Negative option conundrum: whose rules to follow?

Online marketers who use negative option continuity billing models are subject to strict disclosure requirements under both federal and state consumer protection laws, and are favorite targets of the Federal Trade Commission and state attorneys general. Payment processors that fail to properly police their merchants’ compliance with these laws are equally subject to potential liability under federal law for facilitating consumer fraud by granting deceptive marketers access to the payments system.

Further complicating this landscape, Visa and Mastercard have recently introduced their own new rules for negative option merchants and their acquirers. Word is that nutraceutical/dietary supplement marketers are likely to face particular scrutiny under these rules.

While there are many similarities among federal law, state law and these new card brand rules, there are also many key differences and competing requirements, which means that a merchant may need to structure its negative option billing practices differently depending upon which card the consumer elects to use.

Let’s start with the new Visa rules.

The New Visa Rules for Free-Trial Subscription Merchants

Visa’s updated rules for free-trial subscription merchants will take effect on April 18, 2020. These updates supplement the existing negative option rules, and apply equally to merchants selling either physical or digital goods and services if they offer free trials or introductory offers that roll into an ongoing subscription / recurring agreement. As announced by Visa in June of last year, the new rules will impose the following requirements on these merchants:

Express Consent

Under the existing rules, a merchant must require the cardholder to expressly consent to an ongoing subscription service for recurring payments at the time of enrollment.

Enhanced Notification

The new rules impose additional notification obligations, which also require the merchant to send an electronic copy (i.e., email or SMS / text, if agreed with the cardholder) of the terms and conditions of the subscription service to the cardholder at the time of enrollment—even if no payment is due at the time of enrollment. This must include:

  • Confirmation that the cardholder has agreed to a subscription, unless the cardholder cancels.
  • The start date of the subscription.
  • Details of the goods/services.
  • Ongoing transaction amount and billing frequency/date.
  • Link or other simple mechanism to enable the cardholder to easily cancel any subsequent transactions online.

Merchants must also send an electronic reminder notification (i.e., email or SMS/text) including an online cancellation link at least seven (7) days before initiating a recurring transaction if:

  • A trial period, introductory offer or promotional period has expired.
  • The nature of the recurring agreement has changed (for example, the price or billing period).

Explicit Transaction Receipts

Merchants must disclose the following on transaction receipts:

  • Length of any trial period, introductory offer or promotional period, including clear disclosure that the cardholder will be charged unless the cardholder takes steps to cancel any subsequent transactions.
  • Transaction amount and date for the initial transaction (even if no amount is due) and for subsequent recurring transactions.
  • A link or other simple mechanism to enable the cardholder to easily cancel any subsequent transactions online.

Easier Cancellation / Modification

Merchants must provide an easy way to cancel the subscription or payment method online, regardless of how the cardholder initially interacted with the merchant. For example, the ease of cancellation should be similar to “unsubscribing” from an email distribution list.

Statement Descriptor

An additional descriptor indicating a trial period-related transaction will be required in the Merchant Name field of the Clearing Record for the first financial transaction at the end of the trial period. This descriptor (e.g., “trial,” “trial period,” “free trial”) will then appear on cardholder statements, online banking, mobile apps and SMS/text alerts in the same way discretionary, additional invoice/order numbers appear for ecommerce transactions. Additionally, the Recurring Payment Indicator will be required to be populated for the first transaction, even if the amount is not equal to the usual/ongoing obligation.

Expanded Dispute Rights

The new rules will expand the existing “Misrepresentation” dispute condition for transactions where merchandise or digital goods have been purchased (i) through a trial period or (ii) as a one-off purchase, and the cardholder was not clearly advised of further billing after the purchase date. Merchants may respond by showing they have acted appropriately, provided they can prove: (i) the cardholder expressly agreed to future transactions at the time of the initial interaction; and (ii) the merchant electronically notified the cardholder (based on the details the cardholder provided) before processing new transactions following the trial/promotional period.

Expanded Policy for Negative Option and Up-Selling Merchants

The Global Brand Protection Program includes specific references to two existing business models: “Negative Option” and “Up-Selling” merchants. The Visa Rules will be updated with additional cardholder disclosure and consent requirements that will apply to these business models in all regions. In addition to the requirements outlined in the Visa Rules and Visa’s Global Acquirer Risk Standards, these merchants must comply with all other requirements applicable to the transaction type(s). For example, if a Negative Option merchant operates a recurring / subscription model, they must also comply with all relevant Stored Credential requirements.

Again, these rules will take effect on April 18, 2020.

The new Mastercard rules took effect back on April 12, 2019.

The Mastercard High Risk Negative Option Billing Merchant Rules

Mastercard’s High Risk Negative Option Billing Merchant Rules (the “Negative Option Rules”) are embodied in Sections 5.1.1, 5.4.1 and 6.2.2.1.1 of the Transaction Processing Rules (December 19, 2019) and Section 9.4.10 of the Mastercard Security Rules and Procedures — Merchant Edition (September 10, 2019).

The Mastercard Negative Option Rules apply to Card-Not-Present (CNP) merchants selling physical goods (such as cosmetics, health-care products, or vitamins) on a recurring basis via a subscription service that involves a trial period. They impose several obligations on the merchant:

The merchant must provide a direct link to an online cancellation procedure on the website where the cardholder purchased the product.

For a physical product/sample provided to a cardholder for a trial period, the trial date begins on the date that the cardholder receives the product—not before.

After the trial period has expired, but before charging the cardholder, the merchant must obtain the cardholder’s explicit consent to the initial recurring transaction based on the merchant’s disclosure of the following information: (1) the transaction amount, (2) the payment date of the transaction, (3) the merchant’s name as it will appear on the cardholder’s statement, and (4) easy to follow instructions for canceling the subscription and terminating recurring payments.

Any time a charge is approved, the merchant must provide the cardholder with an electronic receipt that both states the cancellation policy and includes instructions on how to cancel the subscription. Likewise, any time a charge is declined, the merchant must provide the cardholder with an electronic receipt that states the reason why the authorization was declined (e.g. insufficient funds).

Finally, the merchant must provide the cardholder with written confirmation in either hard copy or electronic format when either or both of the following events occur: (1) the cardholder’s trial period expires; and/or (2) the recurring payment transaction cycle has been terminated by either the cardholder or the merchant.

The Negative Option Rules also impose several obligations on the acquirer.

Before an acquirer may process non-face-to-face high-risk negative option billing transactions, the acquirer must register the merchant in the Mastercard Registration Program. The acquirer must also register any third-party service providers with access to account data (e.g. shopping carts, CRMs).

The acquirer must use MCC 5968 (Direct Marketing—Continuity/Subscription Merchants).

The acquirer must monitor authorization transaction messages to identify when the same account number appears among different high-risk negative option billing MIDs in the acquirer’s portfolio within 60 calendar days. In such cases, the acquirer must reach out to the merchant to verify that the sales were bona fide.

Finally, at the time of registering the merchant, the acquirer must have verified that the merchant’s activity complies fully with all laws applicable to Mastercard, the merchant, the acquirer and any prospective customer. This means verifying the merchant’s compliance with the Negative Option Rules, as well as applicable federal and state laws, such as the Restore Online Shoppers Confidence Act (“ROSCA”) and the California Automatic Renewal Law (discussed below).

So what does this last provision mean for merchants and acquirers?

ROSCA and the California Automatic Renewal Law

ROSCA embodies the federal law in this area. ROSCA prohibits charging consumers for goods or services sold in transactions effected on the Internet through a negative option feature unless the seller (1) clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information, (2) obtains the consumer’s express informed consent before making the charge, and (3) provides a simple mechanism to stop recurring charges.

California’s Automatic Renewal Law (Business and Professions Code Section 17600 et seq.) is even more exacting, and has been the go-to standard for evaluating merchant compliance. The California statute applies to any Internet-based offer made to a California resident. It requires the advertiser to clearly and conspicuously disclose the complete terms of the negative option offer, either in “larger type than the surrounding text,” or, if the same size as surrounding text, then in “contrasting type, font, or color” or “set off” by markings, “in a manner that clearly calls attention to the language.” This minimum mandate of “equal or greater size” is more precise and inflexible than the FTC’s “clear and conspicuous” standard, and generally ensures compliance with the FTC standard.

In addition to the clear and conspicuous disclosure requirements, California’s Automatic Renewal Law requires businesses to (1) obtain the consumer’s affirmative consent to the agreement (e.g. scrolling through the text of the agreement, and selecting the “I Agree” button) prior to completing the subscription purchase transaction, and (2) provide the consumer with an acknowledgement that includes the automatic renewal or continuous service offer terms, and cancellation policy and instructions for canceling, in a manner that is capable of being retained by the consumer. If the offer contains a free trial, the acknowledgment must also disclose how to cancel to avoid paying for the goods or services. Finally, if there is a material change to the terms of the automatic renewal offer (such as pricing), a business must provide the consumer with prior notice of the change and how to cancel before the change takes effect in a manner that is clear and conspicuous.

As of July 1, 2018, the California Automatic Renewal Law also requires that the business provide consumers with a mechanism for canceling the recurring billing plan online. Allowing consumers to cancel via email is acceptable so long as the business also provides a template for the cancellation email.

So Which Do I Follow?

Navigating these conflicting rules and laws is not a simple task. Indeed, a merchant may need to structure its negative option billing practices differently depending upon whether the consumer uses Visa or Mastercard to pay.

For example, the Visa and Mastercard rules alike apply to merchants that offer free trials that convert into an ongoing subscription. However, unlike the Mastercard rules, the Visa rules also apply to merchants that offer upsells and use negative option billing without a free trial. Both sets of rules apply to physical goods, but the Visa Rules also apply to digital goods and services. Both sets of rules require express consent. However, Visa requires the merchant to obtain the cardholder’s consent before the initial transaction/trial begins, whereas Mastercard requires the merchant to obtain the cardholder’s consent after the trial has ended but before the card is charged.

Adding in federal and state law requirements may mean additional disclosures. For example, while Mastercard requires the merchant to obtain the cardholder’s consent after the trial has ended, but before the card is charged, ROSCA requires the merchant to clearly and conspicuously disclose all material terms of the transaction before obtaining the consumer’s billing information.

The problem is even more complex for acquirers. Absent rigorous underwriting procedures that go well beyond a mere review of the websites disclosed in connection with the merchant application, they may not even know the merchant is engaged in negative option marketing. Why? Because experienced fraudsters—who also like to use negative option billing—are likely to use “shell companies” and “bank pages” to conceal the true nature of their activities.

I routinely review negative option billing practices for compliance with card brand rules and applicable law, and can help you navigate these issues. Feel free to email me at bcebeci@romeandassociates.com to schedule a consultation.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law, Digital Marketing and FTC Issues.
