Privacy & Information Security Law Blog

As reported on the Hunton Retail Law Resource blog, this week, the Federal Trade Commission voted 3 to 1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of failure to take reasonable measures to secure consumers’ data and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.

MoviePass offered a subscription service that allowed consumers to see unlimited movies in theatres for a monthly fee. However, according to the FTC’s complaint, this business model proved unsuccessful, and, once this became apparent to MoviePass, the company implemented at least three strategies to make it more difficult for consumers to actually see movies:

• Invalidated passwords of the 75,000 heaviest users for false reasons, requiring them to undergo a complicated password reset process before they could use their subscription.
• Implemented a convoluted “ticket verification system,” requiring subscribers to submit pictures of their movie tickets within a certain time period.
• Set secret caps on the number of movies subscribers could attend.

The FTC’s complaint alleges that personal information—including names, gender, billing addresses, geolocation and credit card information—was exposed for four months in 2019. The information allegedly was stored such that it was “accessible to any parties with an internet connection” after MoviePass failed to maintain and manage security controls. Moreover, the FTC alleged that MoviePass made false or misleading misrepresentation with respect to its use of reasonable administrative, technical, physical, and managerial measures to protect consumers’ personal information.

The FTC also alleged that MoviePass failed to disclose all the material terms when it did not tell consumers that it implemented strategies to make it more difficult to use their subscriptions. And, because those material terms were not disclosed, MoviePass failed to obtain consumers’ informed consent.

Commissioner Noah Phillips voted against the case,  in his dissenting statement against the FTC’s application of ROSCA to MoviePass, calling it a “novel” theory of liability. The Commissioner’s primary argument is that ROSCA is concerned with the negative option terms and transaction itself, rather than the underlying product or service. Commissioner Wilson’s concurring statement in support of the case offers a different view, quoting from the full ROSCA section to argue that this enforcement action is within the plain language of the law.

Both Commissioners also reference the Supreme Court’s recent decision in AMG Capital Mgmt., LLC v. F.T.C., which ruled that the FTC lacks authority to seek equitable relief under section 13(b) of the FTC Act. Whereas Commissioner Phillips appeared to take AMG as a warning to limit FTC authority, Commissioner Wilson said that this ROSCA enforcement action “will serve as notice to the market, and future violations of this type may well warrant civil penalties,” perhaps viewing ROSCA as a partial substitute for authority lost at the Supreme Court.

The settlement requires no fines, fees or damages. Instead, it prohibits MoviePass from making certain misleading statements in the future and provides for additional reporting requirements and FTC oversight for future business ventures.

Update: On October 5, 2021, the FTC finalized its settlement with MoviePass over allegations that the company failed to take reasonable measures to secure consumers’ personal information and engaged in deceptive trade practices. The FTC voted 4-1 in the approval of the complaint and order, with Commissioner Phillips voting no.