Epic Games, the maker of “Fortnite” a very popular online computer game, has been hit with a $520M fine by the US Department of Justice. The main issue was the collection of privacy information of children without their consent, or more importantly, the consent of their parents.  Epic Games actively collected children’s names, email addresses and identifiers that kept track of their progress, purchases, settings and friends lists without notifying parents that it was doing so, according to the U.S. government, thereby allegedly violating the Children’s Online Privacy Protection Act. 

As Ann Cavoukian observed in a Toronto Star interview this week, the US has the “Children’s Online Privacy Protection Act” but in Canada we don’t have any similar protecting legislation for children. Why not, is a good question. See the Star article on line here:  

The U.S. government said one of the mechanisms Epic Games used to collect children’s personal information was a default privacy setting that automatically broadcasted children’s display names and “put children and teens in direct, real-time communication with adult Fortnite players”.  This goes to show that one must be vigilant and on top of the online gaming industry for sure. This case demonstrates how gaming companies will look for a way to get a “leg up” on their competition and tap into privacy settings of its users, breaking regulatory authorities along the way and thus turning a blind eye to the rule of law. As discussed in the article, it is not sufficient to give people an option to protect their data, one must proactively take steps to private data especially when children are involved. 

The Digital Charter Implementation Act that was tabled this past June, 2022 will replace the current law that dates back to the year 2000, PIPEDA. It is long overdue as the internet has changed the landscape of online business in a radical manner. 

Some of the changes implemented by Epic include making players explicitly opt-in to have their payment information saved and a “hold-to-purchase” button that re-confirms a player’s intent to make a purchase. In regard to privacy, in September it implemented new privacy settings for players under 18, which include setting default chat permissions to “nobody” and setting profile details default to “hidden”. 

In the USA there was new amendments made to the Breach of Personal Information Notification Act. Known as Act 151, it expands the requirements for entities to report such breaches. An entity that maintains, stores, or manages computerized data of personal information must notify individuals about a breach without unreasonable delay; however, if a state agency, county, municipality, or public school (“local agencies”) suffers a breach they must send notice of the breach within seven business days following determination of the breach, and they must also concurrently notify the Office of the Attorney General. It is important to note that Act 151 requires these local agencies to act only upon an official determination, which is newly defined as “a verification or reasonable certainty that a breach of the security of the system has occurred.” A contractor of any local agency must notify the agency upon any discovery of a breach. 

One of the biggest challenges for local agencies will be complying with Section 4 of the Act by requiring all entities that maintain, store, or manage computerized data to utilize encryption to protect personal data. This may require a systems upgrade or software purchases for smaller local agencies.  And agencies should carefully vet vendors to ensure they are familiar with these requirements and able to meet them.

David H. Davis of Davis Cyber Law specializes in strategic risk management, incident response, privacy & data protection, and advocacy. He can be reached by email at or by telephone at 204-956-2336. We are also on the web at