The Epic Fall Of Bad Privacy Design
Epic Games, the creator of Fortnite, one of the most popular video games ever, was fined $520 million by the US Federal Trade Commission (FTC) for violating the Children's Online Privacy Protection Act (COPPA) and for deploying deceptive design, also known as dark patterns, to push millions of players into making unwanted purchases. In today's newsletter, I will discuss this case further and show that bad design issues were behind all of Epic Games' violations - and what we can learn from them from a privacy perspective.
The Epic Games vs. FTC case involves two record-breaking penalties, and I will discuss them separately.
1- COPPA Rule Violation
The first settlement is the $275 million penalty for violating the "COPPA Rule" - the largest penalty ever obtained for violating an FTC rule and the largest fine ever for a children's privacy violation.
The first violation is related to a lack of proper parental consent, as well as unfair and inadequate privacy design practices that made it difficult for parents to exercise their legitimate right to request the deletion of their children's data.
The second violation is connected to bad privacy default settings that left text and voice communications always on for all users - which ended up causing harm to children and teenagers.
As a consequence of this first settlement, in addition to paying the civil penalty, Epic Games will be forbidden from enabling voice and text communications for children and teens unless parents (for users under 13) or teenage users (or their parents) provide their informed consent.
They must also delete personal information unlawfully collected from Fortnite users (unless they obtain proper consent), adopt strong privacy default settings for children and teens, establish a comprehensive privacy program that addresses the problems identified by the FTC, and undergo regular, independent audits.
2- Deceptive Design / Dark Patterns
The second FTC administrative order establishes that Epic Games will have to pay $245 million to refund consumers for its dark patterns and billing practices. This is the FTC’s largest refund amount in the context of a gaming case, and it is the FTC's largest administrative order in history.
Here, the first violation is related to a deceptive design practice that pushed people into making unwanted purchases, leading to millions of dollars in unauthorized charges.
The second violation deals with unauthorized purchases by children and a lack of parental consent, also caused by malicious and unfair design.
The third violation deals with bad design practices that locked users out of their accounts, making them unable to access their previous purchases.
Because of these violations, Epic Games must pay a penalty of $245 million, which will be used to refund consumers. They must also obtain informed and affirmative consent before charging consumers and cannot block consumers from accessing their accounts in order to dispute unauthorized charges.
What do all five violations above have in common? They all involve bad design. In the first settlement, it is bad privacy design; in the second, it is bad design - or dark patterns - in general.
This case, which brought record-high FTC fines, shows us that the regulation of design is already happening, including the regulation of privacy design.
As I discussed in previous editions of this newsletter, an organization cannot rely only on its legal department to guarantee that the company will be privacy compliant. Everybody, and especially the UX design, product, engineering, and marketing teams, must understand privacy and know how to apply it in their own day-to-day work.
It is not the fault of the professionals but of the tech industry. Tech organizations still do not deal with privacy as something that should be part of their DNA. If a tech company collects, processes, or uses personal data, then privacy should be a central goal, and how to implement privacy in practice should be a common conversation in all teams that deal with personal data - not only the legal department.
I see here a great leadership opportunity for any professional. Privacy is here to stay, and regulation is coming on strong. The people who can bring privacy-informed perspectives and lead their teams in navigating privacy issues will be in a privileged position. If you are up for the challenge, sign up for the waitlist for my next course on privacy-enhancing design, to be launched early next year.
What are other interesting aspects of this Epic Games vs. FTC case? What other lessons can we learn from it? Privacy needs critical thinkers like you: share this article and start a conversation about the topic.
See you next week. All the best, Luiza Jarovsky