Now playing at the FTC: MoviePass Data Security Case and ROSCA Settlement

As reported on the Hunton Retail Law Resource blog, the Federal Trade Commission this week voted 3 to 1 to a settlement agreement with MoviePass, Inc., its parent company, and two of the former employees of the now-defunct company on allegations of failure to take adequate safeguards of consumer data and fraudulent trading practices. The Commission brought an enforcement action against MoviePass under the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), which required disclosure of all material conditions, informed consumer consent and a simple mechanism to end the replay. Negative Option Services Marketing Fees.

MoviePass offered a subscription service that allowed consumers to watch unlimited movies in theaters for a monthly fee. However, according to the FTC’s complaint, that business model proved unsuccessful, and when MoviePass realized this, the company implemented at least three strategies to make it more difficult for consumers to actually watch movies:

  • The passwords of the 75,000 strongest users were invalidated for wrong reasons, so they had to go through a complicated password reset process before they could use their subscription.
  • A complicated “ticket verification system” has been implemented, whereby subscribers have to submit pictures of their cinema tickets within a certain period of time.
  • Set secret caps on the number of movies subscribers can watch.

The FTC’s complaint alleges that personal information – including name, gender, billing addresses, geolocation, and credit card information – was disclosed for four months in 2019. The data was allegedly stored in such a way that it would then be “accessible to all parties with an Internet connection”. MoviePass was unable to manage the security controls. In addition, the FTC alleged that MoviePass made false or misleading claims regarding the use of reasonable administrative, technical, physical and managerial measures to protect consumers’ personal information.

The FTC also alleged that MoviePass failed to disclose all material terms when failing to communicate to consumers that it had implemented strategies to make their subscriptions difficult to use. And because these key terms were not disclosed, MoviePass was unable to obtain informed consumer consent.

Commissioner Noah Phillips, in his dissenting opinion, voted against the FTC’s application of ROSCA to MoviePass against the case, calling it a “novel” liability theory. The Commissioner’s main argument is that ROSCA is dealing with the negative option terms and the transaction itself, not the underlying product or service. Commissioner Wilson’s consistent statement in support of the case offers a different point of view, quoting from the full ROSCA section to argue that these enforcement actions are in the clear text of the law.

Both commissioners also refer to the recent Supreme Court ruling in AMG Capital Mgmt., LLC v FTC, which found that the FTC has no authority to seek fair redress under Section 13 (b) of the FTC Act . While Commissioner Phillips apparently took AMG as a warning to curtail FTC authority, Commissioner Wilson said that this enforcement action by ROSCA “will serve as a notice to the market and future violations of this nature may well result in civil penalties,” which ROSCA may consider partial replacement for the authority lost in the Supreme Court.

The settlement does not require any fines, fees, or damages. Instead, MoviePass prohibits making certain misleading statements in the future and provides additional reporting and FTC oversight for future business ventures.

Comments are closed.