- The Federal Trade Commission (“FTC”) approved a settlement with movie ticket subscription service MoviePass, Inc., its parent company Helios and Matheson Analytics, Inc. (“Helios”), as well as Helios’s current and former chief executive officers (collectively “MoviePass”), over allegations that MoviePass did not honor its advertising promises and failed to secure subscribers’ personal data in violation of the FTC Act and the Restore Online Shoppers’ Confidence Act.
- The complaint alleged that MoviePass promised monthly subscribers that they could watch one movie in a movie theater every day but, in reality, deployed deceptive tactics designed to prevent subscribers from using the service as advertised. These tactics included invalidating subscribers’ passwords while falsely claiming detection of suspicious activity, employing a cumbersome ticket verification program to discourage customers from using their subscription, and blocking certain subscribers after they used the service three times in one month. The complaint also alleged that subscribers’ personal data was accessed without authorization through a MoviePass database where it was stored unencrypted and exposed.
- Under the terms of the consent agreement, MoviePass will be barred from misrepresenting its subscription offerings and will be required to implement a comprehensive information security program, including documenting in writing its data security policies and procedures, and assessing risks and testing the adequacy of its safeguards on a yearly basis or after a data breach incident. MoviePass will also be required to retain an independent third-party assessor of its information security program, designate a senior executive to certify annually that MoviePass is complying with its data security obligations under the terms of the consent agreement, and notify the FTC of any future data breaches, among other things.