Passed by Congress in 2010, the Restore Online Shoppers’ Confidence Act (“ROSCA”) was intended to, among other things, regulate the deceptive billing practices of online businesses. Among the main targets of ROSCA were billing practices that allowed billing without a consumer’s explicit consent, including automatic renewal provisions that locked consumers into automatic payments from which they struggled to escape. Like many such statutes, the regulatory regime was a notice/disclosure/consent regime. That is, the solution to the abusive practices was to require businesses to provide notices and disclosures to consumers and obtain their consent to the respective billing practices involved. As is typical of these regulatory regimes, ROSCA requires that the notice/disclosure be “clear and conspicuous” and that the online business obtain “express” and “informed” consent from the consumer before these recurring charges can begin. Further, notice/disclosure and consent had to be given and obtained prior to the collection of the consumer’s billing information. With respect to recurring charges, the statute requires a business to disclose:

• That recurring charges existed
• That, unless a consumer took action, the consumer would be automatically charged
• The amount of the recurring charges
• The frequency of such recurring charges
• The date such recurring charges are charged
• Any date by which the consumer must take action to stop the recurring charges
• All information necessary to entirely cancel the recurring charges

The federal regulatory agency tasked with enforcement of ROSCA was the Federal Trade Commission (“FTC”). Over the years, the FTC clarified many of the ROSCA statutory requirements. For example, the FTC issued regulations requiring that the notices for recurring charges be given separately from other notices and that at least two consents were necessary: one for the recurring charges and one for the whole originating transaction. In addition, ROSCA’s requirements are also deemed violations of the Federal Trade Commission Act. This means that violations of ROSCA are deemed to be deceptive and unfair business practices.

In any event, for consumers, the major problem has always been cancellation and how to escape being charged every month without enormous hassles and wait times. ROSCA requires that the cancellation mechanism be “at least as easy” as the sign-up mechanism. But that leaves a lot of maneuvering room. For profit and revenue reasons, businesses have deep incentives to make cancellation difficult for consumers. Obviously, a successful cancellation is recurring revenue that “escapes.” Businesses have been inventive in creating strategies and tactics for discouraging cancellation. Efforts have included:

• Burying the cancellation link or button
• Making the process cumbersome
• Requiring extra data and personal information before cancellation can be processed (in a claimed effort to “protect” the consumer from fraud)
• Requiring the consumer to verify the cancellation through text or call and email verification procedures
• Offering new deals or other products to “distract” the consumer from cancellation
• And more

In mid-2024, the FTC adopted a new Final Rule that attempts — yet again — to help consumers. In the past, the FTC’s regulations focused on mechanisms that were “at least as easy” as the signup. The FTC has moved beyond that and requires businesses to “provide a simple mechanism to cancel the negative option feature and immediately halt charges…” This is the so-called “click-to-cancel.” The Rule has three variations dealing with the three most common forms of sign-up: internet, telephone, and in-person. The new rule requires that the same method be available for sign-up as for cancellation. For each, the cancellation method must be “simple” — a “click” for online and a simple statement for a telephone or in-person sign-up. The new Rule also requires that the cancellation take effect immediately.

Compliance Checklist for Online Businesses Under ROSCA and the Click-to-Cancel Rule

The FTC’s 2024 amendments to the Negative Option Rule create concrete obligations for any online business that offers subscription products or services. Non-compliance exposes businesses to civil penalties under Section 5 of the FTC Act (15 U.S.C. § 45), which the FTC has authority to seek in federal court. With per-violation penalties available exceeding $50,000, and with each individual subscriber potentially constituting a separate violation, the financial exposure from a systematic compliance failure is substantial.

The Four Pillars of the Revised Negative Option Rule

The FTC’s revised Negative Option Rule (16 C.F.R. Part 425) organizes compliance obligations around four core requirements:

• Disclosure. All material terms of the negative option offer must be disclosed clearly and conspicuously before the consumer submits payment information. “Clearly and conspicuous” means the disclosure must be unavoidable — it cannot appear only in fine print, in a hyperlinked document, or after the consumer has already provided billing information. The required disclosures must include: the fact that recurring charges will occur; the amount and frequency of charges; the deadline to cancel to avoid the next charge; and how to cancel.
• Consent. The business must obtain affirmative express consent to the negative option feature separately from consent to the broader transaction. A single checkbox that says “I agree to the Terms of Service” that buries the subscription terms is insufficient. The negative option must be presented for separate, affirmative consent — meaning the consumer must take a deliberate action (checking a box, clicking a button) specifically to authorize the recurring charge.
• Annual reminders. For subscription services that are indefinite in duration or that renew annually, the revised rule requires annual reminders to subscribers of the subscription’s existence, its price, and how to cancel. This provision targets “zombie subscriptions” that consumers forgot they signed up for.
• Simple cancellation. The click-to-cancel requirement is the most operationally significant change. Cancellation must be as easy as sign-up. If sign-up occurs online, cancellation must be available online via a simple mechanism. If sign-up occurs by phone, a telephone cancellation option must exist. The revised rule prohibits routing online cancellation requests through phone trees, requiring live agent conversations, or imposing waiting periods before cancellation takes effect.

Dark Pattern Prohibition

The revised rule explicitly addresses so-called “dark patterns” — user interface design choices that are intended to manipulate users into signing up for or retaining subscriptions they did not fully intend to purchase. Specific dark patterns that the FTC has indicated constitute deceptive practices under ROSCA and the revised rule include:

• Confirming cancellation only after requiring the consumer to navigate multiple pages or screens (“roach motel” design)
• Forcing consumers to speak with a retention agent before cancellation can proceed
• Using interface design to make the “cancel” button visually less prominent than a “continue subscription” button
• Making cancellation available only during limited business hours when sign-up is available 24/7

State Law Overlay

ROSCA sets a federal floor, but several states have enacted additional automatic renewal law requirements. California’s Automatic Renewal Law (Cal. Bus. & Prof. Code §§ 17600 et seq.) is among the most demanding, requiring pre-enrollment disclosures in a specified font size and format, affirmative consent to renewal terms, an acknowledgment email at the time of subscription, and a clear and conspicuous cancellation mechanism. California courts and the California Attorney General have actively enforced these requirements, with settlements in the tens of millions of dollars in some cases. New York, Illinois, Oregon, and a growing number of other states have similar automatic renewal laws that businesses must comply with in addition to ROSCA.

If your business uses subscriptions, free trials with automatic conversion, or any negative option billing arrangement, now is the time to audit your disclosures, consent flows, and cancellation mechanisms. Contact the FTC and Internet Law attorneys at Revision Legal or visit our internet law practice page to ensure your business is compliant.

Contact the FTC Attorneys at Revision Legal

For more information, contact the experienced FTC Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.