Operators of MoviePass Subscription Service Agree to Settle FTC Allegations that They Limited Usage, Failed to Secure User Data

The operators of the MoviePass subscription service have agreed to settle Federal Trade Commission allegations they took steps to block subscribers from using the service as advertised, while also failing to secure subscribers’ personal data.

Under the proposed settlement, MoviePass, Inc., its parent company Helios and Matheson Analytics, Inc. (Helios), and their principals, Mitchell Lowe and Theodore Farnsworth, will be barred from misrepresenting their business and data security practices. In addition, any businesses controlled by MoviePass, Helios, or Lowe must implement comprehensive information security programs.

“MoviePass and its executives went to great lengths to deny consumers access to the service they paid for while also failing to secure their personal information,” said Daniel Kaufman, the FTC’s Acting Director of the Bureau of Consumer Protection. “The FTC will continue working to protect consumers from deception and to ensure that businesses deliver on their promises.”

In its complaint, the FTC alleges that MoviePass, Inc.—along with its CEO, Lowe, as well as Helios and Farnsworth, CEO of Helios—deceptively marketed its “one movie per day” service promised to subscribers who paid for its $9.95 monthly service. The FTC alleges that MoviePass employed three tactics to prevent subscribers from using the service as advertised.

First, according to the FTC, MoviePass’s operators invalidated subscriber passwords while falsely claiming to have detected “suspicious activity or potential fraud” on the accounts. MoviePass’s operators did this even though some of its own executives raised questions about the scheme, according to the complaint.

Second, MoviePass’s operators launched a ticket verification program to discourage use of the service. This program required subscribers to take and submit pictures of their physical movie ticket stubs for approval through the MoviePass app within a certain timeframe. Subscribers who failed to submit their tickets could not view future movies and could have their subscriptions canceled if they failed to verify their tickets more than once. The program blocked thousands of subscribers from using the service because of problems with the verification system, according to the complaint.

Third, MoviePass’s operators used “trip wires” that blocked certain groups of users—typically those who viewed more than three movies per month—from utilizing the service after they collectively hit certain thresholds based on their monthly cost to the company, the FTC alleges.

The Commission’s complaint details how Lowe and Farnsworth were personally involved in this scheme. For example, Lowe is alleged to have personally ordered subscribers’ passwords to be disrupted, and even chose the number of consumers to be targeted. As for Farnsworth, the complaint alleges that an employee sent an email on Farnsworth’s behalf proposing a misleading consumer notice about the password disruption. Both executives knew their scheme was deceptive and harmful to consumers, according to the complaint.

The FTC alleges that MoviePass’s operators also violated the Restore Online Shoppers’ Confidence Act (ROSCA). ROSCA requires that firms be truthful with consumers when marketing negative option services—such as subscriptions—over the Internet. This means disclosing all material terms, and obtaining consumers’ informed consent before charging them.

As detailed in the Commission’s complaint, MoviePass’s operators failed to live up to both requirements. They pitched consumers on a “one movie per day” subscription, while hiding the ball about their elaborate efforts to prevent consumers from taking advantage of this service. And because consumers were not aware that the “one movie per day” promise was illusory, MoviePass’s operators failed to obtain their informed consent. 

In addition, MoviePass’s operators failed to take reasonable steps to secure personal information they collected from subscribers, such as names, email addresses, birth dates, credit card numbers, and geolocation information, the FTC alleges. For example, the company stored consumers’ personal data, including financial information and email addresses, in plain text and failed to impose restrictions on who could access personal data.

MoviePass noted in its privacy policy that it used reasonable measures to protect personal information including encrypting customer emails and payment information, according to the complaint. Despite these claims, MoviePass’s operators left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorized access.

Lowe, Farnsworth, MoviePass, and its parent company are all bound by the proposed order. Under the proposed order, MoviePass’s operators are prohibited from misrepresenting the services they provide and must implement a comprehensive security program requiring them—and any businesses controlled by MoviePass, Helios, or Lowe—to identify external and internal security risks and take steps to address those risks. In addition, MoviePass’s operators must obtain biennial assessments of their information security program by a third party, which the FTC has authority to approve, to examine the effectiveness of the program. Finally, MoviePass’s operators are required to notify the FTC of any future data breaches, and a senior executive must certify annually that MoviePass’s operators are complying with the data security requirements of the settlement. The order does not include monetary relief for consumers. Both MoviePass and its parent company, Helios, have filed for bankruptcy.

The Commission voted 3-1 to issue the administrative complaint and to accept the proposed consent agreement. Commissioner Noah Joshua Phillips voted no and issued a dissenting statement. Commissioner Christine S. Wilson issued a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,792.

The Federal Trade Commission works to promote competition and to protect and educate consumers. You can learn more about consumer topics and report scams, fraud, and bad business practices online at ReportFraud.ftc.gov.

CONTACT INFORMATION

Media Contact:
Office of Public Affairs
202-326-2924

Staff Contact:
Thomas B. Carter
FTC Southwest Region
214-979-9372