Epic Games to pay $275m penalty for violating children’s privacy law

Epic Games, the developer of Fortnite, has been hit with the largest civil penalty ever imposed for a Children’s Online Privacy Protection Act (COPPA).

The big fine is part of a settlement between the company, the US Department of Justice and the Federal Trade Commission (FTC) to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission Act. If the claims are proved in court, Epic Games will also be subject to a permanent injunction regarding the previously collected data.

“This historic civil penalty, totaling over a quarter-billion dollars, lays down a marker for online service providers everywhere,” said US Attorney Michael Easley for the Eastern District of North Carolina. “The unauthorized collection of personal information from children online violates the law. The Department of Justice and the Federal Trade Commission have a strong partnership and are committed to deterring violations.” 

Contact with adult players

In the complaint, which was filed in the US District Court for the Eastern District of North Carolina, the government is claiming that computer game Fortnite was designed and marketed to be used by children. The government also alleges Epic Games of having actual knowledge that the company was collecting personal information from children, including:

  • their names;
  • mail addresses;
  • identifiers used to keep track of players’ progress;
  • purchases;
  • settings;
  • and friends lists.

Epic Games did not notify parents that the company was collecting the children’s personal information, nor had verifiable parental consent for that collection, which is required by the COPPA Rule.

Epic Games is further alleged to have maintained default privacy settings that were unfair under Section 5 of the FTC Act, “in that the default privacy settings publicly broadcast child and teen Fortnite players’ display names and put children and teens in direct, real-time communication with adult Fortnite players”.

Vanita Gupta, Associate Attorney General. Photo: DOJ

“The Justice Department takes very seriously its mission to protect consumers’ data privacy rights,” said Associate Attorney General Vanita Gupta. “This proposed order sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.”

“Parents have a right to know and to consent before companies collect their children’s personal information,” said Principal Deputy Assistant Attorney General Brian M Boynton, head of the Department of Justice’s Civil Division. “The department is committed to enforcing the protections against unauthorized collection of information from consumers, particularly children.”

Unlawful practices

If the order is approved by the court, Epic Games will be prohibited from collecting personal information from children in a manner that violates the COPPA Rule. The company will also be prohibited from using the data that was previously collected – unless it obtains verifiable parental consent or imposes compliance reporting obligations upon Epic Games.

Lina M Khan, FTC Chair. Photo: FTC

The agreement also requires Epic Games to maintain default privacy settings that protect children’s and teens’ privacy, to delete certain previously collected personal information, and to maintain a comprehensive privacy program that protects certain data.

“As our complaint notes, Epic used privacy-invasive default settings that harmed young Fortnite players,” said FTC Chair Lina M Khan. “Protecting the public, and especially children and teens, from online privacy invasions is a top priority for the Commission, and this enforcement action makes clear to businesses that the FTC is cracking down on these unlawful practices.”