if the use of distinct user accounts for children is the goal, businesses will need to review the age-gating tools they make use of, determine what default privacy settings would be appropriate in the context of their specific products, and consider the impact of excluding personalised recommendations for their business model. Companies will also need to carefully consider whether it is possible or desirable to take the same strategy in all jurisdictions in which their products are sold based on varying laws and market forces.

As Epic put it, "The old status quo for in-game commerce and privacy has changed" – and in the coming months a lot of existing assumptions are going to need to be revisited. 

With thanks to Trainee Solicitor, James Russell, for contributing to this article.