Two Epic Cases from the FTC: Spotlight on COPPA, Unfairness, Teens, Dark Patterns, In-App Purchases, Cancellations, and More
Just in time for the holidays, the FTC has released two companion settlements resolving allegations that Epic Games (maker of the popular video game Fortnite) violated the Children’s Online Protection Act (COPPA) and the FTC Act, with Epic to pay $520 million in penalties and consumer redress. The cases build on existing FTC law and precedent but add new dimensions that should interest a wide array of companies subject to FTC jurisdiction.
Notably, the first case alleges COPPA violations (compromising the privacy and safety of users under 13) but adds allegations that Epic violated teens’ privacy and safety, too. And the second case alleges unauthorized in-app purchases – not just by kids, which was the focus of earlier FTC cases, but by users of all ages. Both cases rely on unfairness theories in extending their reach. Both incorporate the (now ever-present) concept of dark patterns (generally defined as practices that subvert or impair user choice). And both got a 4-0 Commission vote, with a strong concurrence from Republican Commissioner Wilson explaining her support for the FTC’s use of unfairness here. Neither case names any individuals.
The privacy case
The FTC’s privacy case alleges that, for over two years following Fortnite’s launch in 2017, Epic allowed kids to register with no parental involvement, and for kids and teens to play the game with features enabling them to communicate in real time with anyone on the platform. According to the FTC, these practices subjected kids and teens to bullying, harassment, threats, and “toxic” content, including “predators blackmailing extorting, or coercing children and teens…into sharing explicit image or meeting offline for sexual activity.” Further, says the FTC, Epic knew about these problems, resisted fixing them and, when it finally took action, added controls that were hard to find and use, and failed to cure the violations.
The complaint includes two counts. First, it alleges that that EPIC violated COPPA because it operated a website directed to children (based on e.g., visual content and features, merchandising tie-ins, and audience composition); knew specific users were kids (based on player requests, reports, and complaints): and failed to comply with COPPA’s notice, consent, access, and deletion requirements.
Second, the FTC alleges that EPIC engaged in an unfair practice by operating a “ubiquitous, freely available” video game that was directed at children and teens and that, through default settings allowing real time social interaction, put children and teens at risk of substantial injury.
Under the order, Epic must (1) fully comply with COPPA; (2) delete data collected in violation of COPPA; (3) provide default settings that prevent interaction between minors and other users, unless Epic obtains affirmative express consent from parents or teens or, alternatively, the user identifies as 13 or older through a neutral age gate; (4) implement a privacy program with third party assessments for 20 years; (5) submit annual certifications from Epic’s chief executive (for not just Epic, but certain affiliated companies); and (6) pay $275 million in civil penalties. The order’s definition of “affirmative express consent” prohibits the use of dark patterns.
What’s new or notable here? For one thing, the case provides further insight into how the FTC analyzes the “directed to children” element of COPPA (and to a lesser extent, “actual knowledge”), with detailed discussion of the factors it considered in the analysis. For another, the penalty is the largest ever obtained in a COPPA case and, according to the FTC, in any FTC rule violation matter. Of perhaps greatest significance, though, is FTC’s decision to address teen privacy in this case. Indeed, amidst all of the public discussion and concern about teen privacy (and on the same day Congress declined to include kid/teen privacy legislation in the end-of year omnibus package), the FTC announced a teen privacy case based on its existing FTC Act authority, with a 4-0 vote.
The dark patterns case
The FTC’s second settlement with Epic, framed in the press release as an “illegal dark patterns case,” is strikingly similar to the FTC’s earlier cases against Apple, Google, and Amazon involving unauthorized in-app charges by kids, but with some new elements. (In a prior post, we said that those three cases were essentially dark patterns cases but without the “catchy term.” I guess we were prescient!)
In brief, the complaint here alleges that Epic charged accountholders for purchases that weren’t authorized – either because accountholders weren’t told about, and didn’t authorize, their kids’ purchases, or because they themselves incurred unwanted charges due to poor disclosures and a deliberately confusing purchase flow.
At the same time, the complaint alleges, Epic designed the process for canceling purchases and seeking refunds to be difficult and cumbersome, and even deactivated user accounts (removing allof the user’s content) when users attempted to dispute unauthorized charges. According to the FTC, users incurred billions of dollars in unwanted charges. Further, despite receiving thousands of complaints and acknowledging the issues in internal emails (and even after the FTC took action against Apple, Google, and Amazon for similar practices), Epic failed to correct the problem.
The complaint contains two counts. First, it alleges that Epic engaged in unfair billing practices by charging users for in-app purchases without express informed consent from the accountholder. Second, it alleges that Epic unfairly denied consumers access to their accounts after they disputed unauthorized charges.
The order, in turn: (1) prohibits charging any user without express informed consent; (2) in the case of consent for continuing charges, requires that consumers be able to revoke consent at any time, using a mechanism that isn’t difficult, costly, confusing, or time-consuming, and is as simple as the mechanism used to initiate the charges; (3) enjoins Epic from denying someone access to their account “for reasons that include” disputing a charge; and (4) obtains $245 million in refunds.
What’s new or notable in this case? First, as already mentioned, the case extends, not just to obviously-unauthorized in-app purchases by kids, but also to purchases by older users. Second, the FTC is once again focusing on ease of cancellation (see our post on the FTC’s Vonage settlement), requiring that cancelling recurring charges be just as simple and frictionless as signing up. Third, the FTC appears to be saying that deactivating accounts following the dispute of charges is per se illegal (and, due to the broad wording of the injunction, that companies can never cancel an account for this or any other reason).
Finally, this is an example of the FTC’s continuing ability to obtain consumer redress post AMG. In a case like this, where no rule violations have been alleged, the FTC would normally be forced to pursue redress using a two-step process – an administrative action, followed by a federal district court action. Here, Epic has simply agreed to pay redress in one step.
Why two cases and not one?
Some readers might be wondering why the FTC split this matter into two cases. Under the FTC Act, the agency must refer any civil penalty case (here, the COPPA/privacy case) to the Department of Justice for filing in federal district court. By contrast, as discussed above, the FTC must initiate an administrative action to obtain redress in non-rule matters (here, the dark patterns case). While there may be some theory for consolidating both cases into one DOJ action, that would be exceedingly complicated – even more so than the shortcut the parties agreed to here. These cases were also handled by two different FTC divisions, which also may have weighed in favor of bifurcation.
* * *
One last thing – as if the cases themselves weren’t enough to digest, it’s worth taking a look at Epic’s post on the topic, explaining that the laws haven’t kept pace with technological developments but fully embracing the principles and requirements laid down in the settlements.