Introduction
In a decision with wide-reaching implications for consumer rights and digital commerce, the US Court of Appeals for the Eighth Circuit recently vacated the Federal Trade Commission’s (FTC) Click-to-Cancel rule, which was finalized in 2024 and whose final disclosure and cancellation requirements were set to take effect on July 14, 2025. Initially proposed in 2023 as a commonsense extension to the FTC’s Negative Option Rule, which protects consumers from being charged for goods or services they did not explicitly agree to purchase, Click-to-Cancel would have required businesses to allow consumers to cancel subscriptions through the same simple method used to enroll, typically online and in one click. Although many consumers associate Click-to-Cancel with streaming subscriptions, the rule would also have applied to a range of financial products and services that banks and their affiliates offer, such as identity theft monitoring services, credit protection or credit monitoring products, and add-on insurance products.
Now, with the rule formally struck down by a federal appeals court, financial institutions that offer subscription-based services/products are still exposed to compliance risk under existing Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices (UDAP/UDAAP) standards, the Electronic Funds Transfer Act (EFTA), the Truth in Lending Act (TILA), and various other state laws. This revocation also does not remove consumer expectations; instead, it creates a gray zone where the reputational, regulatory, and legal risks are arguably even more complex than before, because more states may create their own regulatory schemes to fill the gap.
The Bigger Picture
Originally introduced to address a key problem in negative option marketing, Click-to-Cancel was seen by regulators as a solution for consumers who may have found cancelling subscriptions difficult, confusing, or time-consuming. When the FTC originally announced its notice of proposed rulemaking, the agency received more than 16,000 comments from consumers and consumer interest groups in support of the proposal. The court’s decision may appear at first to benefit businesses by removing an “onerous” new rule. In reality, however, other consumer protection laws that require clear, conspicuous, and simple cancellation processes still exist and are enforceable at both the federal and state levels. For example, under the FTC Act’s prohibition on unfair and deceptive practices, financial institutions offering subscription-based products or services online must ensure that consumers can easily understand and exercise their right to cancel.
Additionally, many states have proposed more stringent consumer protection laws to compensate for the absence of Click-to-Cancel. For example, New York’s Fostering Affordability and Integrity through Reasonable Business Practices Act would, if passed, require banks to make the terms of their subscription-based products clear and conspicuous. Previously established state-level “automatic renewal” laws, like those in California and New York, specifically require straightforward online cancellation options. Without Click-to-Cancel, state attorneys general may take a heavy-handed approach to enforcement. Even without the Click-to-Cancel rule in place, banks should continue prioritizing transparent, user-friendly cancellation options for customers or risk potential enforcement actions, reputational damage, and lawsuits.
Why Should You Care?
While the Click-to-Cancel rule has been vacated, other consumer protection laws at both the federal and state levels, such as UDAP, EFTA, FCRA, and TILA, to name a few, still apply to these types of products. Banks should ensure compliance with those laws and consider the following:
1. Legal and Compliance Exposure Doesn’t Disappear
The Eighth Circuit’s decision removed the Click-to-Cancel rule, but not the FTC’s authority to police unfair or deceptive practices, nor did it preempt state law. Institutions offering subscription services must still grapple with a complex legal matrix. For example, California’s Automatic Renewal Law (ARL) imposes stringent cancellation requirements and is actively enforced by the state attorney general. Additionally, New York’s Department of Financial Services (DFS) is tasked with ensuring that cancellation processes are simple, transparent, and fair. Although banks are generally exempt for core products like deposit accounts or loans, optional add-ons, such as identity protection, investment advisory, or premium account services, remain subject to the ARL.
Financial institutions should determine whether the ARL applies to them, which depends on the bank’s connection to California: institutions that have branches in the state or that serve California residents must comply, even if the product is offered nationally or they are headquartered outside California.
Banks should consider:
- Conducting an impact analysis - Evaluate whether your financial institution offers products or services online that would be subject to Click-to-Cancel requirements under federal and state laws, as companies must still ensure compliance with the laws of the states they operate in. Pay particular attention to subscription-style products, add-on services, or premium accounts like identity theft monitoring, credit protection, credit monitoring, or add-on insurance products, as well as any "free trial" that rolls into a paid service. Determine if you operate or have customers in states that have specific laws similar to the Click-to-Cancel rule.
- Identifying impacted products and services - If the institution does offer these types of products/services, map out which offerings fall under negative option billing or auto renewal models, and include both bank-owned services and third-party products offered through the institution, so that the institution can identify potential compliance risks, ensure proper disclosures, and prevent unexpected consumer charges.
2. Risk of Even More Patchwork Regulation
With the federal rule vacated, more states may introduce or strengthen their own rules on subscription cancellation. This creates operational and legal complexity, particularly for national banks and fintech firms serving users in multiple jurisdictions. Financial institutions will need to make sure their regulatory change management program is strong to ensure compliance across multiple states with subscription cancellation regulations.
Banks should consider:
- Performing a gap analysis - Compare current cancellation processes and procedures to state-level Click-to-Cancel requirements and other federal laws and regulations that apply to these types of products/services.
3. Reputational Harm and Consumer Distrust
The public sentiment that fueled Click-to-Cancel has not disappeared with the court’s ruling. Consumers still expect cancellation to be quick and painless, especially for financial tools that directly interact with their accounts. Any misalignment between consumer expectations and actual design, such as forcing users to call during business hours or navigate hidden menus, can spark viral backlash, negative media coverage, and user churn.
Banks should consider:
- Reviewing customer disclosures - Ensure enrollment and cancellation disclosures clearly explain terms, renewal periods, and cancellation methods, and align digital banking platforms and account-opening materials with state requirements, so financial institutions can reduce regulatory risk, avoid consumer complaints, and maintain trust.
4. Class Action and Consumer Litigation Risks
Regulators such as the Consumer Financial Protection Bureau (CFPB) may currently be enforcing consumer protection laws on a very limited basis; however, private litigation risks may increase. Plaintiffs’ attorneys may see the absence of clear federal standards as an opportunity to pursue deceptive practices claims under state law or general consumer protection principles. Financial institutions with outdated or opaque cancellation practices could find themselves defending high-cost lawsuits, even if they are technically in compliance with the current federal regulatory landscape.
Rather than view this decision as a green light to obscure cancellation paths, financial institutions should treat it as a warning to continue to align cancellation practices with fairness, transparency, and ease of use standards to avoid UDAP/UDAAP exposure and non-compliance with other applicable federal and state consumer protection laws.
Banks should consider:
- Reviewing policies and procedures - Determine if any updates need to be made to internal documentation to ensure cancellation processes align with both state and federal regulatory expectations. Document escalation paths for customer complaints related to subscription cancellations.
- Assessing third-party and vendor relationships - Review partner contracts (e.g., identity theft protection, insurance, credit monitoring services). Confirm vendors are compliant with Click-to-Cancel requirements in relevant states.
- Evaluating training needs - Train frontline staff, call center agents, and compliance teams on cancellation processes for applicable products/services. Provide specific guidance on handling disputes and customer complaints related to auto-renewals.
Rather than treating the Eighth Circuit’s decision as the end of the matter, financial institutions should view it as a signal that the compliance environment around subscription cancellations remains unsettled and potentially more complex. The absence of a federal standard increases reliance on existing federal statutes, state laws, and consumer expectations, all of which continue to create meaningful legal and reputational exposure. Institutions that act now to simplify cancellation processes, strengthen oversight of third-party offerings, and prepare for further state activity will be in a stronger position to manage regulatory risk and maintain consumer trust going forward.