The Federal Trade Commission (FTC) finalized a settlement with MoviePass, the much-maligned subscription app that promised users the ability to see unlimited movies for a monthly fee. The agency alleged that the operators of the app took steps to block subscribers from using the app as advertised and didn’t secure users’ personal data.
In June, MoviePass agreed to settle with the FTC over the allegations. The agency finalized the settlement on Tuesday.
MoviePass first promised users the ability to see unlimited movies per month for a subscription fee. However, the app soon faced numerous issues including changing its pricing plans and not providing tickets for major film releases. The app’s woes became somewhat of a meme online. The New York Attorney General opened an investigation into MoviePass to see whether it misled investors.
In a complaint against the company, the FTC alleged that MoviePass invalidated users’ passwords while falsely claiming that there was “suspicious activity” on their accounts. The agency also alleged that MoviePass caused “thousands” of subscribers to be blocked from using their service because of issues with a verification system the company implemented that required users to take a photo of their tickets within a certain time frame.
Finally, the FTC said Movie Pass used “trip wires” that blocked its most active users—people who saw three or more movies a month—once they hit “certain thresholds based on their monthly cost to the company.”
The FTC also alleged that the company stored personal information of users in plain text, leaving names, email addresses, birth dates, credit card information, and geolocation information unencrypted. A security researcher found an exposed database of the customer information on a server that didn’t have a password, according to TechCrunch.
Under the finalized settlement, MoviePass, its CEO Mitchell Lowe, and parent company Helios and Matheson Analytics, will be barred from misrepresenting their business and data security practices. Any business controlled by MoviePass, Helios and Matheson Analytics, or the CEO will also be required have “comprehensive information security programs.” They will also need to notify the FTC of future data breaches, and must annually certify that it is complying with the settlement. If they violate the order, they face penalties of $43,792 per violation every day.
Helios filed for bankruptcy in January 2020. Because the FTC’s settlement agreement came after the company went under, the FTC was not able to obtain financial restitution for users of MoviePass who were duped by the service.