Regulation

Governments and regulators are focused on ensuring consumers enter into fair and transparent contracts. As consumer protection regimes are being toughened, their interplay with cybersecurity and data protection regulation is presenting a complex regulatory landscape for businesses to navigate.

Consumer protection

Consumers who sign up to subscriptions for goods or services benefit from consumer protection laws governing the information that must be provided on price, contract length and cancellation and refund rights.


Consumer credit

Many subscription services involve activity that may be classed as the provision of financial services – including the provision of goods through a subscription that constitutes a hire agreement or a credit agreement. 

Businesses can navigate this issue in different ways. In some cases, a subscription service can be structured to avoid such issues, or a subscription business could use an authorised third party provider of financial services. In other cases, the subscription business determines that the benefit which will accrue to it is worth the regulatory and compliance burden of obtaining authorisation itself.

In the UK, a hire or credit agreement is regulated under the Consumer Credit Act 1974 and requires Financial Conduct Authority authorisation. The FCA aims to ensure that organisations assess consumers properly to ensure that they can repay their loans, and that consumers who fall into arrears are treated fairly when organisations collect their debts.

An FCA-commissioned review has also proposed that ‘buy-now-pay-later’ subscription products, also known as ‘deferred payment credit’, should be the subject of specific regulation, which is expected to come into force in 2023.

Contracts

Consumers rarely get to negotiate contracts with businesses, particularly contracts formed online. Consumer law attempts to address this imbalance between the consumer and a business in several ways. In the UK, for example, the terms of consumer contracts must be transparent and fair.


Cybersecurity

The heart of a successful subscription business is its data. Given the confidential and personal nature of information processed by subscription businesses, cybersecurity and safe data management are key considerations.

While all businesses are at risk of cyber-attacks, the subscription model can present some particular vulnerabilities. Online subscriptions can be subject to phishing, account takeovers, reselling and password selling or sharing.  

Data protection

The collection and safe handling of personal data also present significant security and regulatory issues, particularly for companies that have not previously been major data processors or controllers. But all businesses need to keep up to date with regulatory changes.


Digital

The EU’s Digital Services Act and Digital Markets Act contain rules which could affect businesses offering subscriptions. For example, the DSA prohibits so-called ‘dark patterns’ where an online interface is designed in a way that deceives or manipulates its recipients or materially distorts or impairs their ability to make free and informed decisions.

The DSA cites “making the procedure for terminating a service more difficult than subscribing to it” as an example of a practice where such dark patterns could materialise, and one on which the European Commission may issue further guidance in future.

The applicability of certain obligations in the DSA and DMA can depend on the role, size and impact of an online business, so it is crucial that online businesses offering subscriptions carefully assess which of these digital rules apply to them when implementing them.

 

Key contact

Clive Gringras
Partner
Head of TMT
London
T +44 207 067 3189