Subscription-based business models have become a defining feature of digital commerce, prompting increased regulatory scrutiny of recurring payment practices. As recurring billing has expanded across sectors, including media, fintechs, and retail memberships, regulators are increasingly focused on consumer protection issues such as transparency of pricing and renewal terms, informed consumer consent, ease of cancellation, and prevention of so-called “subscription traps”.
In December 2025, Mexico adopted a presidential decree amending the Federal Consumer Protection Law (LFPC), introducing reforms that aim to give consumers more control and transparency over subscriptions and memberships. The decree updates the obligations of suppliers, particularly those operating in e-commerce, to require express consent for recurring charges, mandatory renewal notifications, and simplified cancellation mechanisms.
As recurring payments expand across digital commerce, merchants and payment processors must understand how rules such as click-to-cancel affect operations and compliance.
The bigger picture
Across the globe, legislators and regulators alike are taking a closer look at subscription-based business models and the consumer protection issues that accompany them.
Beyond Mexico, Latin America lacks uniform subscription laws, but consumer protection authorities have taken steps to address deceptive practices, reflecting a broader regulatory trend globally. In 2024, the consumer protection authorities of Chile, Colombia, Mexico, and Peru entered into a multilateral agreement with the US Federal Trade Commission (FTC) to promote cooperation among the agencies to protect consumers from cross-border fraud, deception, and other illegal practices, suggesting a regional shift toward coordinated enforcement. Meanwhile, Argentina's consumer protection laws were amended in 2025 to require a “Botón de Baja de Servicios”, requiring suppliers that market goods and services through websites to have a service cancellation button in a prominent place, through which consumers can request the cancellation of the contracted service.
In the United States, while the rule itself remains in legislative limbo, the FTC’s “Negative Option Rule”, commonly referred to as the “click-to-cancel” rule, sought to strengthen requirements around consent, disclosures, and cancellation. Even without the rule, the FTC continues to bring enforcement actions under existing statutes such as the Unfair, Deceptive, or Abusive Acts or Practices Act. In 2025, the FTC and 21 states and the District of Columbia filed an amended complaint against Uber Technologies, alleging the company engaged in unfair and deceptive practices related to its Uber One subscription program. The complaint alleges that Uber enrolled customers into the recurring-payment service without adequate disclosures and with burdensome cancellation mechanisms, invoking the FTC’s authority to protect consumers even in the absence of a finalized click-to-cancel rule. That same year, the FTC secured a historic $2.5bn settlement against Amazon for similar violations, finding that the technology giant used deceptive methods to sign up consumers for Prime subscriptions and made it exceedingly difficult to cancel.
While federal regulations are in flux, states are imposing their own distinct set of regulatory requirements. Several states, including California, Connecticut, New York, Virginia, Utah and Massachusetts, have adopted automatic renewal laws (ARLs) with their own distinct consumer protection requirements. State ARLs can mirror or exceed the principles of the federal click-to-cancel rule, impose stricter notice requirements, require renewal reminders, or mandate specific formatting for disclosures. The result is a patchwork compliance landscape requiring careful jurisdiction-by-jurisdiction analysis to ensure regulatory alignment and mitigation of legal risk.
The EU largely enforces subscription protections via the Unfair Commercial Practices Directive (UCPD) and Consumer Rights Directive (CRD), interpreted to require easy cancellation and transparent disclosure. Meanwhile, the Digital Services Act targets interfaces, commonly referred to as “dark patterns”, that make cancellations difficult. In 2023, the EU Consumer Protection Cooperation (CPC) Network asked major card networks to introduce a series of changes in their rules, to ensure that traders provide clear information to consumers on recurring payments before a consumer signs up, highlighting that click-to-cancel requirements do not rest solely with the merchant. The absence of a single EU subscription law creates a multi-jurisdictional compliance obligation, where payment processors must support merchants in providing compliant cancellation options in different countries.
Elsewhere, the UK is emerging as the leader for recurring payment innovation through its rollout of variable recurring payments (VRPs) under the open banking framework. By enabling consumers to authorize flexible, merchant-initiated payments directly from bank accounts with clear consent parameters and easy revocation, the UK is perhaps setting a global benchmark that may shape how other jurisdictions approach recurring payment governance.
In Australia, the Australian Competition and Consumer Commission (ACCC) has brought enforcement actions over alleged subscription traps, finding that businesses using confusing and complicated subscription cancellation policies is a matter of significant public concern and a violation of Australian consumer law. According to the ACCC’s 2025-26 compliance and enforcement priorities, addressing manipulative and false practices in digital markets is a key regulatory priority, signaling a continued focus on subscription business models and the consumer protection issues that accompany them.
Enforcement actions such as those in Australia, the EU’s interpretation of the UCPD and CRD, and the FTC’s use of UDAAP all signal that enforcement risk extends beyond formal rulemaking. Regulators are using existing unfair practices frameworks to send the message that compliance is not limited to formal subscription laws, but extends to how recurring payment models are designed and implemented in practice.
Why should you care?
Recurring payment rules are not just legal checkboxes; they have real implications for anyone facilitating subscriptions, from merchants to payment processors and third-party providers. How recurring charges are structured, disclosed, and managed can directly affect customer trust, brand reputation, and operational risk.
- Merchants are the first point of contact for consumers and therefore bear the brunt of regulatory and reputation risk. To stay ahead:
  - Ensure customers are explicitly informed about recurring charges, renewal terms, and pricing before any billing occurs.
  - Align cancellation mechanisms with sign-up simplicity.
  - Evaluate website and app interfaces for potential “dark pattern” risk.
  - Collaborate across teams. Compliance, product, and engineering should work together to assess and implement changes.
- Payment processors and third-party providers play a dual role as enablers of merchant compliance and risk managers at the platform level. To stay ahead:
  - Review merchant onboarding and monitoring frameworks.
  - Update terms of service agreements to reflect evolving expectations for recurring billing, cancellations, and disclosures.
  - Anticipate potential secondary liability or reputational risk.
  - Consider incorporating subscription compliance into broader risk-based monitoring models.
Merchants and payment processors alike should be aware that two regulatory dynamics are now shaping the oversight of recurring payments. Although some jurisdictions, such as Mexico, are adopting legal frameworks directly addressing subscription billing, others are increasingly using existing consumer protection frameworks to scrutinize subscription practices where billing structures, disclosures, or cancellation processes may disadvantage consumers.
As enforcement action inevitably follows supervisory focus, merchants, payment processors, and other entities facilitating recurring payments should be aware of both the specific rules in the jurisdictions where they operate and the broader consumer protection standards that regulators apply. Monitoring the direction of travel will also be important, and the UK’s rollout of VRPs may signal where the market is heading. By enabling consumers to authorize and manage recurring payments through regulated third parties within open banking frameworks, the approach is emerging as a potential benchmark for embedding consumer control directly into payment infrastructure.




