Auto-Renewal Subscription Compliance in 2026: What Your Terms Must Cover


If your business charges customers on a recurring basis, your subscription terms are under more legal pressure right now than at any point in the past decade. Federal and state regulators have made auto-renewal practices a top enforcement priority, and the legal landscape shifted significantly in 2025 and 2026.

The FTC's "click-to-cancel" rule was vacated by the Eighth Circuit in July 2025. That sounds like a win for subscription businesses, but it is not. The vacatur removed one specific federal rule while leaving the FTC's broader enforcement authority intact and triggering a wave of state-level enforcement actions.

Here is what SaaS founders, e-commerce operators, and subscription-based businesses need to fix right now to stay compliant and avoid regulatory action.

The FTC Click-to-Cancel Rule: What Actually Happened

The FTC finalized its "click-to-cancel" rule in late 2024, requiring businesses to make cancellation as simple as sign-up. If a customer can subscribe with one click, they must be able to cancel with one click. The rule also required clear disclosure of subscription terms before enrollment and prohibited certain negative-option practices.

In July 2025, the Eighth Circuit Court of Appeals vacated the rule on procedural grounds. The court found that the FTC had not followed the proper rulemaking procedures required by the FTC Act. The substantive requirements of the rule were not addressed on the merits.

The FTC responded quickly. In January 2026, it issued an Advance Notice of Proposed Rulemaking (ANPRM) to restart the rulemaking process through the correct procedural channels. The agency is rebuilding the same rule with a procedurally sound foundation. Expect a new finalized rule by late 2026 or early 2027.

More importantly, the vacatur did not strip the FTC of its existing enforcement tools. The agency retains full authority to pursue deceptive and unfair subscription practices under Section 5 of the FTC Act, ROSCA (Restore Online Shoppers' Confidence Act), and the Telemarketing Sales Rule. The $2.5 billion Walmart settlement in 2025 was brought under these existing authorities, not the vacated rule.

State Auto-Renewal Laws Are the Real Enforcement Engine

While businesses focus on the federal rulemaking drama, state attorneys general are actively enforcing their own auto-renewal laws. These laws existed before the FTC rule and continue to operate independently.

California's Automatic Renewal Law (ARL), codified under Business and Professions Code Sections 17600-17606, is the strictest in the country. It requires clear and conspicuous disclosure of auto-renewal terms before the consumer agrees, affirmative consent to the terms, a simple cancellation method, and notice before a free trial converts to a paid subscription. California's ARL also specifically prohibits dark patterns that make cancellation difficult.

New York's auto-renewal statute (General Business Law Section 527) requires clear pre-purchase disclosure and easy cancellation for consumers who subscribed online. Several other states, including Texas, Virginia, and Colorado, have similar requirements that went into effect between 2022 and 2025.

If you sell subscriptions to customers across multiple states, you are subject to every state ARL where your customers reside. Compliance with the most restrictive state law (California) generally ensures compliance with most others, but a SaaS lawyer can confirm which state-specific requirements apply to your business.

What Your Terms of Service Must Include for Subscriptions

Your terms and conditions must address auto-renewal directly and specifically. Burying renewal language inside a wall of text does not satisfy the "clear and conspicuous" standard required by California and most other state ARLs.

At minimum, your subscription terms should clearly state that the subscription will automatically renew unless the customer cancels before the renewal date, the renewal price (including any price changes that will apply at renewal), the frequency of renewal billing, the cancellation deadline and how to cancel, and a link or direct path to the cancellation mechanism.

Your terms should also describe the cancellation process in plain language. Telling customers to "contact support" is not specific enough. You need to state exactly how cancellation works, including whether it can be done in-app, via a link in the customer portal, or through another specific method.

For SaaS companies, the terms should also address what happens to the customer's data after cancellation. Does the customer get a grace period to export their data? How long is it retained after cancellation? These provisions are both a legal requirement under various privacy laws and a practical customer experience consideration.

Cancellation Flow Requirements: How Easy Is "Easy Enough"?

The legal standard across most state ARLs is that cancellation must be at least as easy as sign-up. If a customer can subscribe online in three clicks, cancellation must be achievable in three clicks or fewer. This is a functional standard, not just a written one.

Requiring customers to call a phone number during limited business hours to cancel an online subscription is a lawsuit waiting to happen. Several class action settlements in 2024 and 2025 were triggered specifically by phone-only cancellation requirements. Courts and regulators have consistently found this practice to be unfair.

The safest approach is to offer an in-account cancellation option that the customer can complete without contacting support. A "cancel subscription" button in the account settings page, accessible in two or three clicks from the dashboard, meets the standard in virtually every jurisdiction.

Document your cancellation flow. If your company is ever investigated, you will need to demonstrate exactly what the customer experience is at each step. Screenshots with timestamps showing the number of clicks, the language at each step, and the confirmation message are essential documentation.

Dark Patterns and Deceptive Design Liability

Dark patterns in subscription management have become a primary target for both the FTC and state regulators. A dark pattern is a user interface design that manipulates users into taking actions they did not intend, such as making cancellation difficult, hiding the cancel button, or using guilt-tripping language to retain subscribers.

Common dark patterns that regulators are targeting include pre-checked boxes that enroll users in recurring charges, confusing button placement that makes the "continue subscription" button more prominent than "cancel," mandatory exit surveys or confirmation steps that are not required for sign-up, and language that frames cancellation as something harmful to the user.

California's amendments to its ARL specifically address dark patterns. The FTC's enforcement actions under ROSCA have cited dark patterns as evidence of unfair and deceptive practices. The standard is whether the overall design makes it harder to cancel than to subscribe, regardless of whether any individual element is technically compliant.

If your UX team is designing retention flows or trial-to-paid conversions, have a technology lawyer review those designs before launch. The legal risk from a dark-pattern enforcement action is not limited to fines. Class action exposure from dark-pattern subscription practices has resulted in nine-figure settlements.

Free Trial to Paid Conversion: The Compliance Minefield

Free trials that automatically convert to paid subscriptions are one of the most heavily regulated areas of subscription law. Both the FTC and state regulators have brought multiple enforcement actions specifically targeting trial-to-paid conversion practices.

Before the trial begins, you must clearly disclose that the trial will convert to a paid subscription. You must state the specific price that will be charged, the date the charge will occur, and the method by which the customer can cancel before being charged. This disclosure must be conspicuous, meaning it cannot be in fine print or buried in your terms of service.

Many businesses satisfy this requirement at sign-up but fail to send a reminder before the trial ends. California requires a reminder notification before a free trial converts to a paid subscription. The reminder must include the price, the conversion date, and instructions for cancellation. Several other states have similar requirements that went into effect in 2024 and 2025.

If you collect payment information during a free trial sign-up, your terms must make this absolutely clear. Users should not first realize that they provided payment information when they see a charge on their credit card statement. Requiring users to enter payment information at sign-up while downplaying or obscuring the fact that they will be charged after the trial is a consistent target for regulatory action.

Practical Compliance Steps for 2026

Here is a concrete checklist for SaaS and e-commerce companies to address auto-renewal compliance this year.

First, audit your current terms of service. Check whether your renewal terms, pricing disclosures, and cancellation instructions meet the standards described above. If your terms were last updated before 2024, they almost certainly need revision.

Second, review your cancellation flow. Map out every step a customer takes from clicking "cancel" to confirmation. Count the clicks. Compare it to your sign-up flow. If cancellation requires more steps than sign-up, fix it.

Third, implement pre-renewal notifications. Send an email or in-app notification before each renewal that states the renewal amount, the renewal date, and a direct link to the cancellation mechanism. For free trials converting to paid, send this notification at least 3-7 days before the conversion date.

Fourth, fix your free trial flows. Ensure that trial-to-paid disclosures are prominent, not buried in fine print. Send a pre-conversion reminder. Make sure the reminder includes the specific charge amount and a direct cancel link, not just a link to your account settings page.

Fifth, get your terms reviewed by an attorney who specializes in SaaS agreements. Template terms downloaded from the internet do not include state-specific auto-renewal disclosures or the updated FTC compliance language. A technology attorney can update your terms to match current requirements and flag any dark-pattern risks in your UI.

What Happens If You Do Not Comply

The consequences of non-compliance are not theoretical. The FTC's $2.5 billion settlement in 2025 is the largest subscription enforcement action in history, but smaller businesses face significant exposure as well. California's ARL allows consumers to recover restitution and statutory penalties, and the state attorney general can seek civil penalties of $2,500 per violation.

Beyond government enforcement, non-compliant auto-renewal terms expose your company to class action lawsuits. Plaintiffs' attorneys have been aggressive in bringing class actions under California's ARL and similar state statutes. These cases settle for significant amounts even when the underlying subscription practices were not malicious.

There is also the chargeback problem. When customers feel trapped in a subscription they cannot easily cancel, they dispute the charges with their credit card companies. High chargeback rates can result in your merchant account being terminated by your payment processor, which is an existential threat to a subscription business.

Frequently Asked Questions

Did the Eighth Circuit's vacatur of the FTC click-to-cancel rule mean auto-renewal regulations are gone?

No. The vacatur removed one specific federal rule on procedural grounds. State auto-renewal laws remain fully in effect, and the FTC retains enforcement authority under Section 5, ROSCA, and other existing statutes. The FTC is actively rebuilding the rule through proper procedures. Regulatory enforcement of auto-renewal practices is continuing and, in many states, accelerating.

Which state auto-renewal law is the strictest?

California's Automatic Renewal Law is widely considered the strictest. It applies to any business that charges California residents on a recurring basis, regardless of where the business is located. Compliance with California's ARL generally ensures compliance with most other state laws, but check your specific states.

Can I require customers to call a phone number to cancel a subscription they signed up for online?

This is increasingly risky and likely non-compliant in California and several other states. The legal standard is that cancellation must be at least as easy as sign-up. If customers subscribed online, a phone-only cancellation option does not meet that standard. Online cancellation capability is strongly recommended for any subscription business with customers in California or New York.

Do I need to send a reminder before a free trial converts to a paid subscription?

California requires it, and several other states have similar requirements. Even where not legally required, sending a pre-conversion reminder is a best practice that reduces chargebacks, improves customer satisfaction, and demonstrates good faith in any regulatory inquiry. It is also required by the FTC's pending rulemaking, so building it now avoids a future compliance scramble.

What should I do if my current terms of service do not address auto-renewal compliance?

Fix them immediately. Have a technology attorney review and update your terms and conditions to include the required auto-renewal disclosures, cancellation instructions, and data handling provisions. Also review your sign-up flow, free trial flow, and cancellation flow for dark-pattern risks. Non-compliance is an ongoing liability that grows with every subscription you process.

Get Your Subscription Terms Right

Auto-renewal compliance is not a one-time checkbox. It is an ongoing obligation that changes as federal and state regulations evolve. The businesses that get enforcement actions are not necessarily the ones with the worst practices. They are the ones that did not update their terms and flows when the law changed.

Hansen Tong at TOS Lawyer works with SaaS companies, e-commerce businesses, and subscription platforms to draft and update subscription terms, review cancellation flows, and address auto-renewal compliance under current federal and state law. Contact TOS Lawyer to get your subscription terms and cancellation practices reviewed before they become a regulatory problem.


