What are the institutional and regulatory implications of this document?

1) REGULATORY LANDSCAPE: This policy engages GDPR for EU/EEA users (Epic identifies itself as data controller and references legal bases for processing), CCPA and the California Privacy Rights Act for California residents, COPPA and the Children's Online Privacy Protection Rule (16 CFR 312.2) for users under 13, and potentially the EU Digital Services Act and applicable national youth protection laws given the policy's explicit age-segmentation architecture. The FTC is the primary enforcement a…

How does Unreal Engine's Epic Games Privacy Policy affect users?

The agreement authorizes collection of identifiers, device information, gameplay and usage data, voice chat snippets, purchase information, and images for character generation across all Epic Services and platforms. Under these terms, voice chat snippets stored on user devices may be transmitted to Epic when a violation is reported, and user inputs into AI-powered features may be used to generate outputs that could identify the user. Users in regions with applicable privacy rights, including EU…

How often is Unreal Engine's Epic Games Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Unreal Engine updates this document?

Yes. Monitor subscribers ($19/month) can add Unreal Engine to their watchlist and receive same-day email alerts whenever this document or any other Unreal Engine document changes.

CA-D-000086

Epic Games Privacy Policy

Unreal Engine

Last change detected May 1, 2026 Privacy policy

SHA-256: 7b6379aa109ecff327d… 4 versions captured 3 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Unreal Engine ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

2 High severity

6 Medium severity

2 Low severity

Summary

This is the Epic Games Privacy Policy, covering all Epic Services including Fortnite, Rocket League, Unreal Engine, MetaHuman, the Epic Games Store, and Fab, and describing how Epic collects, uses, shares, and retains personal information about all users including children. The policy authorizes collection of identifiers, device information, browsing and gameplay data, purchase details, voice chat snippets (which may be transmitted to Epic if a violation is reported), location data, images for MetaHuman character generation, and user inputs into AI-powered features. For users under 13 (or the applicable age of digital consent), the policy establishes a Cabined Account system that restricts features like voice chat and real money purchases, requires parental consent for expanded access, and beginning April 2026 provides for deletion of personal information from accounts inactive for 18 months.

Technical / Legal Breakdown

This document is the Epic Games Privacy Policy, governing the collection, use, disclosure, retention, and processing of personal information across Epic Services including games (Fortnite, Rocket League, Fall Guys), marketplaces (Epic Games Store, Fab), developer tools (Unreal Engine, MetaHuman, UEFN), applications, websites, and live events, with Epic Games, Inc. as the stated data controller. The policy states that Epic collects identifiers, device information, usage and gameplay data, purchase and payment information, voice chat snippets, location data, communications content, and biometric-adjacent image data for MetaHuman character generation, and authorizes disclosure to subsidiaries, service providers, advertising and analytics partners, gaming platform operators, publishers, and law enforcement. The policy asserts broad collection of persistent identifiers from children in Cabined Accounts including IP address, device IDs, platform account IDs, and website tracking data, and separately authorizes use of user inputs in AI-powered features to generate outputs, though the operational scope of AI data retention and training use is not explicitly addressed in the excerpted text. The policy engages GDPR (for EU/EEA users), CCPA and COPPA (for US users, particularly California residents and users under 13), and references the Children's Online Privacy Protection Rule (16 CFR 312.2) specifically regarding inactive account data deletion timelines commencing April 2026. Material compliance considerations include the adequacy of parental consent mechanisms for Cabined Accounts under COPPA, the lawfulness of processing bases asserted under GDPR for non-EU subsidiaries, the handling of voice chat snippet retention and transmission as potential audio surveillance data under state wiretapping frameworks, and the cross-border data transfer mechanisms applicable to a globally distributed operation.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

3 important changes detected

4 versions captured · Last updated: May 2026

May 1, 2026

low

What changed Unreal Engine updated its privacy policy contact information on May 1, 2026, replacing old email addresses with new ones across its contact details section. The main privacy contact email changed from privacy@support.epicgames.com to a new address, and data protection officer emails changed from dpo@support.epicgames.com to a new format. This is an administrative update that affects where users and regulators send privacy inquiries and exercise data rights.

Why this matters Unreal Engine replaced its privacy and data protection officer email addresses with new contact information across its privacy policy. This change affects how users exercise their data subject rights, including requests to access, correct, or delete personal data. You should note the new email addresses if you plan to contact Epic Games about your data or privacy concerns.

View full change record →

April 23, 2026

low

What changed Epic Games updated its privacy policy on April 23, 2026 with clarifications focused on how it collects and uses data from children's accounts (called Cabined Accounts). The policy now specifies that persistent identifiers like IP addresses and device IDs are used for authentication, security, and service improvement, and adds language stating these identifiers are not repurposed for other uses. Language also shifted from 'child user' to 'child' throughout, and removed a previous statement about deleting personal information after inquiry resolution.

Why this matters The updated policy clarifies how Epic Games collects and uses persistent identifiers (IP addresses, device IDs, account IDs) for children's accounts. The revised language specifies that these identifiers are used for authentication, security, analytics, and service personalization, and adds an explicit statement that technical and organizational means are in place to ensure these identifiers are not repurposed for other uses. Parent email addresses are collected for notice and consent but are no longer stated to be automatically deleted after 14 days if the parent does not respond.

View full change record →

April 19, 2026 low

Epic Games updated contact email addresses across its privacy policy, consolidating multiple department-specific addresses into centralized support emails. Previously, users had to email different addresses for privacy inquiries (privacy@epicgames.com), data …

View change record →

High — 2 provisions

Cabined Account Children's Data Collection Compare →

The policy establishes a Cabined Account structure for users identified as children, collecting date of birth, hashed email address, parent/guardian email, and persistent identifiers including IP address, device IDs, platform account IDs, and tracking technology data. These identifiers are used for service provision, analytics, authentication, security, legal compliance, personalization, and user preference maintenance.

Added May 21, 2026 Standard Seen across 284 platforms
MetaHuman Image Collection for Character Generation Compare →

The policy states that images submitted by users to MetaHuman for character creation are collected to generate a 3D mesh for the requested in-game functionality, and asserts that the images are not used to identify the user.

Added May 21, 2026 Standard Seen across 284 platforms

Medium — 6 provisions

Voice Chat Snippet Recording and Transmission Compare →

The policy states that when voice reporting is enabled in a voice channel, voice chat snippets are recorded and stored locally on user devices. If a violation is reported by any participant, those stored snippets may be transmitted to Epic for review and policy enforcement purposes.

Added May 7, 2026 Standard Seen across 284 platforms
AI-Powered Feature Input and Output Processing Compare →

The policy states that user inputs submitted to AI-powered features, which may include personally identifying information, are used to generate outputs. The policy does not specify whether inputs are used for AI model training, retained beyond the session, or shared with third-party AI providers.

Added May 9, 2026 Standard Seen across 284 platforms
Parental Consent and Verification via Kids Web Services Compare →

The policy states that Epic uses Kids Web Services Ltd, a subsidiary, to verify parent/guardian email addresses and user ages for Cabined Account consent purposes. Once verified, the KWS system recognizes the verified email across all services using KWS technology, eliminating repeat verification.

Added May 21, 2026 Standard Seen across 262 platforms
18-Month Inactive Account Data Deletion for Children Compare →

Beginning April 2026, the policy states that personal information associated with children's accounts inactive for 18 consecutive months will be deleted, as defined by the Children's Online Privacy Protection Rule.

Added May 21, 2026 Standard Seen across 284 platforms
Third-Party Disclosure of Children's Account Information Compare →

The policy authorizes disclosure of children's account information to gaming console operators, app publishers on the Epic Games Store, professional advisors, and law enforcement for operational and protective purposes, and to additional third parties with parent/guardian permission for account linking and third-party sign-in.

Added May 21, 2026 Standard Seen across 284 platforms
Support-A-Creator and Developer Program Payout Information Collection Compare →

The policy states that users participating in the Support-A-Creator program or Fortnite Developer program provide application information and other identifying information, which Epic collects to verify eligibility and process financial payouts.

Added May 21, 2026 Standard Seen across 284 platforms

Low — 2 provisions

Information Collection from Third Parties Compare →

The policy states that Epic collects personal information not only from users directly and through automated means, but also from third parties. The specific categories of third parties and the types of information obtained from them are described in Section 3 of the policy.

Added May 21, 2026 Standard Seen across 284 platforms
Cross-Subsidiary Data Controller Structure Compare →

The policy defines the data controller as Epic Games, Inc. and its subsidiaries and affiliates that provide the Epic Services, with specific controller identity determined by Section 12. This structure means the applicable data controller may vary depending on the Epic Service the user is accessing.

Added May 21, 2026 Standard Seen across 284 platforms