This article originally appeared in the December 2024 issue of Security Business magazine.
In my June 2023 column, I wrote about an initiative by the Federal Trade Commission (FTC) to modernize the 1973 Negative Option Rule for the digital economy. The proposed amendments are intended to protect consumers from recurring charges for products or services they do not want and cannot readily cancel.
On Oct. 16, 2024, the FTC announced the final rule (now retitled the “Rule Concerning Recurring Subscriptions and Other Negative Option Plans”). The updated rule expands coverage from just negative option purchases made online to negative option programs in any media, including telephone, in-person, and printed material.
The new rule defines the negative option feature as "a contract provision under which the consumer's silence or failure to take affirmative action to reject a good or service or to cancel the agreement is interpreted by the negative option seller as acceptance or continuing acceptance of the offer." This includes automatic renewals, continuity plans, free-to-pay conversions or fee-to-pay conversions, and prenotification negative option plans.
Companies must now make cancellation at least as simple as enrollment. For example, if you enrolled online, you should be able to cancel online and not be required to speak with a live representative. Companies are now required to disclose the terms of the transaction, including the existence of the negative option and how the customer can terminate their agreement, before collecting the consumer's billing address. They must obtain a consumer's consent to the recurring charges and automatic renewals, and maintain proof of the consumer's consent for three years or one year after cancellation.
Security Industry Opposition
The final rule is already subject to legal challenges in the U.S. Courts of Appeals for the Fifth and Sixth Circuits. The petitioners in the Fifth Circuit include the Electronic Security Association (ESA), which joins other petitioners seeking to vacate the FTC’s final rule, arguing that it is arbitrary, capricious, and an abuse of discretion under the Administrative Procedure Act. They also contend that the rule is unsupported by substantial evidence and exceeds the FTC’s statutory authority.
In particular, the ESA and its fellow petitioners argue that a broad application of the new rule is unfair and unnecessary – particularly when applied to certain industries like security. They say the final rule is an attempt to regulate consumer contracts for all companies in all industries and across all sectors of the economy in which the customer purchases a service or subscription that will continue unless the customer exercises the option to cancel.
Not all companies are the same, the ESA argues. A recurring subscription to homemade jelly is not the same as protecting a family or business from intrusion, fire or other hazards. Also, security products and services are not hidden or sprung upon consumers. “Consumers of security systems know every day they have security as they interact with it every time a door is open and home or in the office,” the ESA said in a statement.
Clearly, the new rule has engendered a backlash – including within the security industry. The FTC received more than 16,000 comments on the proposed rule before finalizing it. Some of those comments were heeded; others were not, and many of those unheeded by the FTC are now being advanced in court.
While the outcome of these legal challenges is uncertain, all – or more likely some – of the strict regulations may be struck down or otherwise modified by the courts. Nevertheless, without a stay of the enforcement of the new rule, companies will need to comply. Most of the rule’s provisions will go into effect 180 days after it is published in the Federal Register, which would mean April 14, 2025; therefore, businesses (even security companies) offering recurring subscriptions and memberships must consult with counsel and prepare to comply with the new requirements or risk facing legal and regulatory consequences, including penalties up to $51,744 per violation.
The FTC wants to protect consumers. The security industry wants to protect its customers. Perhaps the litigation will bridge the gap and allow for an appropriate balance of these currently incompatible goals.