Earlier this week, Epic Games, maker of Fortnite, was fined over half a billion dollars by the Federal Trade Commission for violating children’s privacy and using dark patterns to mislead consumers into purchases. Beyond the hefty fines, this settlement is particularly noteworthy for one main reason: default settings that violated the privacy of kids and teens.
“Epic used privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children,” said FTC Chair Lina M. Khan.
The complaint mentions that Epic employees urged the company to change the default settings. Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings. And while it eventually added a button allowing users to turn voice chat off, Epic made it difficult for users to find, according to the complaint.
As a result of this settlement, Epic is now:
- Prohibited from enabling voice and text communications for children and teens until appropriate affirmative consent is attained through a privacy setting.
- Required to delete personal information previously collected from Fortnite users in violation of #COPPA.
- Mandated to establish a comprehensive privacy program that addresses the problems identified in the FTC’s complaint.
- Asked to obtain regular, independent audits.
Consumer #privacy is a major concern as platforms continue to harvest data, include new technology features and become increasingly connected. This settlement has a lot to unpack for platforms and services that are either child-directed or consumer-oriented. The implications go beyond just having a strong privacy program and regular audits. Those are just table stakes. Regulators are going upstream and evaluating technologies, practices and processes more closely when assessing consumer harm.
Here are some immediate #privacy-related actions you could take as you head into 2023. This is not an exhaustive list; it is meant to get you started and provide food for thought.
- If your business services kids in ANY way, if you have proof of actual knowledge (data, customer service transcripts, communications etc.), or if your content, visuals or language attract kids, then you ARE likely a child-directed business and COPPA applies to you. Conduct a thorough audit of your platform or service to check against COPPA requirements.
- Review parental consent mechanisms to ensure consent is obtained in a timely manner.
- If your business or service collected any form of user data, you have privacy obligations.
- Check default user settings, opt-ins / opt-outs, and notice and consent actions.
- Make deletion requests simple and accessible for all, including parents, and honor those requests / delete the data in a reasonable, allowable time frame.
- Test whether your user experience comes across as confusing or coercive in any way to a child, teen, parent or adult.
Check for #darkpatterns in your UX and CX:
- Is the ecommerce capability or purchase button configuration so counterintuitive, inconsistent, and confusing that it could incur unwanted charges?
- Is there a chance that your online store might charge credit card account holders without authorization? Would the charges go through without requiring any parental or card holder action or consent?
- Is the access to purchased content blocked in any way? Or are you not servicing purchase disputes correctly?
- Above all, have active cross-functional conversations with consumer privacy at the center. Invite product, marketing, privacy, legal, IT, finance and others to the table. You need to connect the dots across your organization. Everyone has a role to play, and user privacy can't be attained in a silo.
As 2023 rolls in, privacy will remain a never-ending topic that is going to take up our mind space. The FTC will continue to exert its authority and power in its jurisdiction. The current FTC is aggressive, strong, creative and faster than ever. Epic likely never expected to end up here, but it now has the arduous task of complying with the FTC order.
If your business model relies on harvesting user data as a revenue stream, it is critical that you make some hard pivots in your product, customer experience, and marketing. This applies to every #digital business, including #platforms, #gaming, #metaverse and #ecommerce. It is time to reflect, reset, refine and pivot towards responsible business practices.
Privacy Complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesComplaint.pdf
Dark Patterns complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/1923203EpicGamesComplaint.pdf
Privacy consent order: https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesSettlement.pdf
Dark Patterns consent order: https://www.ftc.gov/system/files/ftc_gov/pdf/1923203EpicGamesACCO.pdf