Subscription Compliance Made Easy — Think of Your Customers

Subscription compliance is complicated, but it doesn’t need to be. We noted in our digest last month the trouble facing unscrupulous subscription companies. Not only are their practices against the law, but they destroy the confidence of customers online everywhere. As jurisdictions adopt legislation to protect customers from abusive practices, staying ahead of the rules may seem like an enormous task.

To fully understand the challenges facing subscription companies that seek recurring payments from customers, it’s important to consider three things: relevant legislation, industry standards and settlement agreements. These three areas interact to create a framework for companies to stay on the good side of the law, the payment brands and regulatory bodies. To do it right, companies need to manage how they obtain consent from customers for recurring transactions, when and how they send payment reminders to customers, and how customers can cancel unwanted subscriptions. The penalties for companies that don’t comply can be stiff.

As we show below, using common sense and putting customer relationships first will keep your company one step ahead of the regulators and keep your customers satisfied. In every case, putting customer experience first will keep you compliant.

To address deceptive and coercive practices in online sales, the United States passed the Restore Online Shoppers’ Confidence Act (ROSCA) in 2010. The law names several proscribed practices and defines what companies must do to avoid them and stay on the right side of the law.

Though we’ve covered ROSCA before, the law remains relevant, even as the market shifts to subscription business models. The practice known as negative option marketing, wherein customers are automatically signed up for a recurring payment agreement unless they opt out, is strictly regulated. Companies like Adore Me were charged by the FTC with violating ROSCA’s provisions because they did not clearly and conspicuously disclose the terms of their agreement to customers (that is, not buried in fine print). They ran afoul again by not providing a simple mechanism for customers to stop recurring charges.

[Image: Negative option billing provision from ROSCA]

State Laws

In addition to the federal ROSCA legislation, several states have laws that directly govern online commerce and recurring transactions. These laws vary in strictness; some are less strict than the federal standard, but many go further. Like ROSCA, most define a recurring billing relationship, require clear communication of all terms and a convenient method for cancellation. Some states establish specific penalties as well.

In California, for example, the Business and Professions Code defines recurring transactions and how merchants may obtain authorization for the charges. It also includes a specific provision that deems any product sent to a consumer under an unauthorized recurring charge to be an unconditional gift from the merchant to the consumer. So not only will a non-compliant company in California need to refund the customer, but the customer may keep and use the product with no further obligation.

[Image: California Business and Professions Code, Section 17603]

European Law

The EU Consumer Rights Directive generally applies whether customers purchase online or in a physical store. Certain provisions address online practices directly, though. Chapter IV of the Directive addresses “fees for the use of certain means of payment (e.g. credit or debit cards) and regarding the charges for calling telephone hotlines operated by traders as well as a prohibition to use pre-ticked boxes on websites for charging extra payments.”

Penalties for violating these rules are set by the individual EU member states under Chapter V of the Directive on Consumer Rights, and enforcement action may be brought by one or more of:

(a) public bodies or their representatives;
(b) consumer organisations having a legitimate interest in protecting consumers;
(c) professional organisations having a legitimate interest in acting.

Payment Industry Standards

The major payment brands also have standards governing recurring transactions that companies need to follow. For instance, VISA Europe has a set of guidelines governing recurring transactions that require a payment reminder to be sent to the customer before certain recurring transactions (RTs) are processed. Their policy states:

Merchants must use the agreed method of communication and provide notification to the customer at least seven working days prior to a RT if any of the following apply:

• More than six months have elapsed since the previous RT
• A trial period, introductory offer or any promotional activity has expired
• The RT agreement has been changed, including:

– any change to the amount of the RT;
– any change to the date of the RT.

It is recommended that merchants also notify customers when processing the first payment. At the same time as providing this notification, the merchant must also advise the customer how to cancel the payment.

VISA’s guidelines aren’t mere suggestions. Merchants who skip the required notification but charge anyway are considered to be processing unauthorized transactions, and VISA promises to take action against any merchant processing unauthorized transactions. A merchant’s billing system therefore needs to know, for every scheduled charge, whether one of the triggers above applies, whether a reminder went out at least seven working days beforehand, and whether that reminder told the customer how to cancel.
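The following is an added example (not VISA’s code and not from the original article) of how a billing system could encode the quoted VISA Europe rule as a pre-charge gate: it works out which triggers apply to a planned charge, computes the latest date a reminder may be sent, and refuses the charge when the reminder is missing, late, or silent on cancellation. Two details are assumptions not stated on the page: a “working day” is treated as Monday to Friday with no public-holiday calendar, and “six months” is approximated as 183 calendar days. The sample agreements and dates are constructed.

```python
"""Pre-charge notification gate modelled on the Visa Europe recurring
transaction (RT) rule quoted above.  Added example, not Visa's code.
Assumptions (not from the page): a "working day" is Monday to Friday
with no public holidays; "six months" is approximated as 183 days."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

NOTICE_WORKING_DAYS = 7            # "at least seven working days prior to a RT"
SIX_MONTHS = timedelta(days=183)   # assumption: calendar approximation


@dataclass(frozen=True)
class Agreement:
    """Terms the customer consented to when the RT was set up."""
    customer_id: str
    amount_cents: int             # disclosed recurring amount
    charge_day: int               # agreed day of the month for the RT
    last_charge: Optional[date]   # None if no RT has been processed yet
    trial_ends: Optional[date]    # None if there was no trial / promotion


@dataclass(frozen=True)
class PlannedCharge:
    amount_cents: int
    charge_date: date


@dataclass(frozen=True)
class Notice:
    """A reminder sent over the customer's agreed channel."""
    sent_on: date
    explains_cancellation: bool   # the rule: notice must say how to cancel


def notice_reasons(a: Agreement, p: PlannedCharge) -> List[str]:
    """Return the quoted triggers that apply to this charge.  Empty means no
    reminder is mandatory (a first-payment reminder is only recommended,
    so it is deliberately not listed here)."""
    reasons = []
    if a.last_charge is not None and p.charge_date - a.last_charge > SIX_MONTHS:
        reasons.append("more than six months since previous RT")
    if a.trial_ends is not None and a.trial_ends < p.charge_date and (
        a.last_charge is None or a.last_charge <= a.trial_ends
    ):
        reasons.append("first RT after trial/promotional period expired")
    if p.amount_cents != a.amount_cents:
        reasons.append("amount of the RT changed")
    if p.charge_date.day != a.charge_day:
        reasons.append("date of the RT changed")
    return reasons


def subtract_working_days(d: date, n: int) -> date:
    """Step back n Monday-to-Friday days (assumption: no holiday calendar)."""
    while n > 0:
        d -= timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def latest_notice_date(charge_date: date) -> date:
    """Last day a reminder still counts as seven working days' notice."""
    return subtract_working_days(charge_date, NOTICE_WORKING_DAYS)


def may_process(a: Agreement, p: PlannedCharge, notice: Optional[Notice]) -> bool:
    """True if the charge can go through without being an unauthorised RT."""
    if not notice_reasons(a, p):
        return True
    return (
        notice is not None
        and notice.explains_cancellation
        and notice.sent_on <= latest_notice_date(p.charge_date)
    )


def demo() -> dict:
    """Constructed scenarios; returns the gate's decisions for inspection."""
    steady = Agreement("cust-42", 999, 20, date(2024, 2, 20), None)
    dormant = Agreement("cust-7", 999, 20, date(2023, 8, 20), None)
    post_trial = Agreement("cust-9", 999, 20, None, date(2024, 3, 1))
    renewal = PlannedCharge(999, date(2024, 3, 20))     # a Wednesday
    price_rise = PlannedCharge(1299, date(2024, 3, 20))
    return {
        "renewal_ok_without_notice": may_process(steady, renewal, None),
        "price_rise_reasons": notice_reasons(steady, price_rise),
        "deadline": latest_notice_date(renewal.charge_date).isoformat(),
        "price_rise_notice_in_time": may_process(steady, price_rise, Notice(date(2024, 3, 11), True)),
        "price_rise_notice_late": may_process(steady, price_rise, Notice(date(2024, 3, 12), True)),
        "price_rise_no_cancel_info": may_process(steady, price_rise, Notice(date(2024, 3, 11), False)),
        "dormant_reasons": notice_reasons(dormant, renewal),
        "post_trial_reasons": notice_reasons(post_trial, renewal),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deadline calculation is the part most often got wrong in practice: seven working days before a Wednesday charge is the Monday of the previous week, not the Wednesday before, because the intervening weekend does not count. If your acquirer or local regulator counts public holidays as non-working days, replace `subtract_working_days` with a holiday-aware calendar rather than loosening the check.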

[Image: Source: VISA Europe Risk Management]

The last pieces of the puzzle are regulatory rulings and legal settlements resulting from regulatory complaints and consumer lawsuits.

Settlement Agreements

Without the stringent regulations of the EU, US companies may feel that they have fewer strings attached to their activities, but this can be dangerous. The US has robust dispute resolution procedures. So, while the government may not be directly imposing standards on companies, their customers have every right to seek redress for any grievances they have with the company in court. This can be costly and damaging to your company’s brand.

While consumers may lodge complaints with the FTC or sue a company they feel has violated their rights, not every case ends with a jury verdict. In fact, though ROSCA was passed in 2010, the first case tried under it didn’t begin until October 2014. The majority of cases are settled not with a verdict but with a binding consent decree. The resulting consent decrees, though only binding on the company involved in the lawsuit, shed light on how regulatory bodies view the spirit of the law.

In one case, an online dating service was ordered to provide a clear method to cancel subscriptions. Going further than the ROSCA legislation, the decree requires the defendant to provide a way to cancel via the channel through which the customer originally subscribed. So, if a customer signed up over the phone, they need to be able to cancel over the phone.

[Image: Source: FTC Settlement with JDI Dating]

Subscription Compliance Made Easy — Think of Your Customers

But remaining compliant is easy if you put your customers first. The laws in the EU and the various states, as well as ROSCA, all highlight what should be obvious: give customers accurate information, help them have a satisfying experience, and if they’re not having one, make it clear how to exit the relationship. You don’t need a Supreme Court ruling to figure this one out. All you need is to put yourself in your customers’ shoes.

Would you want to know exactly what kind of agreement you’re entering into, or would you rather find surprise charges in the future? Would you like to know exactly what you’ll receive for your payment, and then actually receive it? Would you like a clear and simple method for cancelling the agreement when it no longer suits you, or would you rather keep making payments against your will for a product or service you don’t need or want? The answers are common sense. Applying the golden rule of treating the customer how you would like to be treated is the easiest way to stay compliant.