This is Epic Games' privacy policy covering how the company collects and uses your personal data across all its products, including Fortnite, the Epic Games Store, and Unreal Engine. Most notably, Epic records voice chat snippets on your device and may send them to Epic if a violation is reported, and it collects facial images if you use MetaHuman — two data types that go beyond typical gaming data practices. If you are a parent of a child who plays Epic games, you should set up parental controls through your Epic account to limit your child's data exposure and restrict features like voice chat.
This document is the Epic Games Privacy Policy (last updated November 28, 2025), governing the collection, use, retention, disclosure, and processing of personal information across all Epic Services — including Fortnite, Rocket League, Fall Guys, the Epic Games Store, Unreal Engine, MetaHuman, and live events — with legal bases grounded in contractual necessity, legitimate interests, consent, and legal obligation depending on jurisdiction. Epic's most significant obligations include operating a 'Cabined Account' system for child users that restricts data collection to limited categories and disables voice chat and real-money purchases pending verifiable parental consent, and providing data subject rights including access, correction, deletion, portability, and objection across multiple jurisdictions. Notable provisions include the use of voice snippet recording and storage on user devices with potential transmission to Epic upon violation reports, facial image collection via MetaHuman for face mesh generation, cross-platform account linking that triggers inbound data sharing from third parties (PlayStation, Xbox, Facebook, Steam), and broad advertising and analytics data sharing with unspecified third-party ad partners. The Policy engages GDPR (Articles 6, 7, 8, 13, 17), UK GDPR, COPPA (15 U.S.C. §6501 et seq.), CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), and implicitly the FTC Act Section 5; material compliance considerations include the adequacy of Epic's verifiable parental consent mechanism via Kids Web Services (a subsidiary), the scope of legitimate interests relied upon for advertising and analytics, and the breadth of third-party data sharing with ad partners which may require opt-out mechanisms under CCPA.
REGULATORY EXPOSURE: This policy directly engages GDPR Articles 6 (lawful basis), 7 (consent), 8 (child consent), 13 (transparency), 17 (erasure), and 20 (portability), enforced by EU supervisory aut…
REGULATORY EXPOSURE: This policy directly engages GDPR Articles 6 (lawful basis), 7 (consent), 8 (child consent), 13 (transparency), 17 (erasure), and 20 (portability), enforced by EU supervisory authorities; UK GDPR under the Data Protection Act 2018, enforced by the ICO; COPPA (15 U.S.C. §6501) e…
Compliance intelligence locked
Regulatory exposure, material risk, and due diligence action items.