FTC Settlement with MoviePass Highlights Increased Use of Consumer Protection Rules | WilmerHale
On June 7, 2021, the Federal Trade Commission (FTC) announced a settlement with MoviePass over allegations that MoviePass and its executives took steps to prevent subscribers from using the service as advertised and also failed to secure subscribers' personal data.
A more in-depth analysis of the complaint and the consent order is presented below, but the main takeaways are as follows:
- Exploit existing rules in an innovative way. The FTC included one count in the complaint alleging violations of the Restore Online Shoppers’ Confidence Act (ROSCA) for conduct that the agency had not previously considered to violate that rule. This is consistent with the FTC’s renewed emphasis on rule-making and maximizing the use of its existing rules, especially after the Supreme Court ruling in AMG Capital Management. Businesses should expect the FTC to continue to extend its existing rules to new scenarios in an effort to secure civil penalties.
- Hold leaders personally accountable. The consent order names the CEOs of companies accused of unfair and deceptive conduct as respondents, and subjects them to the injunction conditions of the agreement. This follows a trend of the FTC and other agencies pursuing theories of individual liability for violations of privacy and other consumer protection laws to maximize the deterrent effect of the regulation.
- Address a wide range of (bad) business behaviors. The complaint included charges alleging that MoviePass and its executives used tactics to prevent service subscribers from watching their promised “one movie per day”, as well as charges that the company had unreasonable data security practices. The FTC’s broad consumer protection mission means that an investigation that may have started with a single business practice may very well spread to other areas quickly.
Claims under Section 5 of the FTC Act
MoviePass offered consumers a subscription service that allowed them to view movies in their local theaters for a monthly fee. MoviePass’ marketing materials promised “unlimited” movie views for $9.95 per month, automatically charging subscribers this fee each month.
The administrative complaint alleges that MoviePass deceived customers in violation of Section 5 of the FTC Act by offering “unlimited” movie views in theaters for $9.95 per month, but then using tactics to keep high-volume customers from using the service as advertised. Specifically, the FTC alleges that MoviePass operators (1) invalidated subscriber passwords while falsely claiming to have detected “suspicious activity or potential fraud” on the accounts; (2) initiated a ticket verification program to discourage use of the service; and (3) blocked certain groups of users from using the service after they collectively reached certain thresholds. This had the effect of throttling service for high-volume customers and reducing their ability to view movies on a truly “unlimited” basis, which the FTC alleges was deceptive.
Restore Online Shoppers’ Confidence Act (ROSCA) Claims
The FTC further alleged that the throttling tactics described above violated ROSCA. This rule requires companies to disclose all material terms to consumers when marketing a negative option feature[1], such as online subscriptions that renew automatically and are billed monthly, on the Internet. According to the FTC’s liability theory, the fact that the service was limited was material to consumers’ decision to purchase the subscription, and MoviePass did not obtain express informed consent (since there can be no “informed consent” if a consumer is not informed of the material terms of the offer). Although the FTC can seek civil penalties for a violation of ROSCA, it declined to do so in this case.
As stated in Commissioner Wilson’s concurring statement, this is a new approach to a ROSCA claim. In the past, the FTC has focused on the negative option feature itself, for example, whether consumers understood the terms of the negative option feature, had given their consent to those terms, or were able to cancel the agreement in a simple way. Here, the Commission alleged “a violation of ROSCA where the undisclosed material conditions do not relate specifically to the negative option functionality, but rather to the underlying good or service marketed through that functionality”. According to Commissioner Wilson, who concurred, the decision not to seek civil penalties in this case was fundamentally a matter of fairness, so that companies are made aware of how the FTC will apply the law in the future and have the opportunity to challenge this new use of authority, presumably during the public comment period.
Claims of deceptive failure to take reasonable steps to protect customer data
The FTC also alleges in the complaint that MoviePass misrepresented its data security practices and failed to take reasonable administrative, technical, physical and managerial measures to protect consumers’ personal data from unauthorized access. These allegedly lax data security practices led to a data breach in 2019 in which a server with a large amount of personal information was left exposed and was repeatedly accessed from countries where the company does not operate or maintain relationships. Although MoviePass stated that it “takes information security very seriously” and “uses reasonable administrative, technical, physical and managerial measures to protect [consumers’] personal data against unauthorized access”, the FTC has identified the following shortcomings:
- Storing personal information of consumers, including financial information and email addresses, in clear text;
- Failing to assess risks to personal information stored on its network, for example by performing periodic risk assessments or performing network vulnerability and penetration tests;
- Failing to maintain and manage security controls that protect and restrict access to consumers’ personal information. For example, Respondent MoviePass disabled its firewall and uploaded consumers’ personal information to a server in April 2019 in a way that left the information accessible to all parties with an Internet connection;
- Failing to provide adequate security training to its employees; and
- Failing to implement protective measures to detect abnormal activities and/or cybersecurity events, such as an adequate intrusion prevention or detection system to alert it to potentially unauthorized access to the network or servers of Respondent MoviePass.
As part of the settlement, MoviePass, its parent company and its executives have agreed to implement a comprehensive information security program for any business that collects personal information from consumers, requiring, among other things:
- That the information security program contain safeguards based on the volume and sensitivity of personal information at risk;
- That the testing and monitoring of safeguards be carried out regularly, but not less than once a year; and
- That the information security program be documented, evaluated and adjusted in light of any changes in business operations or new technological advances.
In addition, MoviePass, its parent company and executives have agreed to obtain an initial and then biennial third-party information security assessment, and to report annually on compliance to the FTC.
[1] A “negative option feature” is defined in the Telemarketing Rule and is, in “an offer or agreement to sell or provide goods or services, a provision under which the customer’s silence or omission to take positive action to reject goods or terminate the contract is interpreted by the seller as acceptance of the offer.” 16 CFR § 310.2(w).