FTC proposes consent order against MoviePass for fraudulent operations and not securing data

It was a cool experiment, but the theater-subscription service that was MoviePass was a fatally flawed business model. Its lack of sustainability led its executives to try some shady money-saving tactics. The FTC did not take kindly to the shenanigans. It concluded its probe into the company with a stifling consent order.

On Monday, the Federal Trade Commission (FTC) announced that it had concluded an investigation into the now-defunct subscription movie service MoviePass and had reached a settlement over its alleged actions. The FTC charged parent company Helios and Matheson Analytics and operators Mitchell Lowe and Theodore Farnsworth with blocking paying users from accessing the service as advertised and with not securing customer information.

“MoviePass and its executives went to great lengths to deny consumers access to the service they paid for while also failing to secure their personal information,” said Daniel Kaufman, the FTC’s Acting Director of the Bureau of Consumer Protection. “The FTC will continue working to protect consumers from deception and to ensure that businesses deliver on their promises.”

In 2019, the struggling platform allegedly invalidated the passwords of “power users,” citing “suspicious activity or potential fraud.” Insiders claimed executives knew the move was wrong but were desperate to slow down their losses and blamed Mitch Lowe for the dishonest act.

“Before Mitch [Lowe] came on, it was, ‘How do we slow down those users?’” one insider said. “With Mitch, it was just, ‘F— those guys.’”

The FTC said the company used a buggy ticket verification system to discourage users from using the service, employing a one-strike rule that allowed the company to cancel subscriptions when users did not submit verification on time.

The commission also found MoviePass guilty of using “trip wires” [sic] to block certain user groups. In general, these were subscribers who viewed more than three movies per month. The tripwires prevented users from using the service whenever the group collectively hit certain company loss levels in a given month.

These tactics violate the Restore Online Shoppers’ Confidence Act (ROSCA), which demands truth in advertising over the internet. It also requires user notification and consent when making changes to services in a subscription.

Finally, the FTC ruled that MoviePass failed to properly secure user account information, including credit card numbers. The company allegedly stored all customer-related data in plain text and did not restrict access to the database. The 2019 data breach, which exposed at least 58,000 records, is evidence of this claim. A sample of 1,000 leaked database entries showed more than half included credit and debit card numbers and their expiration dates.

As part of the consent agreement, Lowe, Farnsworth, MoviePass, Helios, and all involved operators are prohibited from misrepresenting any prospective services under strict FTC oversight. They must have “a comprehensive security program” in place for any future businesses, which a third-party firm will audit biennially. Any breaches or security risks encountered must be reported to the FTC immediately upon discovery. A senior executive must annually notify the commission that all security requirements are met.

Unfortunately for disgruntled customers, the proposed order does not contain any monetary compensation. Both MoviePass and Helios have filed for Chapter 7 bankruptcy, dissolving both businesses shortly after shutting down the service with very little notice.