All 18 checks with why-it-matters prose, severity, and cross-references to related audits.
The FTC Negative Option Rule (2025) and California ARL both require subscription terms to be 'clear and conspicuous' before the consumer acts — not discoverable only after clicking through to Stripe. When billing frequency, price, and auto-renewal notice are absent from the pre-checkout screen, users reasonably believe they are making a one-time purchase. The resulting chargebacks and regulatory complaints are not recoverable by updating your Terms of Service retroactively; the disclosure must exist at the moment of decision. Under EU Consumer Rights Directive 2011/83/EU, failure to disclose recurring payment terms before order placement can make the contract voidable.
Why this severity: Critical because absent pre-purchase disclosure is the primary trigger for FTC enforcement actions and class-action suits under state ARL statutes, with civil penalties up to $50,120 per violation.
Check ID: subscription-compliance.pre-purchase.terms-clear-before-checkout

When checkout shows a base price and applies taxes silently on charge, the first time a user sees the true total is on their bank statement — a direct violation of FTC Negative Option Rule (2025) transparency requirements and EU Consumer Rights Directive 2011/83/EU Article 6 pre-contract information obligations. Jurisdictions with sales tax on SaaS (Texas, Ohio, Washington, and most EU member states) make this gap material and frequent. Silent tax additions are also the second most-cited cause of subscription chargebacks after unrecognized recurring charges.
Why this severity: High because silently adding taxes between the displayed price and the actual charge constitutes a material misrepresentation under both FTC rules and EU consumer law, triggering chargeback liability and regulatory exposure.
Check ID: subscription-compliance.pre-purchase.total-cost-disclosed

A CTA labeled 'Start free trial' with no stated duration, post-trial price, or auto-conversion notice is textbook negative option marketing under FTC Negative Option Rule (2025) — the consumer is not making an informed decision to authorize future recurring charges. California ARL Section 17601 requires that all three facts (trial length, conversion trigger, post-trial price) appear at the point of enrollment. When a user discovers an unexpected $29 charge weeks after forgetting a trial, the result is a chargeback, not a cancellation — and Stripe's dispute rate threshold is 0.75%.
Why this severity: High because withholding post-trial price and auto-conversion terms at the enrollment point constitutes the specific negative option pattern the FTC's 2025 rule targets for civil penalty enforcement.
Check ID: subscription-compliance.pre-purchase.free-trial-terms-explicit

The FTC's 'clear and conspicuous' standard for negative option disclosures has a functional definition: a reasonable consumer must notice and understand the terms in the normal course of browsing. Disclosing auto-renewal in 10px gray footnote text, behind a collapsed accordion, or inside a linked Terms of Service satisfies none of that standard. Both FTC Negative Option Rule (2025) and California ARL treat buried disclosures as equivalent to no disclosure — the location and presentation are part of the legal compliance, not just the presence of the text.
Why this severity: Medium because buried-but-present disclosure creates regulatory exposure and chargeback risk, but a detectable fix (CSS and placement changes) avoids the full-enforcement triggers that absent disclosure attracts.
Check ID: subscription-compliance.pre-purchase.material-terms-visible

Displaying an annual plan as '$24/month' without disclosing the $290 annual charge is a documented deceptive pattern under FTC Negative Option Rule (2025): the consumer commits to a $290 lump-sum charge while believing they authorized a $24 monthly payment. The FTC's Dot Com Disclosures guidance (2013) classifies missing-period qualifiers as material omissions. California ARL reinforces this by requiring the 'initial subscription fee' be clearly stated. A missing billing period label on a $29 price is the lowest-friction compliance gap in this category — one additional span element fixes it.
Why this severity: Low because the omission is typically isolated to label text and does not itself trigger the charge, but it feeds the misrepresentation chain that leads to chargebacks when the period is misunderstood.
Check ID: subscription-compliance.pre-purchase.price-per-period

FTC Negative Option Rule (2025) and MITA (Restore Online Shoppers' Confidence Act successor) require that the consumer's authorization of a recurring charge be unambiguous — a generic 'Pay' button without an adjacent charge acknowledgment does not meet the threshold. Pre-checked checkboxes are opt-out mechanisms, not opt-in consent, and are explicitly called out in the FTC's Dark Patterns Report (2022) as deceptive. Under California ARL, the subscription consent must be obtained separately from any other purchase consent. A form that can be submitted without the checkbox checked means the consent field is cosmetic, not functional.
Why this severity: Critical because absent or pre-checked consent for recurring charges is the specific pattern that triggers FTC enforcement under MITA and the 2025 Negative Option Rule, with per-violation civil penalties.
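An added example (not code from the audit project or from this page) of checking the last point, that the consent control is functional rather than cosmetic: it parses a checkout form for the recurring-consent checkbox, flags the pre-checked and not-required cases, and enforces the same requirement server-side, where HTML `required` is only advisory. The form markup and the field name `consent_recurring` are constructed for the example.

```python
"""Audit a checkout form's recurring-charge consent control (added example,
not the audit project's code). Form markup and field names are constructed."""
from html.parser import HTMLParser


class _CheckboxCollector(HTMLParser):
    """Collect the attributes of every <input type="checkbox"> in the form."""
    def __init__(self):
        super().__init__()
        self.boxes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes such as `checked` map to None
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.boxes.append(a)


def audit_consent_checkbox(form_html, consent_name):
    """Return findings for the subscription consent checkbox: missing,
    pre-checked (opt-out, not opt-in) or not required (cosmetic)."""
    parser = _CheckboxCollector()
    parser.feed(form_html)
    boxes = [b for b in parser.boxes if b.get("name") == consent_name]
    if not boxes:
        return [f"no checkbox named {consent_name!r}: no affirmative consent is collected"]
    box = boxes[0]
    findings = []
    if "checked" in box:
        findings.append("consent checkbox is pre-checked (opt-out, not opt-in)")
    if "required" not in box:
        findings.append("consent checkbox is not required: the form can be submitted without it")
    return findings


def validate_submission(form, consent_name, checkbox_value="on"):
    """Server-side enforcement. HTML `required` is advisory only: a client can
    omit the field, so the backend must refuse enrollment unless the field
    carries the checked value (browsers send "on" when no value attribute is set)."""
    return form.get(consent_name) == checkbox_value


# Constructed sample markup: the deceptive form beside the compliant one.
PRECHECKED_FORM = """<form method="post">
  <input type="checkbox" name="consent_recurring" checked>
  <label>I agree</label><button>Pay</button></form>"""
COMPLIANT_FORM = """<form method="post">
  <input type="checkbox" id="rc" name="consent_recurring" required>
  <label for="rc">I authorize a recurring charge of $29/month until I cancel,
  next billing on the date shown above.</label><button>Start subscription</button></form>"""
```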
Check ID: subscription-compliance.enrollment.affirmative-consent

FTC Negative Option Rule (2025) and California ARL both require written confirmation of subscription enrollment including material terms — price, billing period, next billing date, and cancellation instructions. Stripe's default payment receipt satisfies the payment acknowledgment but does not include a cancellation path, which is the regulatory requirement most commonly cited in enforcement guidance. The confirmation email also serves as the user's primary reference if they want to cancel before the next billing date; without it, support tickets and chargebacks increase measurably.
Why this severity: Medium because the absence of a compliant confirmation email violates written-notice requirements under FTC rules and state ARL statutes, though the enrollment itself may have been validly consented to.
Check ID: subscription-compliance.enrollment.purchase-confirmation

When a one-time purchase and a recurring subscription are combined in the same checkout step without visual or semantic separation, the consumer cannot clearly identify which portion of their agreement is recurring. FTC Negative Option Rule (2025) requires that recurring charge consent be obtained independently of any one-time purchase consent. The FTC Dark Patterns Report (2022) specifically flags pre-checked subscription add-ons in one-time checkout flows as a deceptive enrollment pattern. EU Consumer Rights Directive 2011/83/EU Article 22 prohibits pre-ticked boxes for additional charges of any kind.
Why this severity: Medium because the bundling creates ambiguity about the scope of recurring charge consent without necessarily preventing the user from cancelling, but it directly violates FTC negative option consent-separation requirements.
Check ID: subscription-compliance.enrollment.separate-subscription-consent

Negative option enrollment — where inaction, a pre-selected default, or a bundled account-creation agreement triggers a subscription — is the original target of the FTC Negative Option Rule and California ARL. A pre-checked 'Add Pro subscription' checkbox is an opt-out mechanism masquerading as user consent. A free trial that silently converts to paid using a payment method from a prior unrelated transaction is the most-complained-about pattern in the FTC's negative option enforcement history. Both patterns are documented in the FTC Dark Patterns Report (2022) as straightforward violations.
Why this severity: Low because the pattern often produces technically revocable subscriptions, but its presence is a per-enrollment regulatory violation with accumulated liability proportional to subscriber count.
Check ID: subscription-compliance.enrollment.no-negative-option

The FTC Click-to-Cancel Rule (effective 2025) mandates that cancellation be available in the same number of steps — or fewer — as enrollment. Requiring users to email support to cancel while allowing online self-service enrollment is an automatic regulatory violation regardless of how simple the enrollment was. California ARL imposes the same requirement. Cancellation friction is also the primary driver of 'friendly fraud' chargebacks: users who cannot cancel quickly dispute the charge with their bank instead, and Stripe's 0.75% dispute threshold has real consequences.
Why this severity: Critical because requiring more steps to cancel than to enroll, or routing cancellation through support contact, is a per-subscriber regulatory violation under the FTC Click-to-Cancel Rule with civil penalties.
Check ID: subscription-compliance.cancellation.click-to-cancel

FTC Click-to-Cancel Rule (2024, effective 2025) requires that if a consumer enrolled online, cancellation must be available through the same online mechanism — routing to email or phone is an explicit violation. California ARL enforces the same standard for California-based consumers. A 'Cancel anytime' marketing claim paired with a `mailto:support@example.com` cancellation path is both a deceptive trade practice and a regulatory violation. The practical consequence is that support tickets spike at billing cycle, refund rates climb, and dispute rates follow because users who cannot self-cancel dispute the charge instead.
Why this severity: High because requiring support contact for online-enrolled subscriptions is a named violation category in the FTC Click-to-Cancel Rule, triggering enforcement without the proportionality analysis applied to step-count violations.
Check ID: subscription-compliance.cancellation.online-cancellation

FTC Click-to-Cancel Rule (2024) requires that a cancellation confirmation be provided to the consumer immediately after cancellation — not only as a UI toast that disappears, but as a durable written record. California ARL and EU Consumer Rights Directive 2011/83/EU Article 12 both require confirmation of contract termination including the date through which access continues. Stripe's Billing Portal handles the portal UI but sends no custom cancellation email by default; the application must handle `customer.subscription.updated` (cancel_at_period_end) and `customer.subscription.deleted` webhooks to satisfy this requirement.
Why this severity: High because absent written cancellation confirmation violates durable-medium requirements under the FTC Click-to-Cancel Rule and EU Consumer Rights Directive, leaving the business unable to demonstrate that the consumer received confirmation.
Check ID: subscription-compliance.cancellation.cancellation-confirmation

When a consumer cancels an annual subscription mid-year and receives no information about whether a prorated refund is owed, the business is exposed under EU Consumer Rights Directive 2011/83/EU Article 14 (right of withdrawal) and FTC Negative Option Rule (2025) requirements that material terms include refund rights. A 'no refund' policy is legally permissible in most jurisdictions, but only if clearly disclosed before purchase — not just in the Terms of Service. Annual subscriptions that silently absorb unused months generate disproportionate chargebacks because consumers assert their right to a refund through their bank when the product refuses.
Why this severity: Medium because an undisclosed or absent refund policy for annual subscriptions creates chargeback liability and EU withdrawal-right violations, but does not itself constitute the unauthorized-charge pattern triggering highest-severity FTC enforcement.
Check ID: subscription-compliance.cancellation.pro-rated-refund

The FTC Click-to-Cancel Rule (2024) permits retention offers during the cancellation flow only if they do not add mandatory friction — the consumer must be able to skip any retention step and complete cancellation without taking additional required actions. Absent retention alternatives (downgrade, pause), the application misses a business opportunity to retain users who would have accepted a lighter-weight option. Stripe's `pause_collection` API makes subscription pausing a low-effort implementation. Presenting alternatives also demonstrates good faith in regulatory context: a structured, skippable retention flow is evidence of intent to honor cancellation, which reduces FTC enforcement risk.
Why this severity: Low because absent retention alternatives fall short of a UX best practice and forgo a weak FTC good-faith signal, but do not constitute an affirmative regulatory violation: the user can still cancel without them.
Check ID: subscription-compliance.cancellation.downgrade-pause

Renewal charges that arrive with no advance warning are the leading cause of subscription-related chargebacks and the behavioral trigger the FTC Negative Option Rule (2025) and California ARL target in their 'save offer' and notice requirements. A user who has forgotten they subscribed months ago and sees an unexpected $29 charge will dispute it with their bank rather than cancel — and Stripe's 0.75% dispute threshold affects payment processing eligibility. California ARL requires advance notice for annual charges; for monthly charges, renewal reminders are a strong chargeback-prevention measure even where not strictly mandated.
Why this severity: Low because monthly renewal reminders are a chargeback-prevention best practice and FTC good-faith signal rather than a per-violation enforcement target, but the absence of annual reminders specifically triggers California ARL exposure.
Check ID: subscription-compliance.renewal.renewal-reminder

Charging a consumer at a higher price than they originally authorized — with no advance notice — violates the FTC Negative Option Rule (2025) requirement that material changes to subscription terms be communicated before they take effect. California ARL and EU Consumer Rights Directive 2011/83/EU both require that price increases be disclosed with sufficient advance notice for the consumer to cancel before the new rate applies. Silent price increases processed through Stripe Subscription Schedules without customer notification are the most common way well-intentioned teams inadvertently create regulatory exposure during pricing strategy updates.
Why this severity: Info because the violation requires a price change event to occur — no prior price change means no current violation — but the absence of a notification mechanism means any future price change immediately creates regulatory liability.
Check ID: subscription-compliance.renewal.price-change-notification

When a subscription payment fails silently — no email, no in-app alert, no documented grace period — the consumer's access may be revoked without warning while they believe the subscription is active. FTC Negative Option Rule (2025) requires that consumers be informed of failed charges and given an opportunity to resolve payment before losing access. The absence of an `invoice.payment_failed` webhook handler also means Stripe's Smart Retry window passes without the user knowing they need to update their payment method, converting a recoverable payment failure into a churned subscriber and a potential service disruption dispute.
Why this severity: Info because failed payment notification is a consumer-protection obligation under FTC rules but a violation only materializes when a specific payment fails without notice, not as an ongoing structural defect.
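The two cancellation webhooks named in the cancellation-confirmation check and the `invoice.payment_failed` handler from the failed-payment check, handled together in one dispatcher as an added example (not the audit project's or Stripe's own code). Event dicts follow the classic Stripe event, subscription and invoice field names but are constructed and trimmed to the fields used; `deliver` stands in for whatever sends the email and records it.

```python
"""Stripe webhooks -> durable written notices (added example, not project code).
Event dicts follow Stripe's event shape but are trimmed to the fields used."""
from datetime import datetime, timezone


def _day(ts):
    """Unix timestamp -> YYYY-MM-DD in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def notice_for_event(event):
    """Return (customer_id, subject, body) when the event requires a written
    notice, or None when it does not."""
    kind, data = event["type"], event["data"]
    obj = data["object"]
    if kind == "customer.subscription.updated":
        # Only the transition *into* cancel_at_period_end is a cancellation;
        # plan changes, reactivations and other updates must not send this.
        changed = "cancel_at_period_end" in data.get("previous_attributes", {})
        if changed and obj.get("cancel_at_period_end"):
            return (obj["customer"], "Your cancellation is confirmed",
                    "Your subscription will not renew. Access continues through "
                    f"{_day(obj['current_period_end'])}; no further charges will be made.")
        return None
    if kind == "customer.subscription.deleted":
        return (obj["customer"], "Your subscription has ended",
                f"Your subscription ended on {_day(obj['ended_at'])}.")
    if kind == "invoice.payment_failed":
        amount = f"{obj['amount_due'] / 100:.2f} {obj['currency'].upper()}"
        retry = obj.get("next_payment_attempt")  # None once automatic retries stop
        when = (f"We will retry on {_day(retry)}." if retry
                else "No further automatic retry is scheduled.")
        return (obj["customer"], "Action needed: your payment failed",
                f"Your payment of {amount} did not go through. {when} Update your "
                f"payment method at {obj['hosted_invoice_url']} to keep access.")
    return None


def handle_webhook(event, sent, deliver):
    """Idempotent dispatch: Stripe may deliver an event more than once, so each
    event id is recorded in `sent` and its notice delivered at most once.
    `deliver(customer, subject, body)` is the caller's email/ledger function."""
    if event["id"] in sent:
        return False
    notice = notice_for_event(event)
    sent[event["id"]] = notice
    if notice is None:
        return False
    deliver(*notice)
    return True
```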
Check ID: subscription-compliance.renewal.failed-payment-handling

California Automatic Renewal Law (ARL) Business & Professions Code §17601 specifically requires that for annual subscriptions, customers receive an advance renewal notice before the charge — with sufficient lead time to cancel. A 3-day notice adequate for monthly charges does not satisfy the ARL for a $290 annual charge. EU Consumer Rights Directive 2011/83/EU similarly requires material pre-contractual information be provided for automatic contract extensions. Annual subscribers who receive a $290 charge without a prior reminder represent the highest-dollar, highest-dispute-rate segment of subscription chargebacks.
Why this severity: Info because non-compliance requires an annual renewal to occur without the mandated notice — but when it does occur, the California ARL civil penalty and chargeback exposure are disproportionate to the severity label.
Check ID: subscription-compliance.renewal.annual-renewal-reminder

Run this audit in your AI coding tool (Claude Code, Cursor, Bolt, etc.) and submit results here for scoring and benchmarks.
Open Subscription & Auto-Renewal Compliance Audit