Auto-Renewal and Subscription Compliance: What SaaS and E-Commerce Companies Must Fix in 2026


4 Jun 2026, Hansen Tong

If your business charges customers on a recurring basis, your subscription terms are under more legal pressure right now than at any point in the last decade. The regulatory ground shifted dramatically in 2025, and it has not settled yet.

The FTC’s “click-to-cancel” rule was vacated by the Eighth Circuit in July 2025. That sounds like a win for subscription companies. It is not. The FTC restarted rulemaking in January 2026 with a new Advance Notice of Proposed Rulemaking (ANPRM), signaling that stronger federal rules are on the way. Meanwhile, state auto-renewal laws (ARLs) remain fully enforceable, and enforcement actions are accelerating.

Here is what SaaS founders, e-commerce operators, and subscription-based businesses need to fix right now to stay compliant and avoid costly enforcement actions.

1. The FTC Click-to-Cancel Rule: What Actually Happened

The FTC finalized its “click-to-cancel” rule in late 2024, requiring businesses to make cancellation as simple as sign-up. The rule would have applied to nearly every subscription product sold in the United States.

In July 2025, the Eighth Circuit Court of Appeals vacated the rule on procedural grounds. The court found that the FTC had not followed the correct rulemaking process under the Magnuson-Moss Warranty Act. The substance of the rule was not struck down on its merits.

The FTC responded quickly. In January 2026, it issued an ANPRM to restart the rulemaking process through the correct procedural channels. This means a revised federal auto-renewal rule is still coming. Businesses that relaxed their compliance efforts after the vacatur are making a serious mistake.

More importantly, the vacatur did not strip the FTC of its existing enforcement tools. The agency retains full authority under the Restore Online Shoppers’ Confidence Act (ROSCA) and Section 5 of the FTC Act. That authority has real teeth. In 2025, the FTC secured a $2.5 billion settlement against a major retailer over deceptive subscription practices. That enforcement action relied on ROSCA, not the vacated rule.

2. State Auto-Renewal Laws Are the Real Enforcement Engine

While businesses focus on the federal rulemaking drama, state attorneys general are actively enforcing their own auto-renewal laws. These laws were never affected by the federal vacatur. They are independent, fully operative, and in many states, carry significant penalties.

California’s Automatic Renewal Law (ARL), codified under Business and Professions Code Sections 17600-17606, is the strictest in the nation. It requires clear and conspicuous disclosure of automatic renewal terms before a consumer agrees. It mandates an acknowledgment or consent mechanism separate from the general terms of service. It requires a post-transaction confirmation that includes cancellation instructions. Violations can result in the subscription being treated as an unconditional gift to the consumer.

New York’s auto-renewal statute (General Business Law Section 527) requires clear pre-purchase disclosure and easy cancellation methods. Illinois’s Automatic Contract Renewal Act demands similar disclosures and provides consumers a right to cancel within a set period after renewal. Virginia enacted its own ARL in 2024, adding another layer of compliance for businesses selling subscriptions nationwide.

If you sell subscriptions to customers across multiple states, you are subject to every state ARL where your customers reside. A single set of terms that only satisfies one state’s requirements will leave you exposed in others.

3. What Your Terms of Service Must Include for Subscriptions

Your terms and conditions must address auto-renewal directly and specifically. Burying renewal language inside a wall of legal text does not satisfy disclosure requirements under any major state ARL.

At minimum, your subscription terms should clearly state that the subscription will automatically renew unless the customer cancels before the renewal date. They should specify the renewal period (monthly, annual, etc.) and the exact price the customer will be charged at renewal. If the price can change, the terms must explain how and when the customer will be notified of any price increase before it takes effect.

Your terms should also describe the cancellation process in plain language. Telling customers to “contact support” is not sufficient in most states. You need to specify the exact method: an account settings page, a cancellation link, or another clearly accessible mechanism.

For SaaS companies, the terms should also address what happens to the customer’s data after cancellation. Does the customer retain access to export data during a grace period? Is data deleted immediately? These provisions matter for compliance and for reducing post-cancellation disputes. Review a SaaS agreement attorney’s guidance to ensure your contract covers these scenarios.

4. Cancellation Flow Requirements: How Easy Is “Easy Enough”?

The legal standard across most state ARLs is that cancellation must be at least as easy as sign-up. If a customer can subscribe with two clicks on your website, they should be able to cancel with a similar effort.

Requiring customers to call a phone number during limited business hours to cancel an online subscription is a litigation risk. Forcing customers through multiple retention screens, countdown timers, or guilt-driven prompts (“Are you sure you want to lose all your data?”) can be classified as a dark pattern under both state consumer protection statutes and the FTC’s enforcement framework.

The safest approach is to offer an in-account cancellation option that the customer can complete without contacting support. If you use a retention flow (offering a discount or plan change before cancellation), keep it to one screen and always give the customer a clear, immediate option to proceed with cancellation without engaging.

Document your cancellation flow. If your company is ever investigated, you will need to demonstrate exactly what the customer experience looked like at the time of the complaint. Screenshots, user flow diagrams, and timestamped design records are valuable evidence.

5. Dark Patterns and Deceptive Design Liability

Dark patterns in subscription management have become a primary target for both the FTC and state regulators. A dark pattern is any design choice that manipulates the user into a decision they did not intend to make, such as subscribing, failing to cancel, or upgrading to a higher-priced plan.

Common dark patterns that regulators are targeting include pre-checked boxes that enroll users in recurring charges. They also include confusing cancellation flows where the “cancel” button is hidden or labeled ambiguously. Forced continuity, where a free trial converts to a paid subscription without a clear reminder, is another major enforcement trigger. Bait-and-switch pricing, where the renewal price is higher than the introductory price without adequate disclosure, rounds out the list of frequent violations.

California’s amendments to its ARL specifically address dark patterns. The FTC’s enforcement actions under ROSCA have cited deceptive design as a basis for liability even without a specific dark-patterns rule on the books.

If your UX team is designing retention flows or trial-to-paid conversions, have a lawyer review those designs before launch. What looks like smart conversion optimization to a product team can look like consumer fraud to a regulator.

6. Free Trial to Paid Conversion: The Compliance Minefield

Free trials that automatically convert to paid subscriptions are one of the most heavily regulated areas of subscription commerce. Nearly every state ARL and the FTC’s ROSCA framework impose specific requirements on trial-to-paid transitions.

Before the trial begins, you must clearly disclose that the trial will convert to a paid subscription. You must state the exact price the customer will be charged and the date the first charge will occur. You must explain how to cancel before the conversion happens.

Many businesses satisfy this requirement at sign-up but fail to send a reminder before the trial ends. California requires a reminder notification before the first charge. Several other states have similar requirements or are considering them. Even where not legally required, sending a pre-conversion reminder is a best practice that reduces chargebacks, complaints, and regulatory risk.

If you collect payment information during a free trial sign-up, your terms must make this absolutely clear. Users should understand why their credit card is being collected and what will happen if they do not cancel.

7. Practical Compliance Steps for 2026

Here is a concrete checklist for SaaS and e-commerce companies to address auto-renewal compliance this year.

First, audit your current terms of service. Check whether your renewal terms, pricing disclosures, and cancellation instructions meet the requirements of California, New York, Illinois, and Virginia ARLs. If you sell to customers in all 50 states, default to the strictest standard.

Second, review your cancellation flow. Map out every step a customer takes from clicking “cancel” to confirmation. Count the clicks. Count the screens. Remove any step that does not serve a legitimate business purpose or that a regulator could characterize as an obstruction.

Third, implement pre-renewal notifications. Send an email or in-app notification before each renewal that states the renewal date, the charge amount, and how to cancel. Do this even if your state does not require it yet.

Fourth, fix your free trial flows. Ensure that trial-to-paid disclosures are prominent, not buried in fine print. Send a reminder 3 to 7 days before the trial converts. Make cancellation available without contacting support.

Fifth, get your terms reviewed by an attorney who specializes in technology law. Template terms downloaded from the internet will not account for the current regulatory environment or your specific business model.

8. What Happens If You Do Not Comply

The consequences of non-compliance are not theoretical. The FTC’s $2.5 billion settlement in 2025 is the largest subscription-related enforcement action in US history. State attorneys general have brought their own cases, with penalties ranging from thousands to millions of dollars depending on the number of affected consumers.

Beyond government enforcement, non-compliant auto-renewal terms expose your company to class action lawsuits. Plaintiffs’ attorneys actively look for subscription businesses with deficient cancellation flows or inadequate disclosures. A single class action can cost more to defend than it would have cost to fix the terms in the first place.

There is also the chargeback problem. When customers feel trapped in a subscription they cannot easily cancel, they dispute the charge with their bank. High chargeback rates lead to higher payment processing fees, account holds, or termination by your payment processor. Compliance is not just a legal issue. It directly affects your revenue infrastructure.


Frequently Asked Questions

Did the Eighth Circuit’s vacatur of the FTC click-to-cancel rule mean auto-renewal regulations are gone?
No. The vacatur only struck down the specific rule the FTC finalized in 2024, and it did so on procedural grounds. The FTC still enforces auto-renewal requirements through ROSCA and Section 5 of the FTC Act. Every state auto-renewal law remains fully in effect and enforceable.

Which state auto-renewal law is the strictest?
California’s Automatic Renewal Law is widely considered the strictest. It requires pre-purchase disclosure, separate consent for auto-renewal terms, post-transaction confirmation with cancellation instructions, and treats violations as making the subscription an unconditional gift. If you sell nationwide, complying with California’s law is the safest baseline.

Can I require customers to call a phone number to cancel a subscription they signed up for online?
This is increasingly risky. Multiple state ARLs require that cancellation be as easy as sign-up. If sign-up happens online, cancellation should be available online. Requiring a phone call for an online subscription has been cited in enforcement actions as evidence of a deceptive practice.

Do I need to send a reminder before a free trial converts to a paid subscription?
California requires it, and several other states have similar requirements or pending legislation. Even where not legally mandated, sending a pre-conversion reminder significantly reduces your regulatory risk, chargeback rate, and customer complaints. It should be standard practice for every subscription business.

What should I do if my current terms of service do not address auto-renewal compliance?
Fix them immediately. Have a technology attorney review your subscription terms, cancellation flow, and disclosure practices against the current requirements of major state ARLs and federal law. The cost of a legal review is a fraction of the cost of an enforcement action or class action lawsuit.

Get Your Subscription Terms Right

Auto-renewal compliance is not a one-time checkbox. It is an ongoing obligation that changes as federal and state regulations evolve. If your subscription terms, cancellation flows, or trial conversions have not been reviewed by a technology attorney in the last 12 months, they are likely out of date.

Hansen Tong at TOS Lawyer works with SaaS companies, e-commerce businesses, and subscription platforms to draft and update terms that satisfy current federal and state auto-renewal requirements. Contact TOS Lawyer to schedule a consultation and get your subscription compliance in order before regulators or plaintiffs’ attorneys do it for you.

