Federal Trade Commission fines EPIC $275 million for privacy violations and requires it to refund customers another $245 million for tricking users
December 22, 2022
The Federal Trade Commission (the “FTC”) has its detractors who say it is not assertive enough. Compared to the Australian Information Commissioner, it is frenetic and hyper aggressive. In a field where the breaches are many, most regulators are subject to the criticism of not doing enough. But when the FTC takes action against a company, the impact is considerable and painful for the malefactor. So it was with the agreement the FTC made with EPIC for its violation of the Children’s Online Privacy Protection Act.
EPIC has been fined $275 million for collecting personal information from children under the age of 13 without parental consent. It also enabled those children to have access to voice and text chats by default, a practice that could put them into contact with strangers.
As is the way, the media coverage has been negative for EPIC, with headlines such as “Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy” and “Fortnite game maker will pay $520M to settle FTC allegations”.
The statement of the FTC provides:
The FTC’s $275 million proposed settlement with Epic Games, owner of Fortnite, alleges the company violated the law by collecting personal information from kids under 13 without parental consent and by enabling voice and text chat by default – an unfair practice that put kids and teens in risky contact with strangers. But to borrow a phrase from advertisers, “But wait! There’s more!” Much, much more in the form of a separate $245 million proposed settlement with Epic Games for using digital dark patterns to bill Fortnite players for unintentional in-game purchases.
How much money can a company take in by selling virtual costumes, dance moves, and piñatas shaped like llamas? It won’t surprise Fortnite fans to hear that the answer is billions, especially when, as the FTC alleges, Epic used a host of digital design tricks – dark patterns – to charge consumers for virtual merchandise without their express informed consent. What’s more, the FTC says when people disputed unauthorized charges with their credit card company, Epic locked their accounts, depriving them of access to content they had already paid for. The proposed FTC consent order is the agency’s largest administrative settlement to date. Continue reading for some insightful – and instructive – quotes from consumers and employees who didn’t hold back about their opinions of Epic’s tactics.
For the technological Rip Van Winkles among us, Fortnite is a hit video game with more than 400 million registered users, many of whom are kids. Although people can play the basic version for free, Epic charges for in-game purchases designed to enhance game play. The FTC alleges that with millions of consumers’ credit cards conveniently in hand, Epic failed to adequately explain its billing practices to customers and designed its interface in ways that led to unauthorized charges. You’ll want to read the complaint for details, but here are a few of the dark patterns the company allegedly used.
According to the complaint, Epic set up its payment system so that it saved by default the credit card that was associated with the account. That meant that kids could buy V-Bucks – the virtual currency necessary to make in-game purchases – with the simple press of a button. No separate cardholder consent was required. And although the currency was imaginary, the charges Epic packed on to Mom or Dad’s credit card were very real. What did parents and users have to say about Epic’s methods? Here are some examples:
- “Hello Epic Games, The charges associated with this account were made without my authorization. This account is associated with my 10 year old son’s account and I am really disappointed that there is no check and balances that alerted me of these charges, and a 10 year old can purchase coins worth almost $500 so easily.”
- “Epic Games is swindling parents with unauthorized game purchases, tricking young consumers & using shady practices for billing. I authorized a 1-time Epic Games purchase for my 11 yr-old son, only to discover EG did NOT erase my credit card info, & thus my son has been making unauthorized purchases, racking up $140 in less than 8 days after the initial authorized purchase.”
Epic’s own Fraud and Risk Consultant expressed similar concerns internally and recommended that the company require account holders to confirm their CVV numbers before charging the card on file: “This is standard / best practice and it prevents kids from using mom’s credit card without her permission[.]” However, by the time Epic finally took that advice, the company had already billed account holders for millions of V-Bucks transactions – many of which were unauthorized, according to the FTC.
Another dark pattern alleged in the FTC’s lawsuit is Epic’s design of in-game purchases in a way that made it easy for an inadvertent button push to lead to unwanted charges. For example, for users playing Fortnite on the small screen of a smartphone, the company placed the button to preview merchandise very close to the purchase button. The upshot: One misaligned click by a user still in the window shopping phase and Epic immediately deducted the cost of the item from the player’s V-Bucks balance. Users also reported unwanted purchases when the game was waking from sleep mode or in a loading screen.
What’s more, the FTC says Epic used inconsistent and often counterintuitive designations for the buttons, an alleged digital dark pattern that also led to unauthorized charges. For example, when playing Fortnite using the PlayStation controller, the button to preview merchandise has a cross on it while the button to buy certain items has a square. But for other items, those functions are reversed. Users who press the square can preview items, but users who press the cross are charged.
Epic was undoubtedly aware of the consequences of its design choices, given what users were reporting to the company:
- “I’d like to raise a concern I have with the in-game store – there is no ‘confirm purchase’ button when you go to buy a skin/glider/axe….The reason I say this is because about 2 months ago I accidentally misclicked ‘purchase’ on a glider I had no intentions of buying. It instantly just took the V-Bucks and that was that….”
- “I accidentally purchased a skin using my V-Bucks when I just meant to rotate it and check it out. Fat-fingered the ‘Square’ button on the PS4.”
- “We are really disappointed that you are unable to help us as we feel my son’s V-Buck accidental spend would have been avoided if your systems had more confirmation steps before buying items. Most other games companies have clear steps before you can purchase, e.g. item goes into basket, then questions asking ‘are you sure you want to purchase this?’, ‘Press this button to complete your purchase’. Your purchase process has none of these steps and we believe that it’s designed to take advantage of young users and accidental purchase.”
All told, the company received more than a million complaints about unwanted charges. And it wasn’t just customers. Epic’s own employees raised concerns about unwanted charges and repeatedly recommended measures to address them. For example, one employee described the company’s failure to include a confirmation screen for sales as “a bit of a dark UX [user experience] pattern.” But among Epic’s reasons for rejecting that suggestion was a concern it would reduce the number of “impulse purchases.”
In addition, the FTC alleges that Epic set up roadblocks that hindered users’ ability to reverse unauthorized charges. For certain purchases, Epic imposed a flat “no refunds” policy. For other inadvertent buys, the FTC says Epic “deliberately requires consumers to find and navigate a difficult and lengthy path to request a refund through the Fortnite app,” hiding the button in a hard-to-find location under the “Settings” tab.
What if users went to their credit card companies to dispute unauthorized charges? According to the complaint, Epic locked them out of their Fortnite accounts, denying them access to the merchandise they bought that wasn’t the subject of the credit card dispute.
To settle the case, Epic has agreed to pay $245 million, which will be used to provide refunds for consumers. In addition, the proposed order mandates an overhaul of the company’s billing and dispute practices and bars the use of dark patterns to get consumers’ consent. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days.
The message for other companies should be clear. Take steps to avoid the dark patterns alleged in the Fortnite complaint and others outlined in the FTC report, Bringing Dark Patterns to Light.
Look at your website or app through the eyes of consumers. UX – user experience – is the current term, but it harkens back to a consumer protection fundamental: Be transparent about your billing practices. Consumers who check their accounts or view their credit card statements should never be taken by surprise.
Exercise particular care where kids are concerned. When it comes to box fighting or bunny hopping, kids may be skilled Fortnite players. But it’s a mistake to presume they have a similar sophistication about how in-game purchases work.
Rethink your refund practices. According to the complaint, an Epic employee who helped design the refund request path reported that during testing, he put the link in an obscure location in an “attempt to obfuscate the existence of the feature” and that “not a single player found this option in the most recent round of UX testing.” When the designer asked if he should make the feature easier to find, he was told by a superior, “it is perfect where it is at.” The moral of the story: Hiding the method customers must use to ask for a refund isn’t a good look for a company, and it’s not a strategy your business should implement.
Read your mail and listen to your employees. In many of those one million complaints Epic received, users gave the company an earful about exactly how its billing practices let them down – and Epic’s own employees echoed the same concerns. Companies that want to foster goodwill and avoid legal hot water should listen more carefully to customers and staffers.
The proposed orders provide:
ORDER
I. INJUNCTION CONCERNING THE COLLECTION OF PERSONAL INFORMATION FROM CHILDREN
IT IS FURTHER ORDERED that, no later than the Compliance Date, Defendant and Defendant’s officers, agents, employees, and attorneys, and all other Persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with being an Operator of any Website or Online Service Directed to Children or of any website or online service with actual knowledge that it is Collecting or maintaining Personal Information from a Child, are hereby permanently restrained and enjoined from:
Failing to make reasonable efforts, taking into account available technology, to ensure that a Parent of a Child receives direct notice of the Operator’s practices with regard to the Collection, use, or Disclosure of Personal Information from Children, including notice of any material change in the Collection, use, or Disclosure practices to which the Parent has previously consented, unless the COPPA Rule (attached as Appendix A), provides an exception to providing such notice;
Failing to post a prominent and clearly labeled link to an online notice of the Operator’s information practices with regard to Children, if any, on the home or landing page or screen of its website or online service, and at each area of the website or online service where Personal Information is Collected from Children, unless the COPPA Rule (attached as Appendix A), provides an exception to providing such notice;
Failing to Obtain Verifiable Parental Consent before any Collection, use, or Disclosure of Personal Information from Children, including consent to any material change in the Collection, use, or Disclosure practices to which the Parent has previously consented, unless the COPPA Rule (attached as Appendix A), provides an exception to Obtaining Verifiable Parental Consent;
Failing to Delete a Child’s Personal Information at the request of a Parent;
Retaining a Child’s Personal Information for longer than is reasonably necessary to fulfill the purpose for which the information was Collected; and
Violating the COPPA Rule (attached as Appendix A).
II. INJUNCTION CONCERNING CHILDREN’S PERSONAL INFORMATION PREVIOUSLY COLLECTED
IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other Persons in active concert or participation with any of them, who receive actual notice of this Order, must:
A. Within sixty (60) days of the Compliance Date, Delete all Personal Information that is associated, at the time of the Compliance Date, with any Fortnite user, unless:
1. the user has provided age information through a neutral age gate identifying the user as age 13 or older; or
2. Defendant has provided direct notice and Obtained Verifiable Parental Consent; and
B. Within ninety (90) days of the Compliance Date, provide a written statement to the Commission, sworn under penalty of perjury, that:
1. Describes all processes through which Defendant provided direct notice and sought to Obtain Verifiable Parental consent for any accounts covered by this Provision II;
2. Identifies the total number of accounts for which (i) direct notice was provided; (ii) Defendant Obtained Verifiable Parental Consent; (iii) verifiable parental consent was affirmatively declined; and (iv) no response was provided;
3. Describes in detail any Personal Information Defendant retains in accordance with sub-Provisions II.C or II.D, the basis for such retention, and, as applicable, the specific government agency, law, regulation, or court order that requires such retention; and
4. Confirms that all Personal Information required to be Deleted by this Provision II has been Deleted. Provided, however, that:
C. Persistent Identifiers that Defendant is otherwise required to Delete by this Provision II need not be Deleted to the extent they are used solely for Support for the Internal Operations of the Website or Online Service; and
D. Personal Information that Defendant is otherwise required to Delete by this Provision II may be retained, and may be disclosed, as requested by a government agency or required by law, regulation, or court order. Within thirty (30) days after the obligation to retain any such Personal Information has ended, Defendant shall Delete such Personal Information and provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Defendant has Deleted such Personal Information.
III. DEFAULT PRIVACY SETTINGS FOR CHILDREN AND TEENS
IT IS FURTHER ORDERED that, within thirty (30) days of the Compliance Date, Defendant, Defendant’s officers, agents, employees, and attorneys, and all other Persons in active concert or participation with any of them, who receive actual notice of this Order, in connection with any Covered Product or Service, are permanently restrained and enjoined from disclosing a Child’s or Teen’s Covered Information to, enabling a Child or Teen to disclose their Covered Information to, or enabling a Child or Teen to converse with or be party to conversations between or among, any other user of the Covered Product or Service, unless:
A. For a Child user, the Child’s Parent has provided, and not withdrawn, their Affirmative Express Consent through an easily-located Privacy Setting; and
B. For a Teen user, the Teen (or the Teen’s Parent) has provided, and not withdrawn, their Affirmative Express Consent through an easily-located Privacy Setting.
C. Each Clear and Conspicuous disclosure required pursuant to sub-Provisions III.A. and III.B. must identify: (1) each type of Covered Information that will be disclosed; (2) each category of Persons to which each type of Covered Information will be disclosed; (3) each type of communication the Child or Teen will be able to make or receive; and (4) each category of Persons to, or from which, the Child or Teen will be able to make, or receive, each type of communication.
D. For the purposes of this Provision III:
1. Any user of any Covered Product or Service that is a Website or Online Service Directed to Children must be deemed a Child, provided, however, that for any such Covered Product or Service that does not target Children as its primary audience, Defendant may collect age information from users before collecting any other Covered Information and treat each user accordingly unless and until Defendant has actual knowledge that the user is a Child or Teen;
2. Any user of any Covered Product or Service that is not a Website or Online Service Directed to Children may be treated as neither a Child nor a Teen unless and until Defendant has actual knowledge that the user is a Child or Teen; and
3. To the extent that a display name of a Child or Teen is disclosed in a multiuser game or other interactive multiuser experience to identify participating users, such display name will not be considered Covered Information. Provided, however, Defendant must describe: (i) in a direct notice to parents, any such disclosure of a Child’s display name; and (ii) in Defendant’s privacy policy, any such disclosure of a Child’s or Teen’s display name.
IV. MANDATED PRIVACY PROGRAM
IT IS FURTHER ORDERED that each Covered Business, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within thirty (30) days of the Compliance Date, establish and implement, and thereafter maintain, a comprehensive privacy program (the “Privacy Program”) that protects the privacy of such Covered Information. To satisfy this requirement, each Covered Business must, at a minimum:
A. Document in writing the content, implementation, and maintenance of the Privacy Program;
B. Provide the written program and any evaluations thereof or updates thereto to its board of directors or governing body, or if no such board or equivalent governing body exists, to a senior officer responsible for the Privacy Program at least once every twelve (12) months;
C. Designate a qualified employee or employees to coordinate and be responsible for the Privacy Program;
D. Assess and document, at least once every twelve (12) months, internal and external risks to the privacy of Covered Information that could result in the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information;
E. Design, implement, maintain, and document safeguards that control for the material internal and external risks the Covered Business identifies to the privacy of Covered Information identified in response to sub-Provision IV.D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information. Such safeguards must include:
1. Policies, procedures, and technical measures to comply with COPPA and the COPPA Rule;
2. Policies, procedures, and technical measures to comply with Provision III;
3. Regular COPPA Rule training on at least an annual basis for all employees and contractors providing services to the Covered Business whose responsibilities include any of the following: (a) access to Covered Information; (b) Covered Products or Services design, engineering, or implementation; or (c) Privacy Settings design, engineering, or implementation; and
4. Regular privacy training programs for all employees and contractors providing services to the Covered Business, updated on at least an annual basis to address any identified material internal or external risks and safeguards implemented pursuant to this Order;
F. Assess, at least once every twelve (12) months, the sufficiency of any safeguards in place to address the internal and external risks to the privacy of Covered Information, and modify the Privacy Program as needed based on the results;
G. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months, and modify the Privacy Program as needed based on the results;
H. Select and retain service providers capable of safeguarding Covered Information they access through or receive from the Covered Business, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy of Covered Information; and
I. Evaluate and adjust the Privacy Program in light of any changes to the Covered Business’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in sub-Provision IV.D of this Order, or any other circumstances that the Covered Business knows or has reason to know may have an impact on the effectiveness of the Privacy Program or any of its individual safeguards. At a minimum, the Covered Business must evaluate the Privacy Program at least once every twelve (12) months and modify the Privacy Program as needed based on the results.
V. PRIVACY ASSESSMENTS BY A THIRD PARTY
IT IS FURTHER ORDERED that, in connection with Provision IV of this Order titled Mandated Privacy Program, Defendant must obtain initial and biennial assessments (“Assessments”):
A. The Assessment must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Privacy Program; (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment; and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. The Assessor may not withhold any documents from the Commission on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim.
B. For each Assessment, Defendant must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.
C. The reporting period for the Assessments must cover: (1) the first 180 days after the Privacy Program has been put in place for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after the entry date of the Order for the biennial Assessments.
D. Each Assessment must, for the entire assessment period:
1. Determine whether each Covered Business has implemented and maintained the Privacy Program required by Provision IV of this Order, titled Mandated Privacy Program;
2. Assess the effectiveness of each Covered Business’s implementation and maintenance of sub-Provisions IV.A-I;
3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Privacy Program;
4. Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Privacy Program that were identified in any prior Assessment required by this Order; and
5. Identify specific evidence (including but not limited to documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is: (a) appropriate for assessing an enterprise of the Covered Business’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by a Covered Business’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Privacy Program and did not rely primarily on assertions or attestations by a Covered Business’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that a Covered Business adds, materially revises, or materially updates one or more safeguards required under Provision IV of this Order during an Assessment period, the Assessment must assess the effectiveness of the added, materially revised, or materially updated safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each additional, materially revised, or materially updated safeguard.
E. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure of the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Epic Games, Inc., FTC File No. 2223087.” Defendant must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy suitable for public disclosure of each subsequent biennial Assessment until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.
VI. COOPERATION WITH THIRD-PARTY PRIVACY ASSESSOR
IT IS FURTHER ORDERED that Defendant, whether acting directly or indirectly, in connection with any Assessment required by Provision V of this Order titled Privacy Assessments by a Third Party, must:
A. Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;
B. Provide or otherwise make available to the Assessor information about each Covered Business’s network(s), and all of each Covered Business’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and
C. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s:
(1) determination of whether Defendant has implemented and maintained the Privacy Program required by Provision IV of this Order, titled Mandated Privacy Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions IV.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Privacy Program.
VII. ANNUAL CERTIFICATION
IT IS FURTHER ORDERED that, one year after the Compliance Date, and each year thereafter for ten (10) years after the Compliance Date:
A. Defendant must provide the Commission with a certification from the Principal Executive Officer that: (1) Defendant has established, implemented, and maintained the requirements of this Order; and (2) Defendant is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the Principal Executive Officer or subject matter experts upon whom the Principal Executive Officer reasonably relies in making the certification.
B. Defendant must provide the Commission with a certification from a senior officer of each Covered Business other than Defendant responsible for each such Covered Business’s Privacy Program that: (1) each Covered Business other than Defendant has established, implemented, and maintained the requirements of this Order; and (2) each Covered Business other than Defendant is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.
C. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Epic Games, Inc., FTC File No. 2223087.”
VIII. MONETARY JUDGMENT FOR CIVIL PENALTY
IT IS FURTHER ORDERED that:
Judgment in the amount of two hundred seventy five million dollars ($275,000,000) is entered in favor of Plaintiff against Defendant as a civil penalty.
Defendant is ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, two hundred seventy five million dollars ($275,000,000), which, as Defendant stipulates, its undersigned counsel holds in escrow for no purpose other than payment to Plaintiff. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of Plaintiff.
Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.
Defendant acknowledges that its Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendant must submit to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.
IX. ORDER ACKNOWLEDGMENTS
IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this Order:
Defendant, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
For five (5) years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.
X. COMPLIANCE REPORTING
IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:
One (1) year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury:
1. Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant; (b) identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Defendant is in compliance with each provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
For ten (10) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following:
1. Defendant must report any change in: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within fourteen (14) days of its filing.
Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Epic Games, Inc., FTC File No. 2223087.”
XI. RECORDKEEPING
IT IS FURTHER ORDERED that Defendant must create certain records for ten (10) years after entry of the Order, and retain each such record for five (5) years. Specifically, Defendant must create and retain the following records:
Accounting records showing the revenues from all goods or services sold in connection to any Covered Product or Service;
Personnel records showing, for each Person providing services in connection to any Covered Product or Service, whether as an employee or otherwise, that Person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;
Copies or records of all consumer complaints and refund requests concerning the subject matter of the Order, whether received directly or through any domestic government regulatory authority; and
All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.
XII. COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance with this Order:
A. Within fourteen (14) days of receipt of a written request from a representative of the Commission or Plaintiff, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission and Plaintiff are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69, provided that Defendant, after attempting to resolve a dispute without court action and for good cause shown, may file a motion with this Court seeking an order for one or more of the protections set forth in Rule 26(c).
B. For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission and Plaintiff to interview any employee or other Person affiliated with Defendant who has agreed to such an interview. The Person interviewed may have counsel present.
C. The Commission and Plaintiff may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.