On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.
Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).