MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over alleged deception and lack of security allegations. The now-defunct company not only allegedly marketed its service as a “one movie per day” service – yet took steps to actively deny subscribers such access – it also failed, according to the FTC, to secure subscriber’s personal data. The company also was alleged to have violated the Restore Online Shoppers’ Confident Act, which impacts the offering of “negative option” (subscription) services.

With respect to the security allegations, MoviePass’s privacy policy stated that it used reasonable measures to protection personal information. Statements included that the company “takes information security very seriously,” that it “uses reasonable administrative, technical, physical, and managerial measures to protect [consumers’] personal details from unauthorized access” and that email addresses and payment information were encrypted. Notwithstanding these statements, the FTC said the company failed to take security sufficiently seriously.  Of particular concern, a database containing subscribers’ personal information, including emails and payment information, was both unencrypted and exposed, resulting in a 2019 data breach impacting about 28,000 individuals’ financial details.

Under the proposed order, with respect to the alleged security violations, MoviePass’s operators must implement a comprehensive information security program. The program must have a “qualified” employee who oversees it, it needs to be designed to address risks that face the company, must provide for employee training, and will be subject to FTC oversight and biennial third-party audits.  The order also requires that senior executives annually certify the program, and that the company notify the FTC directly of any future data breaches. The settlement terms will be in effect for 20 years, and are with the company, its parent, as well as the two principal owners, who will be required to follow its terms for any business they control.

Putting it Into Practice:  This settlement is a reminder that the FTC will use security statements in a company’s privacy policy to enforce its expectations under theories of deception. Also of interest is the defunct nature of the company. The FTC often brings claims -and seeks settlement- against both the company and its owners. Here, though, since the company is no longer operational, the practical effect will be that this settlement is principally against the owners.