Epic Games $520 Million Settlement with FTC for Unfair Practices and COPPA Violations

In a recent agreement totaling $520 million, Epic Games, Inc. (Epic), maker of the popular Fortnite video game, settled allegations posed by the Federal Trade Commission (FTC) that it violated the Children’s Online Privacy Protection Act (COPPA). The FTC’s complaint alleged that Epic engaged in unfair trade practices by publicly broadcasting players’ names and connecting players in real-time using on-by-default settings in violation of COPPA, and knowingly used dark patterns in its video games that led to unfair billing practices under Section 5 of the FTC Act. The alleged COPPA violations resulted in a $275 million penalty, while the unfair billing practices resulted in $245 million in refunds.

Fortnite is free to download and play, but users also can pay for in-game items such as costumes and dance moves, giving it a consumer reach of more than 400 million users.

The FTC alleged that Epic violated COPPA by:

  • Failing to notify parents and obtain consent prior to collection of personal information from children under 13, and requiring parents who requested that their children’s personal information be deleted to take unreasonable, unwieldy actions in order to do so
  • Using default settings that enabled live text and voice communications between users and led to matching children and teens with adults who bullied, threatened, harassed, and exposed these minors to traumatizing issues

Epic must obtain affirmative consent from parents/guardians of all users ages 13 and under, and must delete information previously collected unless it obtains consent to retain such data.

The FTC also alleged that Epic violated Section 5 of the FTC Act by:

  • Tricking users into making in-game purchases using dark patterns, i.e., counter-intuitive, inconsistent, and confusing button configurations;
  • Charging child users without authorization; allowing children to press a button to make a purchase using a credit card with no parent/guardian consent; and
  • Blocking access to purchased content by users who disputed charges with their credit card companies and warning users that they might be banned for life if they continued to dispute charges.


The Justice Department and the Securities and Exchange Commission (SEC) have charged eight men with using their social media clout to manipulate investors in a stock pump-and-dump scheme. The defendants allegedly took to Twitter and Discord to promote themselves as seasoned stock traders and, according to the SEC’s press release, fed their followers a “steady diet of misinformation which resulted in fraudulent profits of approximately $100 million.” Seven of the individuals allegedly used their social media presence to promote the stocks, while the eighth has been charged with hosting a podcast and platforming the other defendants as stock trading experts.

The SEC also issued a bulletin warning potential investors of social media investment fraud. The SEC advises against making any investment decisions based on social media testimonials and endorsements. Some scammers may impersonate legitimate brokers, catfish users on dating sites, and push fraudulent “crypto” investment schemes. The bottom line is that scammers prey on trust. Potential investors should be wary of any individual relying on the strength of their personal brand or reputation over hard data. Consumers should consider checking the background of anyone selling or offering investments and confirm that the person is currently registered or licensed using the free and simple search tool on Investor.gov.

Chip manufacturer ARM reportedly won’t sell its latest Neoverse V series computer chips to Chinese tech giant Alibaba due to concerns over U.S. and UK export controls on certain classes of powerful chipsets. Among the most advanced chips on the market, sale of the Neoverse V chips would likely violate trade restrictions intended to keep civilian chips from being repurposed for military use.

ARM designs chipset architecture, but does not manufacture chips in its own facilities. Instead, ARM sells the designs to manufacturers such as TSMC and Samsung. This distinction is irrelevant for the export controls, which apply to all chips designed in the United States.

ARM’s decision not to sell its Neoverse V series chips in China could impact China’s cloud computing development. High-powered chips such as the Neoverse are valuable for cloud platform providers like Amazon Web Services, which uses the chips in servers to virtualize commercial cloud instances.

Colorado Attorney General Phil Weiser’s office recently published an updated version of the draft rules governing the Colorado Privacy Act, which goes into effect on July 1, 2023. The updates build upon the original draft rules published on October 10, 2022, and are based on input received by the AG’s office through December 2, 2022.

Written comments to the updated rules can be submitted through the AG’s website until February 1, 2023.

The Colorado Privacy Act is one we are keeping a close eye on, as it balances the stricter requirements of California and the more business-friendly, but effective, privacy law in Utah. The Colorado Privacy Act is one that other states will no doubt model.

DoNotPay, an artificial intelligence (AI) development company, has developed an AI robot app that will act as “The World’s First Robot Lawyer” by listening in on court proceedings via the defendant’s phone while the defendant listens through an earpiece. This AI robot is, more simply put, a chatbot. The technology was originally designed to contest parking tickets, but it has expanded to other services that explain complicated topics to consumers, such as college fee waivers, paying bills and rent, divorce certificates, and connecting with inmates. Now, the first AI court trial will be held in February; however, the specific dates and location are being withheld. The use of this AI robot lawyer is certainly an experiment (and creates risk for the defendant), but the results of this use and future AI development based on those results could open some interesting doors for AI technology in the future.

Several artists, frustrated with artificial intelligence (AI) image generators skirting copyright laws, are using similar image generators to produce images of Mickey Mouse and other copyrighted characters to challenge the current legal status of AI art. While an artist’s copyright in a work typically vests at the moment of fixation, including the right to prosecute copyright violation, AI-generated work complicates the issue by removing humans from the creative process. Courts have ruled that AI cannot hold copyright, which by corollary also means that AI-generated art sits in the public domain. This legal loophole has angered many professional artists whose art is used to train the AI. Many AI generators, such as DALL-E 2 and Midjourney, can render pieces in the style of a human artist, effectively automating the artist’s job.

Given Disney’s reputation for vigorously defending its intellectual property, these artists hope that monetizing these public-domain AI Mickeys on mugs and T-shirts will prompt a lawsuit. Ironically, provoking and losing a case in this vein may set a favorable precedent for the independent artist community. As AI becomes more advanced, society will likely need to address how increasingly intelligent and powerful AI can complicate and undermine existing law.

The FBI recently released a Public Service Announcement that all online shoppers should read.

The Announcement outlines a scary scheme by cyber criminals, who “are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.”

The cyber criminals purchase advertisements that appear in legitimate search engine results by using a domain that is similar to that of the real business. When a search is made for the legitimate business, the fake ads appear first in the search results. When a user clicks on the link, they are taken to a malicious website that spoofs the real one. The user is then prompted to download software that, without their knowledge, is malicious.

The FBI provides the following tips to respond to this threat. It recommends that individuals take the following precautions:

  • Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Rather than search for a business or financial institution, type the business’s URL into an internet browser’s address bar to access the official website directly.
  • Use an ad blocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.

Additionally, the FBI recommends businesses take the following precautions:

  • Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
  • Educate users about spoofed websites and the importance of confirming destination URLs are correct.
  • Educate users about where to find legitimate downloads for programs provided by the business.
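
The URL check and similar-domain monitoring recommended above can be automated. The following is an added example, not code from the FBI announcement or from this post; the brand domain, the hostnames, and the substitution table are constructed for illustration.

```python
"""Classify hostnames against a protected brand domain (added example)."""

# Look-alike substitutions folded away before comparing.
# Illustrative assumption, not a complete homoglyph table.
FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def fold(label: str) -> str:
    """Strip hyphens and undo common character substitutions."""
    label = label.replace("-", "")
    for src, dst in FOLDS:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent letters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(host: str, brand: str, max_edits: int = 1) -> str:
    """Return 'own', 'lookalike' or 'unrelated' for host relative to brand."""
    host, brand = host.lower().strip("."), brand.lower().strip(".")
    if host == brand or host.endswith("." + brand):
        return "own"
    ref = brand.split(".")[0]
    # Check every label left of the TLD, so the brand name used as a
    # subdomain of someone else's domain is caught too.
    for label in host.split(".")[:-1]:
        if fold(label) == fold(ref) or osa_distance(label, ref) <= max_edits:
            return "lookalike"
    return "unrelated"


# Constructed sample data: placeholder brand and newly seen hostnames.
BRAND = "examplebank.com"
SEEN = ["www.examplebank.com", "exampelbank.com", "exarnplebank.com",
        "examplebank.com.account-verify.net", "weather.org"]
ALERTS = [h for h in SEEN if classify(h, BRAND) == "lookalike"]
```

A one-edit threshold suits long brand names; short names need a stricter rule or an allowlist to avoid false positives.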

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices and many have already implemented a ban, with others considering similar measures. There is also bipartisan support for a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens.

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

According to the National Security Agency, actors backed by the Chinese government are actively targeting a zero-day vulnerability in two commonly used Citrix networking devices.

The vulnerability (CVE-2022-27518) affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool. Both devices are standard in mid-to-large enterprise networks. Analysts at the National Institute of Standards and Technology (NIST) categorize the vulnerability as “critical,” the highest risk level, for its broad potential impact and ease of execution.

Citrix pushed out an emergency patch for the vulnerability last week and is urging customers using affected builds of Citrix ADC and Citrix Gateway to install the updates immediately. Compliance Officers and Chief Information Security Officers may wish to consider heeding this warning and applying the firmware patch to affected devices ASAP, outside of regular update cycles if necessary.

The federal government has implemented a program in which each household can order four free COVID-19 test kits through the United States Postal Service (USPS). This is a perfect opportunity for scammers to spoof the USPS site to try to obtain personal information from unwary users.

It is very easy to order the four tests, and all you have to provide to register for the tests to be sent to you is your name and your address. NOTHING ELSE.

If you land on a website that looks like a website offering the free COVID-19 tests through USPS, but which asks for any personal information (such as date of birth, driver’s license number, or Social Security number), you are being targeted by scammers trying to obtain your personal information for fraudulent purposes.