On June 7, 2021, the Federal Trade Commission (FTC) announced a settlement with MoviePass relating to allegations that MoviePass and its executives took steps to block subscribers from using the service as advertised, and also failed to secure subscribers’ personal data.
A further analysis of the complaint and consent order is below, but key takeaways include:
- Leveraging existing rules in novel ways. The FTC included a count in the complaint alleging violations of the Restore Online Shoppers’ Confidence Act (ROSCA) for conduct that had not previously been held by the agency to violate that rule. This is consistent with the FTC’s renewed focus on rulemaking and maximizing the use of its existing rules, especially after the Supreme Court’s decision in AMG Capital Management. Companies should expect to see the FTC continue to stretch its existing rules to new scenarios in an effort to obtain civil penalties.
- Holding executives personally accountable. The consent order names the Chief Executive Officers of the companies charged with the unfair and deceptive conduct as respondents, and makes them subject to the injunctive terms of the agreement. This follows a trend of the FTC and other agencies pursuing theories of individual liability for violations of privacy and other consumer protection laws in order to maximize the deterrent effect of the settlement.
- Addressing a broad range of company (mis)behavior. The complaint included counts alleging that MoviePass and its executives employed tactics to prevent subscribers of the service from watching their promised “one movie per day,” as well as that the company had unreasonable data security practices. The FTC’s broad consumer protection mission means that investigations that may have begun as an inquiry into only one company practice may very well quickly expand into other areas.
FTC Act Section 5 Claims
MoviePass offered consumers a subscription service that allowed consumers to view movies at their local theaters for a monthly fee. MoviePass’s marketing materials promised “unlimited” movie views for $9.95 per month, automatically charging subscribers that fee each month.
The Administrative Complaint alleges that MoviePass deceived customers in violation of Section 5 of the FTC Act by offering “unlimited” movie viewings at theaters for $9.95 per month, but then employing tactics to prevent high-volume customers from using the service as advertised. Specifically, the FTC alleges that MoviePass’s operators (1) invalidated subscriber passwords while falsely claiming to have detected “suspicious activity or potential fraud” on the accounts; (2) launched a ticket verification program to discourage use of the service; and (3) blocked certain groups of users from using the service after they collectively hit certain thresholds. This had the effect of throttling the service for high-volume customers and reducing their ability to screen movies on a truly “unlimited” basis, which the FTC alleges was deception.
Restore Online Shoppers’ Confidence Act (ROSCA) Claims
The FTC further alleged that the throttling tactics described above violated ROSCA. That rule requires that firms disclose all material terms to consumers when marketing a negative option feature[1]—such as online subscriptions that automatically renew and are charged monthly—over the Internet. According to the FTC’s theory of liability, the fact of the throttling was material to the consumers’ decision to purchase the subscription, and MoviePass failed to obtain express informed consent (since there can be no “informed consent” if a consumer is not given notice of the material terms of the offer). Although the FTC can seek civil penalties for a violation of ROSCA, it declined to do so in this instance.
As noted in Commissioner Wilson’s concurring statement, this is a new approach to a ROSCA claim. In the past, the FTC has focused on the negative option feature itself—for example, whether consumers understood the terms of the negative option feature, had given consent to those terms, or were able to cancel the agreement in a simple way. Here, the Commission alleged “a violation of ROSCA where the undisclosed material terms do not relate specifically to the negative option feature, but instead on the underlying good or service marketed through that feature.” According to Commissioner Wilson, who concurred, the decision not to seek civil penalties in this matter was fundamentally one of fairness so that businesses would have notice of how the law would be enforced by the FTC going forward and be given the ability to contest this new use of authority, presumably during the public comment period.
Deceptive Failure to Take Reasonable Measures to Protect Customer Data Claims
The FTC also alleges in the complaint that MoviePass misrepresented its data security practices, and that it failed to use reasonable administrative, technical, physical, and managerial measures to protect consumers’ personal data from unauthorized access. These allegedly lax data security practices led to a 2019 data breach in which a server containing a large amount of personal information was left exposed and was accessed several times from countries where the company does not operate or otherwise have relationships. Despite representing that it “takes information security very seriously” and “uses reasonable administrative technical, physical, and managerial measures to protect [consumers’] personal details from unauthorized access,” the FTC identified the following shortcomings:
- Storing consumers’ personal information, including financial information and email addresses, in clear text;
- Failing to assess the risks to the personal information stored on its network, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network;
- Failing to maintain and manage security controls that protect and restrict access to consumers’ personal information. For example, Respondent MoviePass disabled its firewall and loaded consumers’ personal information onto a server in April 2019 in a manner that left the information accessible to any parties with an internet connection;
- Failing to provide adequate security training to its employees; and
- Failing to implement safeguards to detect anomalous activity and/or cybersecurity events, such as an adequate intrusion prevention or detection system to alert of potentially unauthorized access to Respondent MoviePass’s network or servers.
As part of the settlement, MoviePass, its parent company, and its executives agreed to implement a comprehensive information security program for any enterprise that collects consumers’ personal information, requiring among other things:
- That the information security program contain safeguards that are based on the volume and sensitivity of the personal information at risk;
- That testing and monitoring of the safeguards be conducted regularly, and no less often than once a year; and
- That the information security program be documented, evaluated, and adjusted in light of any changes to business operations or new technological advancements.
In addition, MoviePass, its parent company, and its executives agreed to obtain an initial and then biennial third-party information security assessment, and to report compliance to the FTC annually.
[1] A “negative option feature” is defined under the Telemarketing Sales Rule and is “an offer or agreement to sell or provide any goods or services, a provision under which the customer’s silence or failure to take an affirmative action to reject goods or service or to cancel the agreement is interpreted by the seller as acceptance of the offer.” 16 C.F.R. §310.2(w).