Epic Games, creator of popular video game “Fortnite,” reached an agreement with the FTC to pay $520 million in fines and refunds over allegations the company violated a children’s privacy law and “dupe[d] millions of players into making unintentional purchases,” the agency said.

Epic reached two separate settlements with the Federal Trade Commission, both of which are for record-setting amounts. The games company will pay $275 million to the FTC over allegations the company violated the Children’s Online Privacy Protection Act (COPPA). In addition, Epic will pay $245 million to refund consumers for its practice of “trick[ing] players into making unwanted purchases,” the FTC said.

As part of the agreement, in what the FTC said was a first-of-its-kind provision, Epic is required to adopt “strong privacy default settings for children and teens” and ensure that voice and text communications are turned off by default. (Epic said that in September 2022, it implemented “high privacy default settings” for “Fortnite” players under 18, under which chat defaults to “nobody”; profile details default to hidden; parties default to “invite only”; and personalized recommendations are turned off by default.)

“Epic used privacy-invasive default settings and deceptive interfaces that tricked ‘Fortnite’ users, including teenagers and children,” FTC Chair Lina M. Khan said in announcing the settlement. “Protecting the public, and especially children, from online privacy invasions and dark patterns is a top priority for the commission, and these enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices.”

Epic, in a statement about the settlement (at this link), said in part, “No developer creates a game with the intention of ending up here. The video game industry is a place of fast-moving innovation, where player expectations are high and new ideas are paramount. Statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough. We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”

From the $245 million that Epic will pay for the alleged deceptive billing practices, the FTC plans to make refunds available to: parents whose children made an unauthorized credit card purchase in the Epic Games Store between January 2017 and November 2018; “Fortnite” players who were charged in-game currency (V-Bucks) for unwanted in-game items (such as cosmetics, llamas, or battle passes) between January 2017 and September 2022: and “Fortnite” players whose accounts were locked between January 2017 and September 2022 after disputing unauthorized charges with their credit card companies.

According to the FTC, it will provide updates on its website (at ftc.gov/fortnite) and send email notices to customers who believe they are eligible for a refund payment about next steps.

The FTC alleged that Epic violated COPPA by collecting personal information from children under 13 who played “Fortnite” without notifying their parents or obtaining their parents’ verifiable consent. In addition, the agency alleged that Epic’s default settings enabling live text and voice communications — along with its role in matching “Fortnite” players — “harmed children and teens” who have been “bullied, threatened, harassed, and exposed to dangerous and psychologically traumatizing issues such as suicide while on ‘Fortnite.'”

According to the FTC’s complaint about the alleged children’s privacy violation, Epic employees expressed concern internally about the default settings in “Fortnite” as early as 2017 and recommended they be changed. “Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings,” the FTC said. While Epic eventually added a button allowing “Fortnite” users to turn voice chat off, Epic made it difficult for users to find, according to the complaint.

In the second complaint, the FTC alleged Epic has used a variety of “dark patterns” intended to cause players to make unintended in-game purchases. “‘Fortnite’s’ counterintuitive, inconsistent and confusing button configuration led players to incur unwanted charges based on the press of a single button,” the agency said. For example, players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen or by pressing an adjacent button while attempting to preview an item. In addition, the FTC alleged that Epic locked the accounts of customers who disputed unauthorized charges with their credit card companies.

Epic ignored more than 1 million user complaints “and repeated employee concerns that ‘huge’ numbers of users were being wrongfully charged,” the FTC said, adding that the company “purposefully obscured cancel and refund features to make them more difficult to find.”

In its statement, Epic said, “We don’t want players to pay for something that they did not intend to.” According to the company, since May 2018, “Fortnite” has had a refund token system and an “undo-purchase” system. In addition, Epic said, it has updated its payment flows with a “hold-to-purchase mechanic” that reconfirms a player’s intent to buy as “an additional safeguard to prevent unintended purchases.”

Epic Games’ statement concluded, “The old status quo for in-game commerce and privacy has changed, and many developer practices should be reconsidered. We share the underlying principles of fairness, transparency and privacy that the FTC enforces, and the practices referenced in the FTC’s complaints are not how ‘Fortnite’ operates. We will continue to be upfront about what players can expect when making purchases, ensure cancellations and refunds are simple, and build safeguards that help keep our ecosystem safe and fun for audiences of all ages.”