FTC Settles Deceptive Marketing and Lax Data Security Complaint With MoviePass

The Federal Trade Commission (FTC) announced a proposed consent agreement with MoviePass Inc., its parent company Helios and Matheson Analytics Inc., and two of Helios’s principals, Mitchell Lowe and Theodore Farnsworth, on Monday. The FTC’s complaint alleged that the defendants hindered MoviePass subscribers’ ability to use the service as advertised and failed to secure their personal data.

The press release explained that MoviePass offered consumers the ability to watch one movie per day, in-person, at American cinemas in exchange for a monthly fee of $3.95. Yet, the commission stated in its complaint, the companies violated the Restore Online Shoppers’ Confidence Act (ROSCA) by “pitch(ing) consumers on a ‘one movie per day’ subscription, while hiding the ball about their elaborate efforts to prevent consumers from taking advantage of this service.”

The complaint described how the corporate and individual defendants employed three tactics to prevent subscribers from using the service as advertised. First, the subscription service’s operators allegedly invalidated member passwords while falsely claiming to have identified “suspicious activity or potential fraud” on the accounts.

Second, the defendants reportedly launched a ticket verification program to discourage movie goers. According to the complaint, the program required subscribers to photograph and submit ticket stubs, but prevented thousands of members from using the service because of problems therewith. Third, the FTC alleged, MoviePass operators set up “trip wires” that blocked certain groups of users, mainly those who viewed more than three movies per month, from using MoviePass after they cumulatively hit certain thresholds based on their monthly costs to the company.

In addition, the complaint detailed how the two executive defendants, Lowe and Farnsworth, were personally involved in the supposedly unscrupulous behavior by ordering password disruption and “proposing a misleading consumer notice about the password disruption.” Finally, the complaint set forth the improper data security practices the defendants engaged in. As an example, the FTC stated that the defendants stored subscribers’ personal data including financial information and email addresses in plain text and failed to impose restrictions on access to the data.

The proposed consent order bars the defendants from engaging in the aforementioned misconduct and requires the company to improve its consumer transparency and its data security practices. The FTC reportedly voted 3-1 to issue the administrative complaint and to accept the proposed consent agreement. Commissioner Noah Joshua Phillips voted no and issued a dissenting statement, contending that the decision rests on a “novel theory of liability” under the ROSCA that “accomplishes nothing for consumers and reduces clarity for businesses seeking to follow the law.”