CMA publishes new Compliance Principles for auto-renewals for anti-virus software

Published on 17 January 2022

The question

What are the key areas of focus for the Competition and Markets Authority (CMA) when assessing the compliance of anti-virus software practices with consumer protection law?

The key takeaway

Anti-virus software businesses using auto-renewing contracts should review their business practices and terms to ensure they are treating customers fairly. Where necessary, they should update practices and terms to ensure they adhere to the new Compliance Principles. The overall impact of all business practices should be considered when making an assessment.

The background

The CMA has published new Compliance Principles for anti-virus software businesses that use automatically renewing contracts. These are contracts where the consumer is automatically charged for continued anti-virus protection at the end of a fixed period. They are usually charged for an indefinite period or until the consumer takes action to end the contract themselves. In December 2018, the CMA launched an investigation into the anti-virus software sector due to growing concerns about the sector’s compliance with consumer protection law. In particular, the CMA wanted to explore whether business practices and terms and conditions relating to the automatic renewal of anti-virus software subscriptions were fair for consumers. Despite the perceived convenience of auto-renewal for consumers, the CMA asserts that these contracts can lead to businesses charging consumers unexpected renewal fees at higher prices or locking consumers into contracts that they no longer want or need. The CMA contacted firms in the sector asking some to provide further detail about their automatic renewal practices and others to review their practices. It put firms on notice that they could face an investigation should their practices be considered non-compliant with consumer protection law.

Following CMA enforcement action in early 2021, leading businesses in the sector, McAfee and Norton, offered undertakings to the CMA that they would improve their automatic renewal practices going forward. This included: giving auto-renewed customers an ongoing right to exit the contract and obtain a refund after their existing refund window expired; improving communications with customers to sufficiently inform them of their refund rights; simplifying processes to turn off auto-renewal or obtain a refund; and generally making automatic renewal more transparent for customers.

The development

The new guidance published on 19 October 2021 brings together the findings of the CMA investigation and general core principles published by the CMA in 2018. The Compliance Principles primarily concern contracts which auto-renew onto a subsequent contract of one year or more. However, the CMA asserts that many of the Principles will be relevant for businesses offering shorter auto-renewing anti-virus contracts. The CMA provides practical advice for anti-virus software businesses, setting out practices which are more likely or unlikely to comply with the principles. Advice to follow includes:

  • give customers a clear, genuine and free-standing choice between “opting-in” to auto-renewal or taking the contract for a fixed period
  • set out how the auto-renewal will work, including key information such as the amount of the renewal fee, length of contract and when it is charged
  • give customers clear and prominent information about auto-renewal when they first sign up and about what they are agreeing to immediately before they conclude the purchase
  • provide a confirmation email after the purchase has been completed, including clear and prominent links to the mechanism(s) to turn off auto-renewal and to the refund policy
  • send reminders to customers in good time when their contract is about to renew, using communication methods they are likely to read or which they “prefer”
  • give customers a cooling off period of at least 2 weeks after they have received their renewal confirmation in which to end the contract and get a full refund
  • operate an automated online process which allows customers to terminate their contract and request the appropriate refund without needing to leave the website.

Why is this important?

The updated Compliance Principles reflect the CMA’s recent focus on further regulating auto-renewal subscription contracts and “subscription traps”, where consumers are automatically kept in subscription contracts they may not want or need to be involved in. They follow on from the proposed government reforms in the BEIS consultation published earlier this year, as discussed in our Autumn Snapshots. The CMA has carried out enforcement actions in both the anti-virus software and online console gaming sectors, so it will be interesting to see how other sectors are impacted by this shift in focus over the coming years.

Any practical tips?

Whether you’re an anti-virus software business or not, the Compliance Principles should be a must-read if you’re offering subscription services. They offer clear guidance and practical examples to all businesses offering auto-renewal subscription contracts. The CMA has its eyes keenly set on tidying up auto-renewal practices, and there’s no better guide for compliance than seeing where others have gone wrong!

 

Winter 2021