June 8, 2018 | Authored by: Vindicia Team Blogs
Subscription businesses need to understand California's Auto Renewal Law and GDPR
Subscription businesses need to be up front with customers about their policies for canceling and renewing subscriptions. Such transparency is not only positive for user experience and expected by consumers, but it is also mandated by law. This fact is witnessed by the updated California Auto Renewal Law (ARL) and the EU-legislated General Data Protection Regulation (GDPR) that became effective in late May and which affects all organizations around the globe doing business with people residing in EU countries.
We have written here before on the importance and value of making canceling a subscription simple; and now the growing amount of regulation that subscription services must comply with justifies a deeper dive into requirements and best practices, beyond just cancellation.
California law update requires easy canceling
While California is not the only state to have an Auto Renewal Law (ARL) on the books — in fact, just fewer than half of all states have such renewal laws — the Golden State is known for having among the strongest and most progressive consumer protections in the country, sometimes acting as a bellwether. California indeed has one of the most built-out codes for ARL.
Originally enacted in 2010, California's ARL required auto-renewing consumer contracts to clearly disclose terms, obtain consent before charge, and notify customers of cancellation methods and policies. The state Legislature recently expanded on those foundations with Senate Bill 313, which contained a number of changes that address aspects relevant to the boom in online services: free trials and gift subscriptions.
A primary takeaway for subscription companies is that come July 1, 2018, business must convey a "clear and conspicuous explanation of the price that will be charged after the trial ends or the manner in which the subscription or purchasing agreement pricing will change upon conclusion of the trial." The free trial/gift-specific requirements are added onto the pre-established ARL mandate to provide information about the renewal process of the base subscription itself, such as the recurring price, length of service period and cancellation policy. Consent must also be acquired before charging at a discount price.
The second noteworthy change to come with Senate Bill 313 is that services must make it possible for customers to cancel online any subscription that was accepted online. Previous statutes had allowed for toll-free phone numbers, snail mail and other mechanisms before without an internet-based option. New language added to the ARL says that "A consumer who accepts an automatic renewal or continuous service offer online shall be allowed to terminate the automatic renewal or continuous service exclusively online."
GDPR signals further action needed
The General Data Protection Regulation (GDPR), which came into effect May 25, 2018, is the product of a multiyear process undertaken by the European Union designed to improve data privacy regulations and increase punishment for noncompliance. The end result is a robust set of protections that "applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location." That means any subscription service with even a single European customer will be held to GDPR mandates for acquiring, processing, retaining and protecting personal data.
GDPR affects subscription operations in a few ways. For one, if deemed "data controllers," businesses must acquire explicit consent from European customers to store their personal data. Companies must find justified cause for storing certain data, as well, and delete information when there is no basis to hold onto it (like after a customer has cancelled). Subscription services that bill by credit card numbers on a recurring basis need to maintain fluid and detail-oriented data practices to ensure they don't infringe on GDPR codes.
Data protection rights are also greatly expanded under GDPR. As a result, subscription businesses will need to prepare operations to fulfill certain duties including:
- Providing notification of data breaches within 72 hours of first becoming aware.
- Extending to European customers the Right to Access their information, as well as the Right to Be Forgotten and have their data deleted.
- Appointing a Data Protection Officer (DPO) to supervise activities, if large enough scale requires it.
When looking to navigate the swift and complex waters of domestic and international regulations, subscription businesses can greatly benefit from the help of an experienced and adept subscription partner. Being the Subscription People, Vindicia has accumulated the knowledge and experience to aid companies in complying with laws, local and national.
Contact us today to learn more about our suite of solutions and how we can help your subscription business thrive in a bustling environment.
Which billing platform is right for B2C subscriptions?Download