Lessons from Epic Games' $520M COPPA Settlement: What Every Digital Business Should Know
Introduction
In December 2022, the Federal Trade Commission announced a landmark settlement with Epic Games, the creator of the wildly popular video game Fortnite. The $520 million penalty—the largest ever imposed for violations of children's privacy and consumer protection laws—sent shockwaves through the digital industry. But this settlement is far more than a cautionary tale about one company's missteps. It represents a fundamental shift in how regulators approach digital privacy, consumer protection, and the design practices that companies deploy to drive revenue. Understanding the lessons from this case is essential for any organization that collects user data, offers in-app purchases, or caters to a young audience.
The Violations: A Two-Pronged Attack
The FTC's action against Epic Games comprised two separate but equally serious allegations:
COPPA Violations: Children's Privacy Without Consent
The first complaint alleged that Epic Games violated the Children's Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 without obtaining verifiable parental consent. This sounds straightforward, but the complexity lies in how Epic argued—and lost—about whether Fortnite was even subject to COPPA in the first place.
Epic maintained that Fortnite was not "directed at children" and that the company lacked "actual knowledge" that children under 13 were playing the game. However, the FTC disagreed, presenting compelling evidence: the game's cartoon graphics, non-violent laser-tag mechanics, inclusion of music events from artists popular with children, and licensing deals for child-themed toys and merchandise. Internal Epic communications further contradicted the company's position, revealing that employees were fully aware of the young demographic using the platform.
The violation was particularly egregious because Epic didn't just collect basic information. The company directly collected children's full names, email addresses, and usernames—and enabled real-time voice and text chat communications by default. This last practice created a particularly troubling situation: children could be matched with adults in multiplayer games, exposing them to bullying, harassment, threats, and what the FTC described as "psychologically traumatizing issues such as suicide."
As part of the settlement, Epic agreed to pay $275 million—the largest COPPA penalty ever imposed—and implement strict requirements including deleting previously collected children's data and disabling voice and text chat by default.
Dark Patterns: Design Tricks and Deceptive Billing
The second complaint targeted Epic's use of "dark patterns"—deceptive user interface design tricks intended to manipulate users into making unintended purchases. This aspect of the settlement yielded a $245 million consumer refund, the largest refund amount in any FTC gaming case.
The dark patterns identified in the complaint paint a picture of deliberate, systematic manipulation:
Confusing Purchase Buttons: Epic positioned the button to preview merchandise dangerously close to the purchase button on mobile devices. A simple misclick—easily done on a small screen—would trigger an unauthorized charge.
Inconsistent Design: On PlayStation, the cross button could preview items for some products but initiate purchases for others. This counterintuitive design led players to accidentally spend money.
Buried Refund Options: While making purchases was effortless, requesting a refund required navigating a difficult path through the Settings tab. The FTC alleged this was deliberate obfuscation designed to discourage refund requests.
Account Lockouts: When customers disputed unauthorized charges with their credit card companies, Epic locked their accounts entirely—depriving them of access to content they had legitimately purchased. Some accounts contained thousands of dollars in legitimate purchases, yet customers lost access to everything.
The scale of harm was massive. Epic ignored more than one million user complaints about unauthorized charges. Even more damning, the company's own employees raised these concerns repeatedly and recommended standard industry safeguards like requiring CVV number confirmation before charges. Yet Epic rejected these suggestions, with internal reasoning citing concerns that such protections would reduce "impulse purchases."
Key Lessons for Digital Businesses
Lesson 1: Intent Matters Less Than Impact
One of the most important takeaways from the Epic settlement is that companies cannot hide behind technical arguments about whether they "really" target children or have "actual knowledge" of a young user base.
The FTC has moved beyond requiring explicit targeting. If your product's design, marketing, or content has clear appeal to children, and if substantial numbers of children use your service, COPPA applies—period. This represents an expansion of the regulation's reach and a shift in enforcement philosophy.
For any digital business, the implications are straightforward: conduct a genuine assessment of your user base. If you have evidence—through surveys, user research, demographic analysis, or simply observable facts about your product—that children under 13 are using your service, you must comply with COPPA requirements. Don't hide behind the hope that regulators won't notice.
Lesson 2: Default Settings Are a Critical Compliance Tool
The Epic settlement marked an important first: it was the FTC's first COPPA settlement to require enhanced privacy protections for teens, not just younger children.
Epic was required to disable voice and text communications by default for all users under 18. This represents a paradigm shift away from the principle of "privacy-invasive defaults" that many digital services had embraced. Companies had long operated under the assumption that if a feature is valuable enough, they could activate it by default and let users opt out if they objected. The Epic settlement demolishes this approach.
Lesson for businesses: Review your default settings through the lens of privacy and safety, not engagement optimization. Ask yourself: Does this default setting prioritize user welfare, or does it prioritize our business metrics? If you cannot confidently answer that it prioritizes user welfare, change it.
Lesson 3: Listen to Your Users and Employees—They Will Tell You Where You're Wrong
One of the most striking aspects of the FTC's complaint is how thoroughly the agency documented Epic's awareness of its own problems. The company received more than one million complaints from users about unauthorized charges. Internally, employees flagged the issues repeatedly, recommending standard protective measures.
Yet Epic not only ignored these signals—it doubled down, making some problems worse. For example, the company made changes to its payment system that the FTC alleged actually increased unintended charges rather than preventing them.
This represents a critical lesson about governance and risk management. The fact that users and employees are complaining about a practice should trigger an immediate review, not a defensive posture. Sophisticated companies establish processes to systematically identify, escalate, and address such complaints. If you're receiving repeated complaints about billing practices, privacy concerns, or design clarity, treat those as regulatory red flags.
Lesson 4: "Reducing Impulse Purchases" Is Not an Acceptable Reason to Reject Privacy Safeguards
The FTC complaint quotes an internal Epic email acknowledging that adding confirmation screens before purchases would prevent unintended charges but stating that Epic had rejected this approach because it would reduce "impulse purchases."
This reasoning—while perhaps honest in the internal discussion—has become legally and ethically indefensible. The FTC and broader consumer protection framework have now made clear: if a protection would reduce unauthorized or unintended charges, you must implement it, even if it reduces your total purchase volume.
This extends beyond just confirmation screens. Any design decision that trades consumer clarity and control for increased transaction volume is now a regulatory target. The days of "dark UX patterns" as a legitimate business optimization are over.
Lesson 5: Expansion of "Personal Information" and Data Deletion Obligations
The COPPA Rule was updated in January 2025 (effective June 23, 2025), and these updates were significantly informed by the Epic case. The new definition of "personal information" now explicitly includes biometric identifiers and government-issued identification numbers beyond Social Security numbers.
Furthermore, Epic was required to delete all personal information previously collected from children under 13 unless it obtained retroactive parental consent or the user self-identified as 13 or older through a neutral age gate. This represents a significant shift: not only must you be careful about future data collection, but you may be required to remediate past collection.
Lesson for businesses: Audit your existing data stores. If you may have collected information from children under 13 without proper consent, develop a plan to either obtain consent retroactively or delete the data. Regulators are increasingly willing to impose remediation requirements for past violations.
Lesson 6: Age Verification and Consent Mechanisms Need to Be Thoughtfully Designed
The Epic settlement requires implementing a "neutral age gate mechanism" for users to identify themselves as 13 or older. But it also requires that this mechanism not inadvertently make it too easy for children to misrepresent their age.
This highlights a fundamental tension in digital compliance: you need to respect user privacy (so not collecting excessive identifying information), but you also need reliable age verification. The balance point is moving toward more rigorous verification, particularly for children-focused services.
Lesson 7: Dark Patterns Have Entered the Regulatory Mainstream
Prior to the Epic case, "dark patterns" was a term familiar primarily to UX researchers and privacy advocates. The FTC's enforcement action brought the concept into mainstream regulatory discourse. In 2021, the FTC issued an enforcement policy statement targeting dark patterns in subscription services. The Epic settlement operationalized this enforcement approach.
Now, in 2025, dark patterns have become an explicit focus of regulatory attention across multiple jurisdictions, including California's privacy laws. Companies should conduct a comprehensive audit of their user interface and purchase flows, asking: Would a reasonable consumer understand what they're consenting to? Can they easily undo their action? Are key information and cancellation options as visible as purchase options?
Regulatory Trends and Future Implications
The Epic settlement should be understood not as an isolated case but as an expression of broader regulatory trends:
1. Aggressive Expansion of COPPA's Scope
The FTC has moved away from requiring explicit evidence that a service is "directed to children." The focus is now on actual usage patterns and appeal. This expansion is likely to continue, particularly as service operators attempt to appear "general audience" while obviously designing for younger demographics.
2. Merger of Privacy and Consumer Protection Concerns
Historically, COPPA violations and consumer protection violations (like deceptive billing practices) were separate domains. The Epic case showed that the FTC is increasingly willing to combine these authorities in enforcement actions, treating privacy violations and dark patterns as interlocking problems requiring comprehensive remediation.
3. Remediation Beyond Monetary Penalties
While the $520 million fine was headline-grabbing, the operational requirements imposed on Epic may ultimately be more consequential. Requirements to implement specific default settings, conduct independent audits, delete existing data, and establish comprehensive privacy programs represent a new form of regulatory oversight that reaches into the day-to-day operations of companies.
4. Alignment Toward International Standards
The updates to COPPA now require separate parental consent for disclosures to third parties for targeted advertising. This brings COPPA somewhat closer to the GDPR framework used in Europe, suggesting a trend toward global harmonization of children's privacy standards.
Practical Steps for Compliance
If your organization offers digital services that might be accessed by or appeal to children, here are practical steps to avoid Epic Games-style liability:
For All Digital Services:
1. Conduct a genuine audience assessment: Use analytics, surveys, and user research to determine whether children under 13 are using your service or would find it appealing.
2. Implement privacy-by-default: Turn off communications features, personalization, and data sharing by default. Require affirmative opt-in for these features, and for children specifically, require parental consent.
3. Simplify data practices: Collect only what you genuinely need. If you collect data from children, establish a clear retention policy and implement it.
4. Make cancellation and refunds as easy as purchase: Apply the "negative friction" principle: if your purchase flow is one click, your cancellation flow should also be one click.
5. Establish feedback mechanisms: Create systems to surface user complaints about billing, privacy, and design clarity to senior management on a regular basis.
6. Audit your user interface regularly: Have external experts review your interface for dark patterns. Ask the question: "Would this design choice survive FTC scrutiny?"
For Services Specifically Targeting or Used by Children:
1. Implement age verification: Use a neutral, privacy-respecting age gate that doesn't over-collect data but reliably identifies age.
2. Obtain verifiable parental consent: Understand COPPA's requirements for verifiable consent (which vary by industry and context) and implement mechanisms that meet or exceed those requirements.
3. Establish a comprehensive privacy program: Designate someone to oversee privacy compliance, conduct regular audits, and maintain documentation of your practices.
4. Plan for data deletion: Develop processes to delete children's data upon parental request or if consent cannot be obtained.
5. Regular independent audits: Consider engaging external auditors to review your COPPA compliance practices, similar to what Epic is now required to do.
Conclusion
The Epic Games settlement represents a watershed moment in digital privacy and consumer protection regulation. The FTC has signaled that it will aggressively pursue violations of children's privacy laws and that it will combine privacy enforcement with consumer protection enforcement to address the full scope of harm caused by deceptive practices.
For digital businesses, the settlement's lessons are clear: children's privacy is non-negotiable, dark patterns will not be tolerated, and regulators increasingly view the design and default settings of your products as legal and compliance issues, not just business optimization opportunities.
The days of "let them opt-out" and "they knew what they were getting into" are over. In their place, regulators expect privacy-by-default, transparency about data practices, and genuine care for user welfare—especially for young users. Organizations that move proactively to align with these expectations will not only reduce regulatory risk but also build stronger relationships with their users.
Author
Researched and written by Perplexity AI