Subscription Billing Compliance: ROSCA, the FTC Click-to-Cancel Rule, and What DTC Brands Must Do Now
The FTC's 2024 click-to-cancel rule was vacated by the Eighth Circuit in July 2025 — but ROSCA, Section 5, and state automatic-renewal laws remain fully operative. This guide covers what DTC brands and subscription operators need to know, from California's AB 2863 to the $100M Vonage settlement.
ROSCA: The Federal Baseline for Subscription Billing
Every subscription DTC brand selling to U.S. consumers operates under a federal law most founders have never read: the Restore Online Shoppers' Confidence Act (15 U.S.C. § 8403), enacted in December 2010. ROSCA was written specifically for internet-based negative option programs — the structure where a consumer's silence or inaction authorizes recurring charges. If your business bills a card on a recurring basis after any kind of trial, introductory offer, or opt-in flow, ROSCA applies to you.
The statute imposes three concrete requirements on any seller that charges consumers through a negative option feature. First, the seller must clearly and conspicuously disclose all material terms of the transaction before obtaining the consumer's billing information. Second, the seller must obtain the consumer's express informed consent to the charges. Third, the seller must provide a simple mechanism that allows the consumer to stop recurring charges. All three requirements must be satisfied — satisfying two out of three is not compliance.
On the consent requirement, the FTC has been explicit: a pre-checked checkbox does not constitute affirmative consent. Equally important, the name of the billing entity — the company that will actually appear on the consumer's credit card statement — must be disclosed before payment information is collected. Buried disclosures, footnoted asterisks, and post-purchase confirmation emails do not fix a checkout flow that omits this information upfront.
Enforcement authority sits with the FTC under § 8404, and the agency's track record gives the statute real teeth. Violations have resulted in injunctive relief, twenty-year compliance monitoring periods, personal liability for company officers, and substantial monetary penalties. That last point deserves emphasis: founders and executives are not automatically shielded by corporate structure. If you control the billing practices of a company that violates ROSCA, you can be held personally liable.
The FTC's 2024 Negative Option Rule: What It Required and Where Things Stand
In October 2024, the FTC finalized sweeping updates to its Negative Option Rule, published at 89 Fed. Reg. 90476 and codified at 16 C.F.R. Part 425. The rule was designed to translate ROSCA's cancellation mandate into concrete operational requirements — requirements that subscription businesses would have to build into their checkout and account-management flows. Understanding what the rule demanded still matters, even though it is no longer in effect as a federal regulation.
What the 2024 Rule Required
The rule's most consequential provision was a strict click-to-cancel standard: businesses had to offer a cancellation mechanism that was at least as easy to use as the enrollment mechanism, and available through the same channel. If a customer signed up online, cancellation had to be available online — not hidden behind a phone call or a customer service queue. Save flows (retention offers presented during cancellation) were permissible, but could not delay access to the actual cancellation mechanism.
The rule took effect in two stages. A prohibition on misrepresenting subscription terms became effective January 14, 2025. The substantive provisions — including the click-to-cancel requirement and disclosure mandates — were set to take effect May 14, 2025. Annual reminder requirements were deferred to a later compliance date. Neither deadline ultimately produced operative law — the Eighth Circuit's July 2025 vacatur struck down the entire 2024 rule, including the earlier-effective misrepresentation prohibition.
The Eighth Circuit Vacated It
The FTC responded by restarting the rulemaking process. On March 11, 2026, the agency issued an Advance Notice of Proposed Rulemaking (ANPRM) signaling its intent to re-promulgate the rule — this time with the procedural record intact. A final rule is realistically years away, and its ultimate scope may shift depending on the agency's composition and the political environment.
What This Means for Your Compliance Program
The vacatur creates a gap between the legal floor and the practical standard. The legal floor — what regulators can enforce today — is ROSCA's simple, prompt cancellation requirement, the FTC's pre-2024 Negative Option Rule, and the FTC's broad authority under Section 5 to pursue unfair or deceptive acts. But the 2024 rule's design specifications represent what FTC staff considers best practice, and they mirror what California, New York, and other states already require under their own negative option statutes. A DTC brand that builds its cancellation flow to the 2024 rule's standard is substantially protected against both federal enforcement and state regulatory action — even though the federal mandate itself has lapsed.
State Laws: California ARL and the Growing Patchwork
While federal enforcement sets a floor, states have been building a ceiling — and California is raising it highest. California's Automatic Renewal Law (Cal. Bus. & Prof. Code §§ 17600–17606), as amended by AB 2863 effective July 1, 2025, now requires businesses to obtain express consent to auto-renewal terms before charging, display a prominently placed click-to-cancel button, send 7-to-30-day advance notice of any material fee change, deliver annual reminders that include the charge amount and cancellation instructions, and retain records of consumer consent for at least three years. Free trials are explicitly covered, and all material misrepresentations about subscription terms are independently actionable — not just those that also violate ROSCA.
New York followed close behind. Under Gen. Business Law §§ 527 and 527-A (effective November 5, 2025), businesses must provide an online cancellation mechanism, give consumers 5-to-30-day notice before any price increase along with a prorated refund option if they cancel, obtain affirmative consent before the initial charge, and send renewal reminders 15 to 45 days before any annual or longer subscription renews. Colorado's SB 25-145 (effective February 16, 2026) goes further on the cancellation mechanics: it requires a one-step online cancellation link and — notably for DTC brands that run save-the-sale flows — permits retention offers only if the cancellation link remains simultaneously visible throughout. Colorado also extended its ARL obligations to B2B subscriptions, not just consumer ones.
Other states have layered on narrower requirements. Virginia's H.B. 744 (effective July 1, 2024) mandates 30-to-60-day renewal notice for any contract that auto-renews beyond 12 months. Minnesota and Utah, both effective January 1, 2025, added free trial notification requirements and annual renewal notices. The coverage varies, the trigger thresholds differ, and no two state regimes are identical.
The practical response is to treat California as your national compliance baseline. California's ARL is the most stringent consumer-facing framework currently in force, and a subscription flow built to satisfy it — express consent, click-to-cancel, fee-change notice, annual reminders, three-year record retention — will satisfy or closely approximate the requirements in New York, Colorado, Virginia, Minnesota, and Utah. Building to the least demanding state in your customer base is not a compliance strategy; it is a liability accumulation plan.
What FTC Enforcement Actually Looks Like
Three enforcement actions define the practical boundaries of ROSCA compliance better than any regulatory text. Each one targeted a specific UX failure — not the existence of a subscription, but the mechanics of enrolling and canceling it.
ABCmouse: $10 Million for Hiding the Exit
In 2023, the FTC settled with Age of Learning (operator of ABCmouse) for $10 million after finding that the company buried its cancellation path behind multiple clicks, disabled the cancel button at key moments, and continued charging consumers who had already explicitly requested cancellation. The violation was not that ABCmouse charged a subscription fee — it was that the cancellation mechanism was not "simple" by any reasonable measure. Every additional step between a consumer's intent to cancel and a confirmed cancellation is potential enforcement exposure.
Amazon Prime: $25 Million for One-Click Enrollment Without Consent
The FTC's 2023 Amazon settlement is the clearest statement of what ROSCA's "express informed consent" requirement means in practice. The agency alleged that Amazon's one-click checkout flow enrolled consumers in Prime without the affirmative consent ROSCA requires, and that its cancellation flow was a multi-step sequence designed, according to the FTC's complaint, to exhaust consumers into staying subscribed. The result: a $25 million civil penalty, a $52 million consumer refund fund, and an injunction requiring affirmative consent before enrollment. For any brand using express checkout or bundled-subscription upsells at checkout, this case is a direct analog.
Vonage: $100 Million for an Impossible Cancel Path
Vonage's 2022 settlement — $100 million — arose from a cancellation process the FTC described as an intentional maze: phone-only cancellation lines with extended hold times, repeated transfers, and deliberate disconnects. The company had no online cancellation option. The lesson for subscription operators is structural: if a consumer cannot cancel through the same channel they used to sign up, or through an online mechanism of equivalent ease, the process is legally vulnerable regardless of whether cancellation is technically possible somewhere.
The Common Thread — and the Personal Stakes
Across all three cases, the FTC's theory of liability was the same: the process of enrollment or cancellation was itself the violation. Regulators are not asking whether your subscription product is legitimate. They are asking whether a reasonable consumer could easily understand what they signed up for and easily get out. The FTC has also obtained personal liability against individual officers in ROSCA enforcement actions — meaning founders and executives can be named alongside the corporate entity, with personal assets at risk. That is not a theoretical threat in a $100 million settlement environment.
The Compliance Checklist: Signup Flow and Cancellation UX
The enforcement record from ABCmouse to Amazon to Vonage tells a consistent story: regulators are not reading your terms of service, they are clicking through your checkout. The question they ask is whether a reasonable consumer could understand and exit a subscription without assistance. Build your signup and cancellation flows to answer that question before an investigator does.
Signup Flow Requirements
ROSCA § 8403 requires that material subscription terms appear clearly and conspicuously — meaning they must be visible to a consumer at the moment they are deciding, not buried in footer links or accessible only by scrolling after the fact. Every signup flow must display the following in visual proximity to the payment consent button:
- Price — the amount that will be charged, not the trial rate alone
- Billing frequency — weekly, monthly, annually
- Next billing date — the specific date the first full charge occurs
- Trial end date — if a free or reduced-price trial applies, state when it ends before payment information is entered
- Name of billing entity — especially important where a third-party processor or parent entity will appear on the statement
- How to cancel — method and general process, stated affirmatively
Consent must be express and affirmative before billing information is collected. Pre-checked boxes do not satisfy this standard — the FTC's position is that a pre-checked box records a default, not a consumer decision. The order confirmation email must restate all material subscription terms, not just the order total.
Cancellation UX Requirements
ROSCA § 8403's "simple mechanism" requirement means cancellation must be available through the same channel the consumer used to enroll. Web-based enrollment cannot route cancellation to a telephone number. Enforcement actions have specifically targeted flows that funnel online subscribers into call-center queues — that pattern is the clearest path to an FTC investigation.
The cancellation path itself must resolve in one or two steps. Retention offers — a discounted rate, a pause option, a downgrade — are permissible, but only if the actual cancel option remains visible alongside the offer. Colorado's SB 25-145 codifies this explicitly, including for B2B subscriptions: the cancel link must be visible even while a retention offer is displayed. California imposes the same structure. Once a consumer completes cancellation, immediate written confirmation is required.
State-Specific Layers
Federal compliance is the floor. Depending on where your subscribers are located, additional obligations apply:
- California (AB 2863): A dedicated click-to-cancel button, 7–30 days' advance notice before any fee increase, annual renewal reminders for ongoing subscriptions, and retention of subscription records for three years
- New York (§§ 527/527-A): 5–30 days' advance notice of price increases, a prorated refund option upon cancellation after a price change, and renewal reminders for subscriptions running one year or longer
- Colorado (SB 25-145): One-step cancellation link, cancel link visible alongside any retention offer — and unlike most state ARLs, this applies to business-to-business subscriptions as well
A Three-Question Audit
Before launching or updating a subscription flow, run these three tests internally:
- Can a subscriber locate and complete cancellation in under 60 seconds without calling anyone?
- Is the trial end date disclosed before payment information is entered — not after?
- Are all material subscription terms visible without scrolling or clicking through to linked terms?
What DTC Brands Should Do Now
The FTC's click-to-cancel rule is gone, but the enforcement apparatus is not. ROSCA, Section 5 of the FTC Act, and a growing lattice of state automatic-renewal laws remain fully operative — and regulators have demonstrated they will use them. The brands caught in the ABCmouse, Amazon Prime, and Vonage actions were not operating in a legal vacuum; they were operating without a compliance program. That is the exposure you are closing now.
- Audit your signup flow against the ROSCA disclosure checklist. Price, billing frequency, next billing date, and the method of cancellation must all appear in clear and conspicuous terms — in visual proximity to the consent mechanism, before the consumer is charged. If any of those four elements requires scrolling, clicking to expand, or reading fine print, the flow is legally exposed.
- Time your cancellation path. Walk through your own offboarding flow as a new user. If cancellation takes more than 60 seconds, requires a phone call, or routes through a support ticket queue, it fails the simple mechanism standard that regulators have consistently applied in enforcement actions. Fix it before a complaint surfaces.
- Build a consent record before you need one. Log and retain a timestamped screenshot of exactly what the user sees at checkout — the disclosure, the consent checkbox or button, the offer terms. If you operate in California, your retention obligation runs three years. Set up that infrastructure now; reconstructing it after a regulatory inquiry is expensive and often incomplete.
- If you sell B2B subscriptions, audit under Colorado SB 25-145. Most subscription brands assume business-to-business sales fall outside automatic-renewal law. Colorado's 2025 legislation extended ARL obligations to business customers — with its own notice and cancellation requirements. If any portion of your customer base is a business entity, verify your Colorado compliance separately.
- Before deploying any save-the-sale retention flow, confirm the cancel link stays visible. Retention modals, pause offers, and downgrade prompts are legally permissible. Burying or removing the cancellation option behind them is not. The cancel mechanism must remain accessible throughout the retention sequence — not restored only after the subscriber declines every offer.
The rulemaking that produced the 2024 click-to-cancel rule will restart, and the state patchwork — California, New York, Colorado, Virginia, Minnesota, Utah — is only getting denser. Every compliance layer added now costs a fraction of what a retrofit costs under an active investigation. The enforcement record shows regulators have no difficulty reaching nine-figure settlements when the violations are systemic.
If your subscription signup flow or cancellation path has not been reviewed against ROSCA, your state's automatic-renewal law, and current FTC enforcement priorities, that review is overdue. Promise Legal works with DTC brands and subscription operators on compliance audits before regulators come calling.