
Subscription Compliance

TL;DR

Subscription merchants face layered requirements: network rules (Visa, Mastercard mandates for consent, receipts, reminders), federal law (ROSCA, FTC Act), and state laws (California ARL is strictest). Key requirements include clear pre-enrollment disclosure, express consent capture, easy cancellation matching signup method, and advance notice before renewals. Non-compliance leads to chargebacks, network fines, FTC enforcement actions (up to ~$53K per violation), and state AG investigations.

Introduction

You're getting hit from three directions. Subscription merchants must comply with:

  • Card network rules: Visa and Mastercard set baseline requirements for stored credentials and recurring transactions, including consent capture, confirmation emails, and cancellation processes.

  • Federal law: ROSCA (Restore Online Shoppers' Confidence Act) and the FTC Act address deceptive practices in subscription enrollment and cancellation.

  • State laws: California's Automatic Renewal Law (ARL) is the strictest, but more than 20 states have some form of auto-renewal regulation.

The FTC's Click-to-Cancel Rule was finalized in October 2024 but vacated by the 8th Circuit in July 2025 on procedural grounds (the FTC had skipped the preliminary regulatory analysis required for a rule of its size). However, enforcement continues under ROSCA, and the vacated rule still reflects how the FTC interprets existing law.

Regulatory Layers

Layer                Requirement Source          Key Focus Areas
Network Rules        Visa, Mastercard mandates   Consent capture, receipts, cancellation
Federal Law          ROSCA, FTC Act              Disclosure, consent, simple cancellation
State Laws           CA ARL, NY, CO, others      Enhanced disclosure, online cancel, annual reminders
Industry Standards   PCI DSS                     Secure credential storage

Who This Applies To

These requirements apply to any business with auto-renewing charges:

  • Subscription box services
  • SaaS companies
  • Streaming services
  • Membership organizations
  • Gym and fitness memberships
  • News and magazine subscriptions
  • Free trial to paid conversion models
  • Any recurring billing arrangement

Section Contents

Recurring Billing Requirements

Detailed compliance requirements for subscription merchants, covering:

  • Visa and Mastercard stored credential rules
  • Free trial conversion requirements
  • ROSCA obligations
  • California ARL requirements
  • Cancellation process requirements

Key Dates Timeline

Date        Event
2010        ROSCA enacted
2018        Visa/Mastercard stored credential mandate
2020        Visa free trial rules enhanced
2022        Mastercard subscription rules updated
Oct 2024    FTC Click-to-Cancel Rule finalized
Jan 2025    FTC Rule misrepresentation provisions effective
July 2025   FTC Rule vacated by 8th Circuit; CA ARL amendments effective

Quick Compliance Checklist

Pre-Enrollment

  • Clear disclosure of all terms before collecting payment info
  • Price, frequency, and cancellation policy displayed prominently
  • Terms not buried in fine print or terms of service

At Enrollment

  • Express consent captured (checkbox, not pre-checked)
  • Consent retained for 3+ years (California requirement)
  • Separate consent for subscription vs. one-time purchase

Post-Enrollment

  • Confirmation sent immediately after enrollment
  • All subscription terms included in confirmation
  • Cancellation instructions provided

Before Trial Conversion

  • Advance notice sent 7+ days before first paid charge
  • Specific amount and date included
  • Cancellation method clearly stated

Ongoing

  • Easy cancellation (same method as signup)
  • Annual reminders (required by California for 12+ month terms)
  • Price change notifications in advance

Enforcement Risk

FTC Enforcement:

  • Up to $53,088 per violation (2025 civil penalty inflation adjustment)
  • Recent cases: Uber, Cleo AI, Care.com, Amazon (ongoing)

State Enforcement:

  • California AG, district attorneys
  • Private plaintiff class actions common
  • Other state AGs increasingly active

Network Enforcement:

  • Elevated chargebacks for subscription disputes
  • Potential enrollment in Visa's Acquirer Monitoring Program (VAMP) or Mastercard's Excessive Chargeback Merchant (ECM) program, with escalating fees
  • Merchant account termination risk

Last Verified: December 2024

Subscription compliance rules are evolving rapidly. The FTC Click-to-Cancel Rule status may change. California ARL requirements are strict and frequently enforced. Verify current requirements before making compliance decisions.
