In a complaint filed today in the U.S. District Court for the Eastern District of North Carolina, the government alleged that Epic Games designed and marketed Fortnite for use by children. The government further alleged that Epic Games possessed actual knowledge that it collected personal information from children, including their names, email addresses, and identifiers used to keep track of players’ progress, purchases, settings, and friends lists. Epic Games nonetheless failed to notify parents that it was collecting children’s personal information and to obtain verifiable parental consent for that collection, as required by the COPPA Rule. The government further alleged that Epic Games maintained default privacy settings that were unfair under Section 5 of the FTC Act, in that the default privacy settings publicly broadcast child and teen Fortnite players’ display names and put children and teens in direct, real-time communication with adult Fortnite players.
“The Justice Department takes very seriously its mission to protect consumers’ data privacy rights,” said Associate Attorney General Vanita Gupta. “This proposed order sends a message to all online providers that collecting children’s personal information without parental consent will not be tolerated.”
“Parents have a right to know and to consent before companies collect their children’s personal information,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Department of Justice’s Civil Division. “The department is committed to enforcing the protections against unauthorized collection of information from consumers, particularly children.”
“As our complaint notes, Epic used privacy-invasive default settings that harmed young Fortnite players,” said FTC Chair Lina M. Khan. “Protecting the public, and especially children and teens, from online privacy invasions is a top priority for the Commission, and this enforcement action makes clear to businesses that the FTC is cracking down on these unlawful practices.”
“This historic civil penalty, totaling over a quarter-billion dollars, lays down a marker for online service providers everywhere,” said U.S. Attorney Michael Easley for the Eastern District of North Carolina. “The unauthorized collection of personal information from children online violates the law. The Department of Justice and the Federal Trade Commission have a strong partnership and are committed to deterring violations.”
In a proposed stipulated order filed today, Epic Games has agreed to pay $275 million in civil penalties, the largest civil penalty ever imposed for a COPPA violation. If approved by the court, the order will prohibit Epic Games from collecting personal information from children in a manner that violates the COPPA Rule. It will also prohibit Epic Games from using children’s personal information that was previously collected unless it obtains verifiable parental consent, and imposes compliance reporting obligations upon Epic Games. Further, the agreement requires Epic Games to maintain default privacy settings that protect children’s and teens’ privacy, to delete certain personal information of children that it previously collected, and to maintain a comprehensive privacy program that protects certain personal information.
This matter was handled by Trial Attorneys Michael Wadden and Josh Fowkes and Assistant Director Lisa Hsiao of the Civil Division’s Consumer Protection Branch. Andrew Hasty, James Trilling, and Amanda Koulousias represented the FTC.
For more information about the Consumer Protection Branch and its enforcement efforts, visit its website at https://www.justice.gov/civil/consumer-protection-branch. For more information about the FTC, visit its website at https://www.FTC.gov.
