Regulation
Consumer protection
Consumers who sign up to subscriptions for goods or services benefit from consumer protection laws governing the information that must be provided on price, contract length and cancellation and refund rights.
Consumer credit
Many subscription services involve activity that may be classed as the provision of financial services – including the provision of goods through a subscription that constitutes a hire agreement or a credit agreement.
Businesses can navigate this issue in different ways. In some cases, a subscription service can be structured to avoid such issues, or a subscription business could use an authorised third party provider of financial services. In other cases, the subscription business determines that the benefit which will accrue to it is worth the regulatory and compliance burden of obtaining authorisation itself.
In the UK, a hire or credit agreement is regulated under the Consumer Credit Act 1974 and requires Financial Conduct Authority authorisation. The FCA aims to ensure that organisations assess consumers properly to ensure that they can repay their loans, and that consumers who fall into arrears are treated fairly when organisations collect their debts.
An FCA-commissioned review has also proposed that ‘buy-now-pay-later’ subscription products, also known as ‘deferred payment credit’, should be the subject of specific regulation, which is expected to come into force in 2023.
Contracts
Consumers rarely get to negotiate contracts with businesses, particularly contracts formed online. Consumer law attempts to address this imbalance between the consumer and a business in several ways. In the UK, for example, the terms of consumer contracts must be transparent and fair.
Cybersecurity
The heart of a successful subscription business is its data. Given the confidential and personal nature of information processed by subscription businesses, cybersecurity and safe data management are key considerations.
While all businesses are at risk of cyber-attacks, the subscription model can present some particular vulnerabilities. Online subscriptions can be subject to phishing, account takeovers, reselling and password selling or sharing.
Key steps for subscription businesses to reduce the risk of a cyber-attack or other data breach
Assess the risk
Assess the risk, and potential effect, of a cyber-attack or other data breach for the business.
Establish a strategy
Establish a robust cyber risk management strategy and incident response plan, embedding cyber risk management at all levels in the business.
Data protection
The collection and safe handling of personal data also presents significant security and regulatory issues, particularly for companies that have not previously been major data processors or controllers. But all businesses need to keep up to date with regulatory changes.
Digital
The EU’s Digital Services Act and Digital Markets Act contain rules which could affect businesses offering subscriptions. For example, the DSA prohibits so-called ‘dark patterns’ where an online interface is designed in a way that deceives or manipulates its recipients or materially distorts or impairs their ability to make free and informed decisions.
The DSA gives “making the procedure for terminating a service more difficult than subscribing to it” as an example of a practice where such dark patterns could materialise and on which the European Commission may issue further guidance in future.
The applicability of certain obligations in the DSA and DMA can depend on the role, size and impact of an online business, making it of crucial importance that online businesses offering subscriptions carefully consider and assess the applicability of these digital rules when implementing them.