The Federal Trade Commission (FTC) has agreed a settlement with MoviePass’s operators over allegations the online subscription service failed to secure customers’ personal information and deceptively marketed its promised one-movie-per-day service.

The United States’ consumer watchdog claims the company failed to take reasonable steps to secure personal information it collected from subscribers, such as their names, email addresses, birth dates, credit card numbers and geolocation information.

“For example, the company stored consumers’ personal data including financial information and email addresses in plain text and failed to impose restrictions on who could access personal data,” the FTC said.

“MoviePass noted in its privacy policy that it used reasonable measures to protect personal information including encrypting customer emails and payment information …

“Despite these claims, MoviePass’s operators left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorised access.”

Under the settlement, MoviePass, parent company Helios and Matheson Analytics and their principals, Mitchell Lowe and Theodore Farnsworth, must implement a comprehensive security programme which includes identifying external and internal security risks and taking steps to address those risks.

They are also required to obtain biennial assessments of the company’s information security programme by a third party and notify the FTC of any future data breaches.

In addition, MoviePass’s operators are prohibited from misrepresenting the company’s services.

The FTC alleges the service’s operators took steps to block subscribers from using the service as advertised (a movie a day) by invalidating passwords, launching a ticket verification programme and using ‘trip wires’ to block groups of users, such as those who viewed more than three films per month.

The FTC’s settlement order does not include monetary relief for consumers. MoviePass and Helios have filed for bankruptcy.

Under US law, following publication in the Federal Register there is a 30-day public consultation period about the proposed agreement.

 

PrivSec Global

Register to PrivSec Global and hear the “Why the Future of Trust Must Be Built on Data Transparency” on June 22 at 1:00pm BST | 2:00pm CEST | 8:00pm HK.

Speakers include:

  • Tilman Harmeling, Entrepreneur in Residence, Usercentrics
  • Tianna Powell, Director, DPO Group
  • Sana Naman, Data Protection Lead, Harvey Nichols
  • Christian Lawaetz Halvorsen, CTO & Co-founder, Valuer.ai

Register now