What’s New With the Restore Online Shoppers Confidence Act?

by John DiGiacomo

Partner

Internet Law

Congress enacted the Restore Online Shoppers’ Confidence Act (“ROSCA”) back in the early 2010s. ROSCA had two main purposes. First, it was intended to protect online consumers and purchasing by banning “payment data passing.” This occurred when merchants sold or passed along consumer payment and billing data without the consent of the consumer. This often happened without even the knowledge of the consumer. Some merchants then used the unauthorized payment and billing data to charge the consumer for other and additional goods or services. Since the consumer was not required to reenter payment and billing information, many consumers were charged and received products that they did not want. All of this has been given the cumbersome name of “internet-based post-transaction third-party sales.” ROSCA bans and prohibits such transactions.

More specifically, ROSCA prohibits the so-called “data pass.” That is, the initial online merchant is not allowed to share or disclose payment/billing data, such as payment card and bank account numbers, to another merchant/third-party seller for use in a sale by said merchant/third-party seller. As another protection, ROSCA provides that if such merchant/third-party seller wants to attempt a sale, then it cannot obtain the “data pass” without providing various notices and obtaining express consent from the consumer.

Since the enactment of ROSCA, several States have enacted their own consumer data privacy and protection statutes. One of the most famous is the California Consumer Protection Act which has been amended and strengthened in recent years. As another example, the state of Indiana has recently passed its own consumer data privacy/protection statute called the Indiana Consumer Data Protection Act (“ICDPA”). All of these state-level statutes ban the sharing of consumer data — such as billing and payment information — for any use other than disclosed business purposes. More to the point, these statutes also ban the selling or sharing of consumer data where the consumer has not consented to the selling/sharing. In effect, these State-level statutes also ban the “data pass” between online merchants, which is outlawed by ROSCA.

ROSCA also had a second purpose, which was to regulate what are called “negative option features” in online product and service sales. “Negative option” refers to a legal concept where a consumer’s consent to purchase or continue receiving a product is INFERRED from a customer’s silence, failure to cancel a product/service, or failure to take some other affirmative action to reject those goods or services. For example, consider some “PRODUCT of the Month” internet sales (like maybe types of coffee). These might be “fun” for the first couple of months. However, such sales become very problematic if the consumer wants to cancel the ongoing product/service but cannot find an easy method of cancellation. Worse still are those products or services bought online where the consumer thinks the purchase is “one-off.” However, a month later, there is another charge and another product arrives.

ROSCA prohibits the use of such negative options in online sales agreements unless:

  • The full and complete terms of the transaction are fully and conspicuously disclosed BEFORE billing and other information is collected
  • The seller obtains express consent and
  • The consumer has a simple mechanism to cancel or otherwise stop the recurring charges

Contact the Internet Attorneys at Revision Legal

For more information, contact the experienced Ecommerce Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

The FTC’s 2024 ‘Click-to-Cancel’ Rule: ROSCA’s Regulatory Amplification

ROSCA’s negative option provisions have been significantly amplified by the Federal Trade Commission’s rulemaking activity. In October 2024, the FTC finalized its updated Negative Option Rule (16 C.F.R. Part 425), sometimes called the “click-to-cancel” rule. It requires that sellers: (1) disclose all material terms of a negative option offer clearly and conspicuously before obtaining the consumer’s payment information; (2) obtain the consumer’s express informed consent to the negative option feature before charging; and (3) provide a simple cancellation mechanism no more difficult to use than the enrollment mechanism.

The “no harder to cancel than to enroll” standard is the rule’s most significant operational requirement. If a consumer can subscribe in three clicks online, the cancellation mechanism must be comparably simple — an online cancellation option must be available if the consumer enrolled online, and it cannot require a phone call to cancel an internet subscription. Many businesses have been required to overhaul customer service systems, cancel flows, and subscription management portals to comply. The FTC has authority to bring civil penalty actions under ROSCA of up to $51,744 per violation (adjusted annually for inflation), and Negative Option Rule violations are also enforceable under Section 5 of the FTC Act.

Recent FTC Enforcement Actions Under ROSCA

The FTC has used ROSCA aggressively against companies employing deceptive subscription practices. Notable enforcement actions include:

  • FTC v. Vonage Holdings Corp. (2022) — Vonage paid $100 million to settle FTC allegations that it used illegal dark patterns to prevent customers from canceling VoIP service subscriptions, violating ROSCA’s requirement for simple cancellation mechanisms.
  • FTC v. Amazon.com, Inc. (2023) — The FTC filed suit alleging that Amazon enrolled consumers in Amazon Prime through manipulative design choices (“dark patterns”) and made cancellation deliberately difficult. The case resolved with a $25 million civil penalty and injunctive relief requiring simplified cancellation.
  • FTC v. Benefytt Technologies (2022) — The court entered a $100 million judgment against Benefytt for using negative option marketing to sell health benefit memberships without adequate disclosure and without simple cancellation.

State Automatic Renewal Laws: Additional Compliance Layer

In addition to federal ROSCA enforcement, most states have enacted automatic renewal laws (ARLs) that impose requirements on subscription businesses operating in those states. California’s ARL (Cal. Bus. & Prof. Code § 17600 et seq.) is among the most demanding, requiring specific pre-enrollment disclosures, email confirmation of subscriptions, and annual reminders for ongoing subscriptions. New York, Illinois, and Utah have similarly robust ARLs. Violation of state ARLs can give rise to class action litigation — California’s ARL has generated significant class action exposure for subscription businesses.

A comprehensive compliance program for subscription and recurring charge businesses must address both federal ROSCA requirements and applicable state ARLs. Because state ARLs vary in their specific requirements — including the content of required disclosures, the timing of reminder notices, and required cancellation mechanisms — multi-state compliance requires a state-by-state analysis. Revision Legal’s e-commerce attorneys can conduct that analysis and help your business build a compliant subscription program. Contact us at (855) 473-8474.
