The FTC Click-to-Cancel rule and ROSCA (Restore Online Shoppers' Confidence Act) both require affirmative explicit consent before a consumer is enrolled in a recurring charge. GDPR Art. 7 adds the requirement that consent be freely given, specific, informed, and unambiguous — a pre-checked checkbox satisfies none of these criteria. A checkout form where the billing consent checkbox is pre-checked (defaultChecked={true}) or where consent is inferred from accepting generic Terms is not compliant under any of these three frameworks. The business impact is concrete: Visa and Mastercard both treat pre-authorization failures as chargeback-eligible events under their dispute guidelines.
Low because the failure is a UI-level consent defect rather than a missing disclosure, but pre-checked or absent billing consent is a ROSCA and FTC violation that chargeback processors specifically flag.
Replace any generic terms checkbox with a dedicated, unchecked-by-default billing consent element in app/checkout/page.tsx:
// app/checkout/page.tsx
<div className="billing-consent">
  <label className="consent-label">
    <input
      type="checkbox"
      name="billing_consent"
      required
      defaultChecked={false}
    />
    <span>
      I authorize monthly charges of $9.99 USD. I can cancel anytime at
      Account Settings → Billing with no penalty.
    </span>
  </label>
</div>
The consent text must explicitly state the amount and frequency. Do not combine this with a generic "I agree to the Terms" checkbox — the billing authorization must be a separate, standalone element.
ID: finserv-disclosure.presentation-quality.preauth-consent
Severity: low
What to look for: List all checkout or signup forms that initiate recurring billing. For each form, check for an explicit consent mechanism (checkbox with defaultChecked={false} or checked={false}, confirmation button, or separate consent step). Verify the consent element is required on the form and is not pre-checked. The consent text must mention at least 2 of: billing amount, frequency, and cancellation method.
Pass criteria: Every checkout form with recurring billing has an unchecked-by-default consent checkbox (or equivalent) that is marked required. The consent text explicitly mentions the billing amount, frequency, and how to cancel. Quote the consent text and file path where it appears.
Fail criteria: Pre-authorization consent is missing entirely, or the consent checkbox is pre-checked (defaultChecked={true} or checked={true}), or consent is assumed without explicit user action, or the consent text omits the billing amount or frequency.
Do NOT pass when: The only consent mechanism is a generic "I agree to the Terms" checkbox that does not specifically mention recurring charges — this is NOT a valid pre-authorization consent.
Skip (N/A) when: The product has no recurring charges, subscriptions, or auto-renewal of any kind.
Detail on fail: Quote the checkout form file path and describe the issue. Example: "Checkout form at app/checkout/page.tsx has a pre-checked 'I agree to the terms' checkbox (defaultChecked={true}). No separate consent for recurring billing. Terms mention recurring charges but the form does not require explicit agreement."
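An added example (not part of the original audit definition) showing one way to automate the checks above over checkout form source. It is a heuristic text scan, not a JSX parser; the function name, finding labels, and both sample forms are constructed for illustration, and it assumes each checkbox sits inside its own label element.

```javascript
// Each check returns true when the criterion FAILS for one checkbox label.
const CHECKS = [
  ['pre-checked', (input) =>
    /\b(?:defaultChecked|checked)(?:=\{true\}|(?=[\s/>]))/.test(input)],
  ['not required', (input) => !/\brequired\b(?!=\{false\})/.test(input)],
  ['no billing amount', (_, text) => !/[$€£]\s?\d+(?:\.\d{2})?/.test(text)],
  ['no billing frequency', (_, text) =>
    !/\b(?:monthly|weekly|yearly|annual(?:ly)?|per (?:month|week|year))\b/i.test(text)],
  ['no cancellation method', (_, text) => !/\bcancel/i.test(text)],
];

function auditBillingConsent(source) {
  const labels = (source.match(/<label\b[\s\S]*?<\/label>/g) || [])
    .filter((label) => /type=["']checkbox["']/.test(label));
  if (labels.length === 0) return { pass: false, findings: ['no consent checkbox'] };
  const perLabel = labels.map((label) => {
    const input = (label.match(/<input\b[\s\S]*?>/) || [''])[0];
    // Visible consent text: drop tags, collapse whitespace.
    const text = label.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
    return CHECKS.filter(([, failed]) => failed(input, text)).map(([name]) => name);
  });
  // A separate generic Terms checkbox may coexist with a valid billing consent,
  // so the form passes when at least one checkbox meets every criterion.
  const pass = perLabel.some((issues) => issues.length === 0);
  return { pass, findings: pass ? [] : perLabel.flat() };
}

// Constructed sample: dedicated, unchecked, required billing consent.
const COMPLIANT = `
<label className="consent-label">
  <input type="checkbox" name="billing_consent" required defaultChecked={false} />
  <span>I authorize monthly charges of $9.99 USD. I can cancel anytime at
  Account Settings → Billing with no penalty.</span>
</label>`;

// Constructed sample: pre-checked generic Terms checkbox only.
const PRECHECKED_TERMS = `
<label>
  <input type="checkbox" name="terms" defaultChecked={true} />
  I agree to the Terms
</label>`;

console.log(auditBillingConsent(COMPLIANT));
console.log(auditBillingConsent(PRECHECKED_TERMS));
```

A checkbox whose checked state is bound to a variable (for example a state hook) cannot be resolved by this scan and needs manual review.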
Remediation: Implement explicit pre-authorization for recurring charges in app/checkout/page.tsx:
// app/checkout/page.tsx
<form onSubmit={handleSubscribe}>
  <input type="email" placeholder="Email" required />
  <input type="password" placeholder="Password" required />
  <div className="billing-consent">
    <label>
      <input
        type="checkbox"
        name="billing_consent"
        required
        defaultChecked={false}
      />
      I authorize monthly charges of $9.99 USD to my account. I can cancel
      anytime without penalty at Account Settings → Billing.
    </label>
  </div>
  <button type="submit">Create Account & Subscribe</button>
</form>
Cross-reference: For subscription auto-renewal compliance including FTC Click-to-Cancel rules, the Subscription Compliance audit covers consent patterns and cancellation flow requirements.