As the fast-talking talent scout said in a hundred Hollywood classics, “I’m gonna put you in the movies!” MoviePass promised to put consumers in the movies – or at least in movie theaters – with its $9.95 per month “one movie per day” subscription plan. A proposed settlement outlines three concerns the FTC had with the company’s practices: 1) illegal tactics that MoviePass employed to block subscribers from using the service as advertised; 2) violations of the Restore Online Shoppers’ Confidence Act (ROSCA); and 3) MoviePass’s failure to take reasonable steps to secure subscribers’ personal information.
When MoviePass advertised “Unlimited movies for only $9.95/month” and “ANY MOVIE ANY THEATER ANY DAY. Only $9.95 per month,” more than three million film buffs put down the popcorn and picked up their credit cards to enroll. But the FTC says MoviePass implemented three roadblocks to prevent subscribers from using the service as advertised.
Roadblock #1 was the company’s “password disruption” policy. According to the complaint, MoviePass invalidated the passwords of the 75,000 subscribers who used the service most often while falsely claiming that the company had “detected suspicious activity or potential fraud” on their accounts. To reinstate their accounts, the password disruption program required those subscribers to maneuver through an obstacle course worthy of a blockbuster action flick – a process complicated by the fact that MoviePass’s password reset process often failed.
The complaint alleges the company had received in-house warnings about its password disruption program. In the words of one executive, “[T]here is a high risk this would catch the FTC’s attention (and State AG’s attention) and could reinvigorate their questioning of MoviePass, this time from a Consumer Protection standpoint.”
Second, MoviePass launched a “ticket verification” program that required about 20% of subscribers – approximately 450,000 consumers – to submit photos of their ticket stubs within a certain timeframe. Although the company told consumers they had been “randomly selected” for the program, the FTC says MoviePass imposed the additional obstacle on subscribers who used the service most frequently. And woe be unto the subscribers who simply stuffed their stubs in a pocket because MoviePass responded to their failure to submit a timely ticket by barring them from going to more movies and, in some circumstances, even cancelling their subscriptions.
Third, MoviePass imposed what it called a “trip wire” system that prevented some consumers from continuing to use their subscriptions once they reached a certain undisclosed threshold. According to the complaint, the company typically activated the trip wire on people who watched more than three movies per month – far fewer that the advertised “one movie per day” limit. The FTC says some subscribers didn’t learn they had been barred until they were already at the theater.
The complaint alleges that MoviePass’s practices rendered its “one movie per day” promise false or misleading. What’s more, the FTC says MoviePass violated ROSCA by failing to clearly disclose all material terms of the transaction – that consumers would not actually be able to see “one movie per day” – before getting consumers’ billing information. And because consumers didn’t know that the promise of “one movie per day” was illusory, MoviePass failed to get consumers’ express informed consent before charging their credit or debit cards.
Furthermore, MoviePass collected lots of personal information from consumers in connection with their subscriptions – full name, mailing address, credit card information, date of birth, and the movies they attended, just for starters – while assuring consumers the company “takes information security very seriously” and “uses reasonable administrative technical, physical, and managerial measures to protect personal details from unauthorized access.” MoviePass also claimed to store consumers’ email addresses and payment information in “an encrypted form.” You’ll want to read the complaint for details, but the FTC says MoviePass left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorized access. According to the complaint, that made MoviePass’ security claims false or misleading.
The lawsuit names MoviePass; parent company Helios and Matheson Analytics, Inc.; and corporate officers Mitchell Lowe and Theodore Farnsworth. (The data security allegation names only MoviePass, Helios, and Lowe.) The proposed settlement prohibits the respondents from misrepresenting any product or service in the future. In addition, it requires that MoviePass and Helios, any business that MoviePass or Helios directly or indirectly controls, and any business that Lowe directly or indirectly controls and that collects or maintains consumers’ personal information must implement a comprehensive security program. Both MoviePass and parent company Helios have filed for bankruptcy.
Once the proposed order appears in the Federal Register, you’ll have 30 days to file a public comment.
The lesson of the MoviePass action extends far beyond the facts of the case. The fact that they were in the red – rather than on the Red Carpet – didn’t justify MoviePass’s conduct. Just as consumers are expected to deal honestly and transparently with their financial miscalculations, so must companies.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.