DataBreaches.Net


Operators of MoviePass Subscription Service Agree to Settle FTC Allegations that They Limited Usage, Failed to Secure User Data

Posted on June 8, 2021 by Dissent

The operators of the MoviePass subscription service have agreed to settle Federal Trade Commission allegations they took steps to block subscribers from using the service as advertised, while also failing to secure subscribers’ personal data.

Under the proposed settlement, MoviePass, Inc., its parent company Helios and Matheson Analytics, Inc. (Helios), and their principals, Mitchell Lowe and Theodore Farnsworth, will be barred from misrepresenting their business and data security practices. In addition, any businesses controlled by MoviePass, Helios, or Lowe must implement comprehensive information security programs.

“MoviePass and its executives went to great lengths to deny consumers access to the service they paid for while also failing to secure their personal information,” said Daniel Kaufman, the FTC’s Acting Director of the Bureau of Consumer Protection. “The FTC will continue working to protect consumers from deception and to ensure that businesses deliver on their promises.”

In its complaint, the FTC alleges that MoviePass, Inc.—along with its CEO, Lowe, as well as Helios and Farnsworth, CEO of Helios—deceptively marketed its “one movie per day” service promised to subscribers who paid for its $9.95 monthly service. The FTC alleges that MoviePass employed three tactics to prevent subscribers from using the service as advertised.

First, according to the FTC, MoviePass’s operators invalidated subscriber passwords while falsely claiming to have detected “suspicious activity or potential fraud” on the accounts. MoviePass’s operators did this even though some of its own executives raised questions about the scheme, according to the complaint.

Second, MoviePass’s operators launched a ticket verification program to discourage use of the service. This program required subscribers to take and submit pictures of their physical movie ticket stubs for approval through the MoviePass app within a certain timeframe. Subscribers who failed to submit their tickets could not view future movies and could have their subscriptions canceled if they failed to verify their tickets more than once. The program blocked thousands of subscribers from using the service because of problems with the verification system, according to the complaint.

Third, MoviePass’s operators used “trip wires” that blocked certain groups of users—typically those who viewed more than three movies per month—from utilizing the service after they collectively hit certain thresholds based on their monthly cost to the company, the FTC alleges.

The Commission’s complaint details how Lowe and Farnsworth were personally involved in this scheme. For example, Lowe is alleged to have personally ordered subscribers’ passwords to be disrupted, and even chose the number of consumers to be targeted. As for Farnsworth, the complaint alleges that an employee sent an email on Farnsworth’s behalf proposing a misleading consumer notice about the password disruption. Both executives knew their scheme was deceptive and harmful to consumers, according to the complaint.

The FTC alleges that MoviePass’s operators also violated the Restore Online Shoppers’ Confidence Act (ROSCA). ROSCA requires that firms be truthful with consumers when marketing negative option services—such as subscriptions—over the Internet. This means disclosing all material terms, and obtaining consumers’ informed consent before charging them.

As detailed in the Commission’s complaint, MoviePass’s operators failed to live up to both requirements. They pitched consumers on a “one movie per day” subscription, while hiding the ball about their elaborate efforts to prevent consumers from taking advantage of this service. And because consumers were not aware that the “one movie per day” promise was illusory, MoviePass’s operators failed to obtain their informed consent.

In addition, MoviePass’s operators failed to take reasonable steps to secure the personal information they collected from subscribers, such as their names, email addresses, birth dates, credit card numbers, and geolocation information, the FTC alleges. For example, the company stored consumers’ personal data, including financial information and email addresses, in plain text and failed to impose restrictions on who could access personal data.

MoviePass noted in its privacy policy that it used reasonable measures to protect personal information, including encrypting customer emails and payment information, according to the complaint. Despite these claims, MoviePass’s operators left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorized access.

Lowe, Farnsworth, MoviePass, and its parent company are all bound by the proposed order. Under the proposed order, MoviePass’s operators are prohibited from misrepresenting the services they provide and must implement a comprehensive security program requiring them—and any businesses controlled by MoviePass, Helios, or Lowe—to identify external and internal security risks and take steps to address those risks. In addition, MoviePass’s operators must obtain biennial assessments of their information security program by a third party, which the FTC has authority to approve, to examine the effectiveness of the program. Finally, MoviePass’s operators are required to notify the FTC of any future data breaches, and a senior executive must certify annually that MoviePass’s operators are complying with the data security requirements of the settlement. The order does not include monetary relief for consumers. Both MoviePass and its parent company, Helios, have filed for bankruptcy.

The Commission voted 3-1 to issue the administrative complaint and to accept the proposed consent agreement. Commissioner Noah Joshua Phillips voted no and issued a dissenting statement. Commissioner Christine S. Wilson issued a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,792.

The Federal Trade Commission works to promote competition and to protect and educate consumers. You can learn more about consumer topics and report scams, fraud, and bad business practices online at ReportFraud.ftc.gov. Like the FTC on Facebook, follow us on Twitter, get consumer alerts, read our blogs, and subscribe to press releases for the latest FTC news and resources.

Source:  Federal Trade Commission

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.