The FTC's Click-to-Cancel rule was vacated. Do I actually need to update my cancellation flow in 2026?

Yes, and the reasoning is the inverse of the obvious one. The vacatur removed the rule, not the enforcement authority that would have animated it. ROSCA — the Restore Online Shoppers' Confidence Act — remains in force and continues to authorize the FTC to bring actions against subscription brands whose disclosures or cancellation flows are deceptive. The FTC has used ROSCA aggressively through 2024, 2025, and into 2026 against Match, Chegg, Amazon, and others without ever invoking the Click-to-Cancel rule. State Automatic Renewal Laws — particularly in California, New York, Colorado, Vermont, Illinois, and Minnesota — operate independently of the federal rule's status, and many of them already require click-to-cancel parity, same-medium termination, and clear-and-conspicuous renewal disclosures. A nationally-distributed subscription brand is therefore already governed by a click-to-cancel standard via the most prescriptive state law that applies to its customer base, regardless of what the FTC rule says. The January 2026 ANPRM filed with OMB signals that the agency intends to rebuild the rule, and the new version is likely to be at least as prescriptive as the vacated one. The defensible operating posture is to design to the strictest applicable state standard and apply that uniformly, because the cost of doing so is small relative to the cost of differential state compliance and far below the cost of a single ROSCA enforcement action. The misread that the vacatur was relief has been the most expensive misread in the subscription space this cycle. Operators who paused their cancel-flow migration in July 2025 are the ones who now show up in 2026 enforcement actions because the underlying theory of liability never paused. The correct frame is to treat the vacatur as a noise event in an otherwise continuous enforcement trajectory, finish the migration that was already justified by ROSCA and the state floor, and remove the asymmetry between signup and cancel that animates every action in this space. For the cross-state mapping the United States compliance reference sets out the per-state framework, and the substantive disclosure-language audit should run through the disclosure checker so the language is consistent at signup, in the renewal notice, and in the cancellation confirmation.

What specifically did Match, Chegg, and Amazon do wrong that I should look for in my own flow?

Across the three cases the common thread is designed friction in the cancel path that does not exist in the signup path, combined with disclosure ambiguity at the point of sale, and the diagnostic in each case identified the same handful of design choices any subscription brand should audit against. Match was cited for an auto-renewal disclosure the FTC considered insufficiently clear and conspicuous at the point of subscription, paired with a cancellation flow that routed users through customer service rather than offering a one-click online path. The deceptive theory was that the signup conveyed an impression of easy reversibility that the cancellation flow did not match. Chegg was cited for trial-to-paid conversion mechanics that the FTC alleged did not obtain affirmative consent at the renewal step, combined with cancellation friction that exceeded the signup effort. The theory was signup-cancellation asymmetry as a per se deceptive practice. Amazon Prime drew the most public action for what the FTC characterized as a multi-screen Iliad cancellation flow engineered to deter completion — repeated confirmation screens, retention offers presented as required steps, and dark-pattern micro-copy designed to push users back into the subscription. The theory in that case was that dark-pattern friction in cancellation flows is a per se ROSCA problem regardless of whether the brand disclosed the renewal terms at signup. The diagnostic the three cases produce for any subscription operator is a five-question audit. First, can a user cancel in the same number of clicks they used to sign up. Second, can a user cancel through the same medium they used to sign up. Third, does the cancel path remain accessible while retention offers are presented. Fourth, is the auto-renewal disclosure clear and conspicuous on the same screen as the subscribe button. Fifth, is the trial-to-paid transition driven by affirmative consent or by silent rollover. A no-answer to any of the five maps to a theory of liability currently in use in active FTC litigation. The remediation is not to find a marginally-defensible workaround but to remove the asymmetry — the friction is the enforcement target, and there is no creative way to keep it that survives sustained review. For the broader operational mechanics the SaaS and tech compliance guide covers the SaaS-specific renewal-consent layer, and the ecommerce and DTC compliance guide covers the order-page disclosure layer that DTC subscription brands need to fix in parallel.

How do state Automatic Renewal Laws interact with federal ROSCA enforcement, and which state actually sets my floor?

State ARLs and federal ROSCA enforcement operate as parallel regimes rather than as a hierarchy, and the practical effect for a subscription brand that ships nationally is that the strictest applicable state law sets the operating floor for the whole footprint, while ROSCA sets a baseline of disclosure and consent that applies federally on top of that floor. ROSCA requires clear and conspicuous disclosure of all material terms before obtaining billing information, requires informed consent before charging, and requires a simple cancellation mechanism. The FTC interprets each of those obligations through enforcement, and the active interpretation in 2024–2026 has tracked closely with the vacated Click-to-Cancel rule's substantive requirements even without the rule itself. State ARLs build on top of ROSCA with state-specific requirements that are often more prescriptive. California's amended ARL requires clear renewal-term disclosure at sign-up, pre-renewal notices for longer-term subscriptions, and cancellation through the same medium used to enroll. New York's amended ARL requires electronic cancellation for any electronic signup. Colorado's amended ARL requires renewal reminders before annual rollovers and prohibits forced customer-service cancellation. The interaction matters operationally because there is no choice-of-law shortcut for a national brand: if a customer in California signs up, California's ARL attaches; if a customer in New York signs up, New York's ARL attaches. Operating differential cancellation flows by state of customer residence is mechanically possible but expensive, fragile, and exposes the brand to claims that the lower-prescriptive flow was deliberately designed to evade the higher-prescriptive law. The defensible compliance posture is to identify the most prescriptive applicable state ARL across the customer footprint, design the cancellation flow to that standard, and apply it uniformly. The marginal cost of meeting the strictest standard nationally is small — a few additional disclosure lines, a simpler retention flow, an electronic cancel path — and the protection it provides against forum-shopping enforcement is substantial because state attorneys general can and do bring ARL actions independently of the FTC. The cross-state framework, including the specific elements that differ between California, New York, Colorado, Illinois, Vermont, and Minnesota, is set out in the United States compliance reference , and ongoing amendments to state ARLs should be tracked through the policy tracker so the operating floor is adjusted as new state actions move.

How aggressive should I be about removing retention offers and 'are you sure' screens from the cancel flow?

The aggressive position is the correct one in 2026, and the reasoning is that retention offers and confirmation screens are not per se prohibited but the operational threshold for the friction they can add is low and the enforcement risk asymmetry is severe — keeping a marginally-defensible retention flow saves a fraction of cancellations while exposing the brand to ROSCA or state ARL action whose cost dwarfs the retained revenue. The framework that has emerged from current FTC enforcement is that a retention offer can be presented but must not gate the cancel path; the cancel button must remain available and at least as prominent as the retention offer; the offer must be a single-screen presentation, not a sequence of screens designed to wear down the user; and confirm-shaming language (the classic phrasing where the cancel screen asks whether you really want to give up your savings) falls inside the dark-pattern theory the FTC used against Amazon. The same applies to required surveys, forced rating prompts before cancel, and any micro-copy that conveys urgency or loss in a way that pressures the user to abandon the cancellation. The operational rule of thumb is that any screen the user encounters after clicking cancel which is not the cancel confirmation itself is a candidate for elimination, and the burden is on the operator to justify retaining it. A single in-line retention offer with the cancel button equally available is the highest-friction defensible posture; anything beyond that — multi-screen retention sequences, mandatory surveys, repeated confirmations — is operating in increasingly contested territory. The marginal retention revenue from those mechanisms is small, the cancellation rate suppression from removing them is typically modest in well-priced subscription products, and the cost of being on the wrong side of an enforcement action is materially larger. There is a secondary operational benefit that operators consistently underestimate. Reducing friction in the cancel flow produces a measurable improvement in trial-to-paid retention and in re-subscription rates among users who cancel and later return, because subscribers who cancel cleanly without negative experience are materially more likely to re-engage than subscribers who feel they had to fight to leave. That re-engagement effect, combined with the reduced enforcement exposure, makes the aggressive removal of friction a net positive on the lifetime-value side in addition to the compliance side. The cancel flow should be benchmarked against the AI compliance audit for dark-pattern indicators and the disclosure checker for the confirmation-and-receipt layer, and the broader operating logic for SaaS-specific retention design is set out in the SaaS and tech compliance guide .

Do paid social ads for subscriptions need to disclose auto-renewal terms in the ad itself, or only on the landing page?

The defensible answer in 2026 is both, and the operational reason is that the disclosure obligation attaches at the point the offer is presented to the consumer, which under current enforcement reads as the ad creative itself rather than only the destination, and that paid social and search ads function as offer presentations under ROSCA and state ARL theories regardless of whether the actual subscribe button sits on the landing page. The FTC's current enforcement posture treats the ad as part of the offer flow, and several recent actions have cited the ad framing — particularly free-trial-led copy that does not disclose the recurring-billing nature on the same screen — as part of the deceptive-practice theory. State ARLs follow similar logic: California's amended framework, for instance, requires clear renewal-term disclosure in the offer presentation, and a paid social ad that omits the renewal term while emphasizing the free-trial framing is part of that presentation. The practical requirement is that any subscription ad whose copy emphasizes a free trial, a discount, or a promotional first month should also state the post-trial price, the billing cadence, and the cancel-anytime path, in legible copy that a reasonable consumer can see without expanding the description or clicking through. The acceptable framing is a free trial line that also states the post-trial price, the billing cadence and the cancel-anytime path, rather than a free-trial headline with the recurring-billing detail buried on the destination. Critically, the landing page disclosure must match the ad framing. Drift between the two — a free trial implied in the ad with a different cadence on the landing page, or a price quoted in the ad that differs from the landing — is a creative-to-landing mismatch that surfaces in both platform ad review and FTC enforcement narratives. The disclosure should appear in the visible region of the ad, not only in alt-text or hover states, because the assumed delivery is mobile-first where alt-text and hover are not encountered. For Meta-specific cancellation-flow ad review behavior the Meta rejection triggers guide covers the creative-to-landing match rule, and the cross-platform comparison for Meta, Google, and TikTok subscription-ad expectations is in the platform comparison reference . Validate the disclosure language in the ad copy and on the landing page with the disclosure checker before the campaign goes live so the alignment is verified upfront rather than discovered through review or enforcement.

What happens if my flow is non-compliant — what penalties are SaaS and DTC brands actually paying in 2026?

The penalty exposure for a non-compliant subscription flow in 2026 spans federal civil penalties under ROSCA, state ARL penalties that vary by jurisdiction, restitution to affected consumers, attorney general settlements that can dwarf the underlying violations, and reputational consequences that affect both customer trust and platform ad-account standing — and the modal outcome for brands that draw an enforcement action is not a small fine but a multi-million-dollar settlement with structural remediation requirements attached. ROSCA itself does not carry per-violation civil penalties of the kind the FTC Act authorizes for rule violations, but the FTC has used the FTC Act's general unfair-and-deceptive-practices authority in tandem with ROSCA to seek civil penalties, restitution, and injunctive relief in active subscription cases. State ARLs are more prescriptive on penalty scaling: California's amended ARL allows per-violation civil penalties that can compound across affected consumers, and the California Attorney General has been an active enforcer in the subscription space. New York, Colorado, Illinois, and Vermont have similar penalty scaling tied to per-violation counts. The settlement track that most active cases follow combines a civil penalty, full restitution to affected consumers, and a consent decree that requires structural changes to the cancellation flow and ongoing reporting to the agency, which itself has a long operational tail and constrains future product changes. The under-modeled component of penalty exposure is the secondary effect on platform ad-account standing. A subscription brand publicly named in a ROSCA or state ARL action becomes a brand-safety signal that flows through into ad review on Meta, Google, and TikTok, and accounts with public enforcement actions in their history are reviewed more conservatively on subsequent campaigns. The financial cost of that secondary effect is hard to model but consistently larger than operators predict, because it shows up as reduced reach on otherwise-compliant campaigns over a multi-quarter horizon rather than as a single line item. The defensible posture is to model the all-in cost of a single enforcement action as the civil penalty plus restitution plus settlement-driven remediation plus the multi-quarter platform-standing tail, compare it against the marginal cost of bringing the cancel flow up to the strictest applicable state standard now, and proceed accordingly. The arithmetic favors the migration almost unconditionally for any subscription brand with material national distribution. For the financial-services subset of subscription brands the financial services advertising compliance guide covers the additional licensure and disclosure obligations that compound on top of the ARL baseline, and the live tracking of FTC and state enforcement activity in this space is maintained in the policy tracker .

Your Cancel Button Is the Next FTC Lawsuit (2026 Guide)

Your Cancel Button Is the Next FTC Lawsuit: Subscription Compliance After Click-to-Cancel

Why Vacatur Made Things Worse, Not Better

Most subscription brands read the July 2025 vacatur of the FTC's Click-to-Cancel rule and concluded the pressure was off. That read is wrong, and the consequence shows up in the litigation calendar rather than the rulemaking calendar. The rule is paused; the underlying enforcement authority is not. The FTC kept the Restore Online Shoppers' Confidence Act (ROSCA), the FTC Act, and every state automatic renewal law — and used them through late 2025 and into 2026 to sue subscription brands directly, without the rule, on the same theory the rule would have codified.

Then in January 2026 the FTC filed an Advanced Notice of Proposed Rulemaking with OMB to rebuild the rule. The signal to operators is the inverse of the relief most assumed: the agency is not retreating from cancel-flow enforcement; it is widening it. ROSCA litigation, state attorneys general, and the eventual replacement rule will all converge on the same standard — that cancellation must be as easy as signup, and that the disclosures at the point of subscription must be plain and unburied.

"The rule is paused, but the standard isn't. We expect cancellation to be as simple as the sign-up that started it, and we will use ROSCA and the FTC Act to enforce that expectation while rulemaking continues.
— Federal Trade Commission, public enforcement remarks, Q1 2026"

This guide covers the three active fronts subscription brands need to manage right now — federal enforcement via ROSCA, state Automatic Renewal Laws (ARLs), and the rebuilt rule on the horizon — and gives the cancel-flow audit and ad-creative cleanup that protect revenue across all three. Pre-flight your subscription ad creative with the AI compliance audit and validate every disclosure with the disclosure checker before the next campaign goes live, and map cross-state ARL obligations with the legal compliance scan.

Who Got Sued: Match, Chegg, Amazon

The three cases every subscription brand should read in 2026 are not theoretical. They are live ROSCA and state actions filed against brands whose cancellation flows the FTC or state attorneys general decided were deceptive. The table summarizes the operative facts and the gap that triggered each action.

Brand	Forum	Cited gap	Lesson
Match.com	FTC, ongoing	Auto-renewal disclosure not clear and conspicuous at point of sale; cancellation routed through customer service rather than a one-click path	Disclosure burying plus friction in the cancel path together is a deceptive-experience theory regardless of whether the rule is in force
Chegg	FTC, settlement track	Mismatched signup ease and cancellation difficulty; trial-to-paid conversion without affirmative consent at the renewal step	Signup-cancellation asymmetry is now an enforcement theory, not a policy preference
Amazon (Prime)	FTC, public litigation	Multi-screen "Iliad" cancellation flow allegedly engineered to deter completion of cancel	Dark-pattern friction in cancellation flows is treated as a per se ROSCA problem

The pattern across the three is not novel terminology — it is the practical gap between how the signup flow is designed (frictionless, optimized) and how the cancellation flow is designed (multi-screen, customer-service-routed, confusion-inducing). Where the gap is wide enough to read as a designed friction, the enforcement theory does not need a specific rule to attach. ROSCA and state ARLs are sufficient.

The defensible posture is to assume any asymmetry between signup ease and cancellation ease can be the start of an enforcement narrative. For SaaS-specific cancellation flow design, the SaaS and tech advertising compliance guide covers the trial-to-paid and renewal-consent layer, and for DTC subscription brands the ecommerce and DTC compliance guide covers the order-page disclosure layer.

The State ARL Floor Already Active

The Click-to-Cancel vacatur removed the federal ceiling. It did not remove the state floor. State Automatic Renewal Laws have been on the books for years, several were tightened in 2025 and 2026, and they impose obligations subscription brands operating nationally must meet regardless of the federal rule's status. The state layer is the most consequential active front for the next 12 months.

The states that matter most operationally

California: the 2024 amendments to the California Automatic Renewal Law strengthened the disclosure and consent requirements at the point of sale, required clear notice before renewal at specified intervals, and clarified that cancellation must be available through the same medium used to enroll. Penalties scale with violations.
New York: the 2025 ARL amendments require electronic cancellation for any subscription entered electronically and clarified the disclosure standard at sign-up. Online brands cannot route cancellation through phone-only paths.
Colorado: the 2025 amendments require renewal reminders before annual auto-renewals and clarified that consumers must be able to cancel without speaking to a customer service representative.
Vermont, Illinois, Minnesota: moved in 2025–2026 to tighten the ARL framework with prominent disclosure and click-to-cancel standards in line with the FTC's proposed approach, regardless of the federal rule's status.

The operating implication is that a nationwide subscription brand is already governed by a click-to-cancel standard via the state floor, even with the federal rule paused. The cleanest compliance posture is to design the cancel flow to the most prescriptive state's standard and apply that nationally — the marginal cost of doing so is small, and the protection against forum-shopping enforcement is large. For the cross-state mapping the United States compliance reference sets out the per-state framework, and ongoing changes to ARL enforcement and the federal rule's progress should be tracked through the policy tracker.

The 7-Step Cancel-Flow Audit

The cancellation flow is the operative artifact in every enforcement action. Audit it against the seven gates below before the next billing cycle. Each gate maps to a specific theory of liability used in current ROSCA and ARL actions.

1. One-click parity: the user can initiate cancellation in the same number of clicks they used to sign up. A signup that took three clicks but a cancellation that takes seven is an asymmetry an enforcer will read as designed friction.
2. Same-medium termination: a subscription entered online can be cancelled online without phone, email, or customer service routing. Forcing a call to cancel an online signup is the single most-cited ARL violation.
3. No retention-flow gating: a retention offer (discount, pause) can be offered, but it cannot block the cancel path. The cancel button must remain accessible while the offer is displayed, and accepting the offer must be the affirmative choice rather than the default.
4. Disclosure at point of sale, plain and unburied: the auto-renewal terms, the price after any trial, the billing cadence, and the cancellation method must be clear and conspicuous on the same screen as the subscribe button — not on a linked page, not in a footer, not in a checkbox legend.
5. Affirmative consent at renewal transition: if a trial converts to paid, the conversion must follow affirmative consent, not silent rollover. A renewal notice with a one-click confirm or a pre-renewal reminder satisfies this; passive rollover after a trial does not under several state ARLs.
6. Receipt and confirmation at cancellation: upon cancellation the user receives a confirmation in the same channel as enrollment (typically email) with the date of last access, the end of billing, and any pro-rata refund terms.
7. No dark-pattern micro-friction: no confirm-shaming language ("Are you sure? You'll lose…"), no fake countdown timers, no required survey to complete cancel, no multi-screen confirmation that exceeds the signup screen count.

For the disclosure layer specifically (gates 4 and 6), validate the language and placement with the disclosure checker, and for the broader cross-jurisdiction obligations confirm the flow against the legal compliance scan so the highest-prescriptive state's standard is met nationally.

Subscription Ad Creative Cleanup

The cancellation flow is the second front. The first front is the ad creative that drives the subscription. ROSCA and state ARLs both attach the disclosure obligation to the offer presentation, and that includes the paid social and search ad that fed the signup, not only the landing page. Ads must clearly disclose the auto-renewal and the post-trial price, must not bury the recurring-billing nature behind a free-trial headline, and must lead to a landing page whose disclosure language matches the ad's framing.

The four ad-creative changes to ship before the next campaign

Lead with recurring-billing framing where applicable: if the offer is a subscription, the ad should say so. "Free 7-day trial — then $19.99/month, cancel anytime" is defensible. "Start your free trial today" without the recurring-billing context is not.
Match ad copy and landing-page copy: the price, the billing cadence, and the cancel-anytime language in the ad should appear identically on the landing page. Drift between the two is a creative-to-landing mismatch trigger in Meta's 2026 ad review and a deception theory in ROSCA actions.
Avoid time-pressure micro-copy that obscures the subscription: "Only 3 spots left" or "Today only" on a subscription offer reads as pressure tactics in ARL frameworks and increases enforcement exposure.
Pre-clear the cancel-anytime claim: if the ad says "cancel anytime," the cancellation flow must actually be one-click, same-medium, and friction-free. A "cancel anytime" claim with a multi-screen retention flow is the textbook ROSCA mismatch.

Run the subscription ad creative through the keyword risk checker for time-pressure micro-copy and the AI compliance audit for the landing-page alignment before launch, and confirm cross-platform disclosure consistency on Meta, Google, and TikTok via the platform comparison reference.

Subscription Compliance Checklist

[ ] Cancel flow audited against all 7 gates and brought up to the most prescriptive state standard
[ ] One-click parity verified — signup and cancel click counts match
[ ] Same-medium termination available — online signup, online cancel
[ ] Retention flow does not gate the cancel button
[ ] Auto-renewal and post-trial price disclosed on the same screen as subscribe
[ ] Affirmative consent at trial-to-paid transition, not silent rollover
[ ] Cancellation receipt sent in the same channel as enrollment
[ ] No confirm-shaming language, fake countdowns, or required surveys at cancel
[ ] Ad creative leads with recurring-billing framing where applicable
[ ] Ad copy and landing-page copy match on price, cadence, and cancel terms
[ ] "Cancel anytime" claim only used if the cancel flow is genuinely one-click
[ ] State ARL exposure mapped for California, New York, Colorado at minimum

Don't miss the next policy change.

Subscribe to the Policy Tracker — get weekly digests or instant Pro alerts across all 8 platforms. Or try our free Keyword Risk Checker first.

Subscribe Free

Report Keywords — Run AI Compliance Audit

#FTC#Subscription Compliance#Click to Cancel#Auto Renewal#Negative Option#SaaS#E-commerce#Disclosure Rules#Advertisers#2026 Policy#Compliance Guide 2026

Share This Report

Tweet Share

Your Cancel Button Is the Next FTC Lawsuit: Subscription Compliance After Click-to-Cancel

Why Vacatur Made Things Worse, Not Better

Who Got Sued: Match, Chegg, Amazon

The State ARL Floor Already Active

The states that matter most operationally

The 7-Step Cancel-Flow Audit

Subscription Ad Creative Cleanup

The four ad-creative changes to ship before the next campaign

Subscription Compliance Checklist

Don't miss the next policy change.

Report Keywords — Run AI Compliance Audit

Share This Report

Related Posts

May 2026 Enforcement Digest: Who Got Banned, Fined or Paused Across 8 Platforms

AI Avatars in Your Ads: The June 9 New York Law That Could Pull Your Creative Overnight

Carbon Neutral Is About to Be Illegal in the EU: Greenwashing Cleanup Before Sep 27

Related Resources

All Tools

Platform Guides

Knowledge Hub

Policy Tracker