If your website, app or game targets kids (or sort of targets kids) and you haven’t been taking your obligations under the Children’s Online Privacy Protection Act of 1998 seriously, then maybe this will be the wake-up call you needed.
The Federal Trade Commission has fined Epic Games, the maker of Fortnite, a total of $520 million. Of that, $275 million are for COPPA violations (the largest COPPA fine ever) and $245 million are for dark patterns.
“Epic put children and teens at risk through its lax privacy practices, and cost consumers millions in illegal charges through its use of dark patterns,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Under the proposed orders announced today, the company will be required to change its default settings, return millions to consumers, and pay a record-breaking penalty for its privacy abuses.
A. Figure out whether you target your service at kids:
- This includes being aware than many kids are using your service, as shown through surveys of users, licensing and marketing of merchandise, player support and other company communications.
- Consider also actual knowledge of the ages of your users. Internal communications were reviewed with statements like: “a large portion of our player base” consists of “underage kids,” acknowledged Fortnite’s “high penetration among tweens/teens,” flagged “that Fortnite is enjoyed by a very young audience at home and abroad,” and described putting on Fortnite “dance cam,” “makeup booth (for kids),” and other events at public gaming conferences (where most attendees were “very young.”)
- Consider also: The factors set forth in the COPPA Rule, including the game’s subject matter, use of animation, child-oriented activities and language, music content and evidence of intended audience
- Consider statements like: “We want to be living room safe, but barely. We don’t want your mom to love the game – just accept it compared to alternatives” and “Agree with the idea that, generally, all theming should be relevant to a 8-14 y.o., as a litmus test.”
- Consider television commercials targeting those aged 12-17 that aired on the Cartoon Network, Nickelodeon, and Nicktoons (Epic-Jazwares), and video advertisements on YouTube and Twitch intended to reach “Fortnite fans 8-12” and “Fortnite fans 13-21.”
B. If you do:
- Don’t put a standard “COPPA doesn’t apply to me” verbiage in your privacy notice.
- You must get verifiable parental consent before collecting the kid’ personal information.
- Your default settings must be privacy friendly – this means: No live on-by-default text and voice communications for users (especially if your service matches children and teens with strangers to play together). Going forward, this can only be enabled with affirmative consent (of users, and for under 13s – of the parents).
- It also means you should not, on default: enable the public broadcast of players’ display names and direct communication between players, regardless of a player’s age.
- Ordered to delete all Personal Information that is associated, at the time of the Compliance Date, with any Fortnite user, unless: 1) the user has provided age information through a neutral age gate identifying the user as age 13 or older; or 2) Epic has provided direct notice and Obtained Verifiable Parental Consent.
- Permanently restrained and enjoined from:
- Disclosing a Child or Teen’s Covered Information.
- Enabling a Child or Teen to disclose their Covered Information.
- Enabling a Child or Teen to converse with or be party to conversations between or among, any other user of the Covered Product or Service.
- For a Child user, the Child’s Parent has provided, and not withdrawn, their Affirmative Express Consent through an easily-located Privacy Setting.
- For a Teen user, the Teen (or the Teen’s Parent) has provided, and not withdrawn, their Affirmative Express Consent through an easily-located Privacy Setting.
- Ordered to establish and implement, and thereafter maintain, a comprehensive privacy program.
- Ordered to obtain initial and biennial assessments by a third party.
- Ordered to provide the FTC an annual certification from the Principal Executive Officer.
- You cannot use dark patterns (and specifically, counterintuitive, inconsistent and confusing button configurations) to get players (of any age) to incur unwanted charges based on the press of a single button. In this case: Players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen, or by pressing an adjacent button while attempting simply to preview an item.
- You can’t allow children to rack up in app charges without parental consent.
- You can’t ignore complaints with respect to your practices.
- You can’t restrict access to accounts because expenses are disputed.
- Restrained and enjoined from denying, temporarily or permanently, a consumer’s access to or use of his or her account, including any paid-for goods or services, for reasons that include the consumer’s dispute of a Charge.
- Restrained and enjoined from billing an Account Holder for any Charge without having obtained Express, Informed Consent for the Charge.
If it gets Express, Informed Consent to billing potential future Charges (other than future royalty payments owed by the user based on revenue the user derives from use of an Application), Epic must provide the Account Holder with a simple mechanism to revoke consent at any time.
Such mechanism must not be difficult, costly, confusing or time consuming, and must be at least as simple as the mechanism the consumer used to initiate the Charge(s).
For more information:
Privacy Complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesComplaint.pdf
Privacy Consent Order: https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesSettlement.pdf
Dark Patterns Complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/1923203EpicGamesComplaint.pdf
Dark Patterns Consent Order: https://www.ftc.gov/system/files/ftc_gov/pdf/1923203EpicGamesACCO.pdf