In a 3–1 vote, with Commissioner Noah Phillips dissenting, the Federal Trade Commission (FTC) recently announced a settlement with the now-defunct subscription service company MoviePass, as well as its principals individually, regarding allegations that the company deceived its customers and failed to adequately protect their personal data. The settlement is particularly noteworthy because it signals the FTC’s intention to expand its traditional use of the Restore Online Shoppers’ Confidence Act of 2010 (ROSCA), which allows civil penalties for violations, likely to compensate, in part, for the limitations on the agency’s ability to obtain redress for harmed consumers under Section 13(b) of the FTC Act following the Supreme Court’s recent ruling in AMG Capital Management, LLC v. FTC.
MoviePass’s Deception and Vulnerable Data Security
In 2011, MoviePass launched its subscription service promising customers the ability to view “unlimited movies” at local theaters for a monthly subscription payment of $9.95. According to the FTC’s administrative complaint, MoviePass quickly incurred financial losses from covering its customers’ movie tickets. To control these losses, MoviePass implemented several measures to intentionally limit its frequent users’ ability to obtain “unlimited” tickets as advertised, including:
- Invalidating the passwords of MoviePass’s top 75,000 subscribers and programming its smartphone application to purposefully prevent customers from successfully resetting their passwords.
- Implementing a ticket verification program requiring the top 20 percent of its frequent users to submit pictures of their movie ticket stubs for approval through the MoviePass application within a certain timeframe.
- Limiting the number of tickets customers could use per month based on how frequently the customer used the service.
The FTC alleges that these measures were deceptive under Section 5 of the FTC Act and extended liability to MoviePass’s executives, Mitchell Lowe and Theodore Farnsworth, due to their personal involvement in the implementation of these deceptive programs.
Separate from the deceptive “throttles” on its services, the FTC also alleged that MoviePass failed to take reasonable measures to secure its customers’ data, resulting in a 2019 data breach that exposed 28,191 consumers’ financial and personal information between April and August of that year.
ROSCA: A New Path to Monetary Damages
In addition to alleging that MoviePass’s deceptive conduct violated Section 5 of the FTC Act, the agency also alleged a violation of ROSCA, a statute enacted in 2010 to protect customers purchasing goods and services online from deceptive practices. ROSCA, which governs online negative option sales, allows the FTC to pursue civil penalties of up to $43,792 per violation. Specifically, ROSCA requires sellers to clearly and conspicuously disclose all “material terms of the transaction” and obtain consumers’ express informed consent before charging them for online negative option features. While MoviePass subscriptions were paid through monthly recurring negative option charges, the FTC’s ROSCA claim did not allege a lack of consumer consent, or target MoviePass’s billing practices at all. Instead, the FTC used ROSCA for the first time to target deception around a product’s underlying characteristics—here, the deceptive practice of throttling its high-use customers’ access to the service.
The FTC’s new, expansive interpretation of ROSCA prompted Republican Commissioner Phillips to issue a dissent in which he noted that the MoviePass settlement marked the first time the Commission alleged a violation of ROSCA based on characteristics of a product or service. While the FTC chose not to impose civil penalties in this settlement, focusing instead on enjoining the MoviePass defendants from making misrepresentations about any products and services they offer in the future, the result going forward was clear to Commissioner Phillips: “The Commission is thus announcing that it may seek civil penalties against all businesses that use online negative option features where the Commission determines that there has been any material deception, whether relating to the negative option feature or a characteristic of the underlying product.”
Commissioner Phillips’s Republican colleague, Commissioner Christine Wilson, did not join the dissent, but instead issued a concurring statement of her own. Commissioner Wilson acknowledged that the MoviePass settlement was an “inaugural use of ROSCA for this purpose,” but she nonetheless agreed with the two Democrat Commissioners that the allegations fell within the authority of the statute. “ROSCA Section 8403 plainly states that for goods or services sold through a negative option feature, the seller must ‘clearly and conspicuously disclose all material terms of the transaction.’” Because the MoviePass defendants did not disclose all material terms of their subscription service, Commissioner Wilson agreed that a violation of ROSCA occurred.
While the FTC lost its ability to obtain consumer redress under Section 13(b) of the FTC Act, it is actively looking for other routes to monetary relief, including ROSCA. As a result, any company offering products or services through negative options and autorenewal payment programs online should take heed of this settlement. While the FTC declined to impose civil penalties in the current settlement with MoviePass, Commissioner Wilson warned that the novel use of ROSCA “will serve as notice to the market, and future violations of this type may well warrant civil penalties.”