Facebook’s own internal studies showed that children as young as kindergarten age were unwittingly putting hundreds or even thousands of dollars on their parents’ credit cards while playing games like Social Empires, Pocket God, and Angry Birds, newly released internal documents show.
But Facebook officials elected not to put speed bumps in its payment process that would reduce the unintended charges, for fear it would also cut into legitimate grown-up purchases, the documents show. At the same time, the company routinely refused refund requests from sticker-shocked parents.
“Unfortunately, because the unauthorized charge was made by someone in your household or by someone who is known to you, we cannot issue a refund per our terms of purchase,” reads one of Facebook’s scripted response letters.
The new details are found in roughly 140 pages of internal documents and depositions originally filed under seal in a class-action lawsuit against Facebook lodged by parents. Facebook settled the case in 2016, and last year the publication Reveal by the Center for Investigative Reporting asked the court to make the filings public. Some of the released documents still contain sizable redactions, and other papers in the case are still sealed.
At the core of the problem was Facebook’s practice of storing a user’s credit-card number after a purchase of any kind, making any subsequent spending child’s play. As with Facebook’s other contentious moves, this practice was only disclosed in the company’s terms-of-service, and parents were generally shocked to learn that their kids were able to spend freely with the click of a button—a trend Facebook dubbed “friendly fraud.”
“My daughter took my computer to buy credits, she is only 7 years old, she did not know that she really paid,” one parent complained to Facebook. “Do not store our credit card info,” read another complaint. “My child was able to click one button and make the purchase.”
In September 2013, Facebook staffers evaluating a refund request from a 15-year-old girl referred to her as a “whale,” a casino-industry term for a high-value gambler. The girl had rung up charges of $6,545 in 17 days. After a brief internal discussion, Facebook denied her a refund.
Facebook processed an estimated 14 million purchases by minors totaling $35 million between February 2008 and June 2014, according to the documents.
In many cases, “a parent permits his child to spend at a small denomination and doesn’t realize that the [credit card] info will be stored,” a Facebook worker wrote. As for the kids, many thought they were just spending game money. One Facebook employee noted that some apps set the default purchase amount so high “it doesn't necessarily look like ‘real’ money to a minor.”
In 2011, Facebook launched an internal assessment of “the financial impact of permitting minors to spend Facebook Credits.” Code-named Project Bootcamp, the investigation was focused on the bottom line. When a consumer successfully disputes a Facebook charge with PayPal or a credit-card company, Facebook takes a financial hit in processing fees and penalties.
That fall, the company tested a patch they called Verify_CC_FirstSix that would require minors to enter the first six digits of the stored credit-card number before spending more than $75 in a single transaction. “It forces the minor to prove he is in possession of the credit card,” wrote one Facebook worker. “It should keep kids from running rampant with their parents CC’s [credit cards], which is a problem in certain apps,” another seconded.
The test was dubbed a modest success. Chargebacks and refund demands fell to 27.8 percent for the kids required to enter the credit-card digits, down from 39.9 percent in a control group that was still spending with a single click. But in a 2014 deposition, Facebook’s director of risk and payment operations, Bill Richardson, said Verify_CC_FirstSix was never rolled out.
The released documents don’t say why, but another Facebook email around that time bluntly explained that reducing unauthorized child purchases carries a risk of reducing legitimate sales as well. “If we were to build risk models to reduce it, we would most likely block good TPV,” the memo notes, referring to the total payment volume of Facebook transactions.
That email came after the Finnish game developer Rovio released a version of Angry Birds to the Facebook platform, and almost immediately noticed an alarming amount of refund requests—as much as 10 percent of its transactions each day. The company asked Facebook what was going on, and Facebook determined that 93 percent of the refunds were for purchases made by kids without permission from a grownup.
“These were all being played on the parent or grandparent’s account,” wrote one Facebook employee who investigated the Angry Birds flap. “The parent had a stored credential either from previous game spend or from advertising on FB. Nearly all state that they were surprised that the child wasn’t prompted for some sort of authorization first.”
Facebook calculated that the average age of the child was 5 years old.