While many of us were preparing for the winter holidays, the Federal Trade Commission (FTC) was busy preparing its version of a holiday gift for Epic Games, Inc. the developer and distributor of the popular game Fortnite. This “gift” came in the form of 2 settlement orders, requiring Epic Games to cough up $520 million for legal violations.
Since Fortnite has made its way into schools, it’s helpful to understand what happened, why, and importantly, what it might mean for your school system.
What Happened?
There were actually 2 complaints against Epic Games:
Fortnite was deemed to be directed to children, and Epic Games did not provide the required COPPA notices to parents, and Epic Games made it rather challenging for parents to exercise their rights under COPPA. For example, apparently when some parents asked to delete their child’s personal information (a right permitted under COPPA), they were asked to verify that they were in fact, the parent, by providing what one could probably only describe as a ridiculous amount of information (such as all the IP addresses that the child had ever used when playing the game). In addition, per FTC, “As early as 2017, Epic employees urged the company to change the default settings to require users to opt in for voice chat, citing concern about the impact on children in particular. Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings.”
There’s more, but for the COPPA violations, here’s a breakdown of the key penalties:
- Epic Games is permanently enjoined from engaging in the noncompliant practices;
- Within 60 days of the settlement, Epic must delete all personal information unless the user has provided information indicating that they are 13+ or for which a parent has been provided with notice and consent, and confirm to FTC that this has been done;
- Within 30 days, Epic must fix its COPPA issues (which FTC described as “dilatory”;
- Within 30 days, it must establish and implement a comprehensive privacy program that meets certain minimum specifications;
- They must engage a third party to conduct privacy assessments every two years for 20 years, with results submitted to FTC (and they cannot withhold materials from FTC by claiming attorney-client privilege);
- The CEO must certify to FTC that the company has complied with the order on an annual basis for 20 years;
- They will pay $275 million to the US Treasury.
Are you still with me? Because there’s more.
In the second complaint, Epic Games was found to be in violation of Section 5 of the FTC Act, which prohibits, “unfair or deceptive acts or practices in or affecting commerce.” This type of violation can take a number of forms, but in this case, what it meant was that Epic Games used, “dark patterns” (design tricks that often fool people into taking certain actions – typically making a purchase). In this case, Epic Games had at least 1 design in which clicking on a “purchase” button meant money was automatically charged to the credit card on file. (Typically, the user is asked to confirm the purchase before the charge goes through.) When consumers disputed unauthorized charges with their credit-card providers, Epic Games banned many of them from accessing content they had previously paid for.
For this type of violation, Epic Games will pay $245 million to FTC, which will use the money for consumer refunds. Of course, Epic Games must also fix their practices and maintain records of compliance for the next 10 years.
It’s an expensive and operationally disruptive lesson for Epic Games, and you can be sure that other companies are sitting up and taking notice.
What Should EdTech Leaders Do Now?
It’s all too easy to get drawn into the headlines and start to worry. In fact, most privacy headlines have an air of “breathlessness” about them that prompts us to click on the news with a feeling of panic. In this case, the headlines were reflective of the scope of the problem, but that’s not always the case.
So, take a deep breath. Stress and worry don’t help. Instead, continue to learn about the practices your school system needs to put in place to build and grow your data privacy program. The more one’s internal practices are in order, the easier it is to understand – and impact – what is required of vendors.
Be wary of using consumer tech in schools (no matter how much your students like it or teachers want it), and continue to build on your vendor assessment process so that you can understand each vendor’s actual practices before you put what must be well-informed data protection agreements in place with all that will be processing personal information. When we learn and build and grow the right practices internally, we not only know what’s needed to protect personal data wherever it goes, but we also grow the knowledge needed to make that happen.
For more on how to assess privacy news, CoSN Members are invited to download the CoSN Member Brief: Reacting to Privacy News What School System Tech Leaders Need to Know.
Author: Linnette Attai, Project Director for CoSN’s Student Data Privacy Initiative and Trusted Learning Environment Program
Linnette Attai is Project Director for CoSN’s Student Data Privacy Initiative and Trusted Learning Environment Program. As founder of the global compliance consulting firm PlayWell, LLC, Linnette delivers strategic advice and training, policy development, and technology assessments, and builds cultures of compliance across a wide range of organizations. She also serves as virtual chief privacy officer and GDPR data protection officer to select clients. Linnette is a recognized expert in the youth and education sectors and speaks nationally on data privacy matters. She is a TEDx speaker and author of the books, “Student Data Privacy: Building a School Compliance Program,” “Protecting Student Data Privacy: Classroom Fundamentals” and “Student Data Privacy: Managing Vendor Relationships
Published on: January 11, 2023
CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.
