Now Playing at the FTC: MoviePass Data Security Case and ROSCA Settlement
Time 3 Minute Read
Now Playing at the FTC: MoviePass Data Security Case and ROSCA Settlement

This week, the FTC voted 3–1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of data security issues and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.

MoviePass offered a subscription service that allowed consumers to see unlimited movies in theatres for a monthly fee. However, according to the FTC’s complaint, this business model proved unsuccessful, and, once this became apparent to MoviePass, the company implemented at least three strategies to make it more difficult for consumers to actually see movies:

  1. Invalidated passwords of the 75,000 heaviest users for false reasons, requiring them to undergo a complicated password reset process before they could use their subscription.
  2. Implemented a convoluted “ticket verification system,” requiring subscribers to submit pictures of their movie tickets within a certain time period.
  3. Set secret caps on the number of movies subscribers could attend.

Unfortunately, for subscribers to MoviePass, this settlement is not the end of the story. The FTC’s complaint alleges that significant personal information—including name, gender, billing address, and credit card information—was exposed for four months in 2019. Indeed, the information was stored such that it was “accessible to any parties with an internet connection.”

The FTC also alleged that MoviePass failed to disclose all the material terms when it did not tell consumers that it implemented strategies to make it more difficult to use their subscriptions. And, because those material terms were not disclosed, MoviePass failed to obtain consumers’ informed consent.

Commissioner Noah Phillips voted against the case, arguing in his dissenting statement against the FTC’s application of ROSCA to MoviePass, calling it a “novel” theory of liability. The Commissioner’s primary argument is that ROSCA is concerned with the negative option terms and transaction itself, rather than the underlying product or service. Commissioner Wilson’s concurring statement in support of the case offers a different view, quoting from the full ROSCA section to argue that this enforcement action is within the plain language of the law.

Both Commissioners also reference the Supreme Court’s recent decision in AMG Capital Mgmt., LLC v. F.T.C., which ruled that the FTC lacks authority to seek equitable relief under section 13(b) of the FTC Act. Whereas Commissioner Phillips seems to take AMG as a warning to limit FTC authority, Commissioner Wilson says that this ROSCA enforcement action “will serve as notice to the market, and future violations of this type may well warrant civil penalties,” perhaps viewing ROSCA as a partial substitute for authority lost at the Supreme Court.

Despite the ink spilled by Commissioners Phillips and Wilson, the FTC in general, and this blog, the settlement requires no fines, fees, or damages. Instead, it prohibits MoviePass from making certain misleading statements in the future and provides for additional reporting requirements and FTC oversight for future business ventures.

  • Partner

    A leader in the advertising bar with decades of experience both working at and practicing before the Federal Trade Commission (FTC), Phyllis brings a unique advertising and children’s privacy vantage point to our clients ...


Subscribe Arrow

Recent Posts





Jump to Page