Guidance

Compliance Principles for anti-virus software businesses that use auto-renewing contracts

Published 19 October 2021

Introduction

The Competition and Markets Authority (CMA) has published new Compliance Principles for anti-virus software businesses that use automatically renewing contracts with consumers in the UK. These Principles are set out below.

We are calling on anti-virus businesses who use auto-renewing contracts with consumers to review their current terms and practices carefully and, where necessary, change them to help ensure they are treating their customers fairly and align with the Principles. It is important that when carrying out this assessment businesses look at all of their practices in the round and consider the overall impact on their customers.

Why this matters to your business

It is important that your business complies with consumer protection law, otherwise you risk facing enforcement through the courts. Such enforcement may result in you being ordered to change your practices, having to pay money back to your customers or even sanctions such as fines or prison. The CMA has looked at the practices of anti-virus businesses generally in the UK and developed some key Principles concerning auto-renewing contracts. Following these Principles will help you to comply with consumer protection law.

This follows the conclusion of CMA enforcement action earlier in 2021, which led to leading anti-virus software providers (as part of the CMA’s McAfee investigation and Norton investigation) giving formal commitments to make changes designed to make their automatically renewing contracts easier to understand and exit, as well as ensuring customers who auto-renew have extended refund rights.[footnote 1]

What we mean by ‘auto-renewing’ contracts

When people buy anti-virus protection, they may pay to receive it for a fixed period. An ‘auto-renewing contract’ is where, at the end of this period, the consumer automatically continues to be charged to receive anti-virus protection. Often the consumer will continue to be supplied with the anti-virus product, and to pay for this, indefinitely until they take action to end the contract.

Our concerns

Although auto-renewing contracts can provide convenience for your customers, the danger is that they may find themselves: (i) locked into contracts they no longer want or need; and/or (ii) being charged renewal fees they did not expect or at a price which is much higher than expected.

The Principles focus on contracts that auto-renew onto a subsequent contract of one year or more, where the CMA considers that consumers especially require protection to prevent them from being locked into an unwanted contract. However, a number of the Principles will also be relevant where anti-virus businesses offer shorter auto-renewing contracts (for example, where the contract auto-renews on a monthly basis).

The Compliance Principles

These Principles are designed to provide practical advice for anti-virus software businesses to help them to ensure that they comply with consumer protection law, and reduce the risk of facing enforcement action. They are based on the CMA’s interpretation of the law, and in particular what the CMA considers is required for a business to be professionally diligent.[footnote 2]

Professional diligence is an objective standard and applies to all aspects of your business activities. It is intended to reflect what a reasonable person should be able to expect from a fair dealing anti-virus software business. It requires businesses to approach transactions professionally and fairly, to take into account the legitimate interests of consumers and to deal fairly and openly with them. For example, businesses should not design their websites or marketing practices to ‘nudge’ a customer to act in a way that is not really in their interests, or put barriers in customers’ way to hinder them from acting (sometimes referred to as ‘sludge’). Even if other businesses may be engaging in a practice, this does not make conduct acceptable if it is otherwise unfair.

The Principles recognise that there could be a number of ways to achieve compliance with the law, and the examples given are illustrative and non-exhaustive. Ultimately only a court can decide whether a business is breaking the law, and you should keep your practices under review as the law continues to develop.[footnote 3]

When the customer first signs up

Principle 1 – Make sure your customers are able to make a fully informed choice about auto-renewal

Before your customer enters into an auto-renewing contract, give them clear and prominent information about auto-renewal, including: how much they will be charged for the product upon renewal, the length of the renewed contract period and how auto-renewal works.

More likely to Comply

✔️ You give customers a clear, genuine and free-standing choice between ‘opting-in’ to auto-renewal, or instead taking the contract for a fixed period.

✔️ You set out how the auto-renewal will work - including the amount of the renewal fee, when it is charged, the length of the renewed contract period, how the customer can ‘turn off’ auto-renewal after entering the contract and their refund rights after the renewal.

✔️ You set this information out clearly and prominently next to the offer details on your website’s home page and product pages.

Unlikely to Comply

❌ You only provide customers with important information about auto-renewal:

  • if they have to go looking for it, for example by clicking on hyperlinks

  • in an End User Licence Agreement (EULA)

  • where it is obscured by other information, for example: the customer needs to scroll through other, more prominent information to get to it in the small print at the bottom of the webpage; it is buried in a long paragraph; or it is hard to read, in a smaller or less visible font

Principle 2 – Make sure that any price claims you make are accurate and do not mislead your customers

Any price advantage or saving claimed must be genuine. Where you compare the purchase price of the product against a higher price, you must ensure that the price comparison is fair.[footnote 4] For example, you should not give the impression that the price you ordinarily charge for the initial period is a discount or a saving, merely because it is cheaper than the price charged on auto-renewal. This is because, in these circumstances, the price being charged for the initial period is the normal price paid by a consumer when they first buy the product.

More likely to Comply

✔️ You offer a temporary discount for new customers against the price that new customers would normally pay for that product.

Unlikely to Comply

❌ You describe the price at which the product is offered to new customers as a “50% saving”, “50% OFF”, “£X OFF” or similar when this is compared to the higher price charged on auto-renewal.

❌ You compare the price at which the product is offered to new customers against a strikethrough of the higher price charged on auto-renewal or by referring to the amount of the higher auto-renewal price as the ‘WAS’ price.

Principle 3 – Confirm to the customer the key points of the auto-renewing contract

You should give your customers clear and prominent information about what they are agreeing to, immediately before they conclude the purchase (i.e. before they click on the ‘Place my Order and Pay’ button or similar on your website to confirm their purchase). You should also provide an electronic copy of the key information in a confirmation email sent to the customer after the purchase has been completed.

More likely to Comply

✔️ You provide your customers with clear and prominent information on the key things they need to know about auto-renewal[footnote 5] when they first sign up, including:

  • the length of the contract period following auto-renewal
  • how much they will be charged on auto-renewal
  • when the payment will be taken on auto-renewal
  • how they can turn off auto-renewal
  • what options they have to terminate the contract after auto-renewal

✔️ The purchase confirmation email you send your customers also includes clear and prominent links to the mechanism(s) to turn off auto-renewal and to your Refund Policy.

During the contract

Principle 4 – Make sure that your customers can easily turn off auto-renewal

You should provide your customers with a simple and easy way to turn off auto-renewal. It should be at least as easy for a customer to exit the auto-renewing contract as it was to sign up. For example, if your customers can sign up at the click of a button online, they should be able to turn off auto-renewal in the same way. They should not have to phone up a call centre to turn off auto-renewal, and you should not use practices which mislead or pressurise them not to exercise their rights.

More likely to Comply

✔️ You provide your customers with an easily accessible, automated online process which allows them to turn off auto-renewal in a simple and straightforward fashion (such as via an online customer account).[footnote 6]

✔️ You clearly and prominently signpost the process for turning off auto-renewal (such as through FAQs and instructions) on your website and in your customer communications.

✔️ You provide clear and prominent links on your website (such as through a navigation bar on the home page), on the application installed on the customer’s device and in your customer communications to easily access the mechanism for turning off auto-renewal.

Unlikely to Comply

❌ You require your customers to phone a call centre, or to fill in a form, to turn off auto-renewal.

❌ You make it hard for your customers to find information about how to turn off automatic renewal on the website or in other customer communications.

❌ You make it hard for your customers to find and access the mechanism for turning off auto-renewal within the customer’s online account, such as by not clearly and prominently labelling it or only making it accessible by hovertext or a drop down menu.

❌ You give your customers the impression that if they turn off auto-renewal, the product they have already paid for will be adversely affected.

❌ You require your customers to go through an excessive number of steps, or unnecessary steps, to turn off auto-renewal online, for example by requiring them to complete a mandatory free text box or by not giving them the clear and prominent option to turn off auto-renewal throughout the online process.

❌ You use automated messages which seek to dissuade your customers from turning off auto-renewal – for example, by making imbalanced or inaccurate claims about the benefits of auto-renewal or exaggerating the risks of turning it off.

❌ You provide financial incentives to call centre or chat function staff to discourage customers from turning off auto-renewal.

Principle 5 – Remind your customers about auto-renewal in good time before it happens

You should provide your customers with clear and prominent information about the upcoming auto-renewal, including:

  • the amount of the renewal fee
  • the date the renewal payment will be taken and the date the contract will renew (if different)
  • the date by which auto-renewal must be turned off to prevent the renewal payment being taken (if different from the renewal payment date)
  • how the customer can turn off auto-renewal and a link to the mechanism to do so
  • the length of the renewed contract period; and
  • the customer’s right to end the auto-renewed contract and get a refund

More likely to Comply

✔️ You send your customers reminders that their contract is about to auto-renew, in good time before you take the money for the renewal.

✔️ You use communication methods that you think your customers are likely to read or that they have told you are their preferred method(s), and you use a different method if it becomes clear that the customer has not received the message (for example where you get an email bounce back).

✔️ You clearly label the reminder, so that customers can easily identify that it is about their renewal, and you give them clear instructions about what to do to prevent the auto-renewal taking place.

Unlikely to Comply

❌ You hide renewal messages amongst other marketing messages.

❌ You issue reminders about auto-renewal either too far in advance or too close to the renewal date, resulting in your customers either not engaging with the relevant information or having insufficient time to take action.

Principle 6 – Once off, auto-renewal stays off

Where your customers turn off auto-renewal, you should not turn it back on without first obtaining their express consent.

Where a customer has turned automatic renewal off after buying the product, they can reasonably expect that automatic renewal will remain off if, at the end of the fixed period, they choose to manually renew their anti-virus software product for another period.

More likely to Comply

✔️ Where a customer has purchased your anti-virus software and opted out of or turned off automatic renewal, you ensure that automatic renewal remains off if they choose to renew the product manually.

Unlikely to Comply

❌ Where a customer has purchased your anti-virus software and turned off automatic renewal, you then turn it back on again by default, without obtaining their express consent, when they purchase a bolt-on or upgrade to that contract.

Once the contract has automatically renewed

Principle 7 – Give your customers the chance to change their mind

You should inform your customers that their contract has auto-renewed, and provide them with written confirmation. You should also provide the opportunity for an appropriate refund.

More likely to Comply

✔️ You give your customers a cooling off period of at least 2 weeks after they have received their renewal confirmation in which to end the contract and get a full refund.

✔️ You offer your customer an ongoing right to a pro-rata refund throughout the whole period of the renewed contract, especially where auto-renewal was on by default when entering the initial contract.

✔️ You provide written confirmation of the length of the renewed contract, how much has been charged, how the customer can terminate and get a refund, and when the next payment will be taken.

Principle 8 – Make it easy for your customers to obtain a refund if they want one

Where your customers exercise their right to a refund (either full or pro-rata), you should make sure that it is simple and straightforward for them to request this and receive their money back as quickly as possible. Where possible, they should be able to do this online.[footnote 7]

More likely to Comply

✔️ You operate an automated online process which allows customers to terminate their contract and request the appropriate refund without needing to leave your website.

✔️ You require your customer to input only the information essential to process their online refund.

✔️ You clearly signpost this refund mechanism on your website and in communications with customers and provide clear and prominent links for them to easily access it.

Unlikely to Comply

❌ You require customers, in all cases, to phone a call centre or use webchat to obtain their refund.

❌ You require your customers to take unnecessary steps to obtain a refund, for example by requesting information that you already hold or that is not needed to process the refund.

❌ You provide the requested refund after an extensive delay.

Principle 9 – Provide appropriate safeguards for customers who are no longer using the product following auto-renewal

Where it becomes clear that a customer is not using an automatically renewed product, you should take steps to engage with them and you should not assume it is right to continue to take payments if they do not respond.

More likely to Comply

✔️ You operate a system to check whether your customers are actually receiving software updates, so that they have full anti-virus protection.

✔️ Where it becomes apparent to you that a customer has not received the latest updates, you take steps to obtain confirmation from them that they actually want to renew their contract before taking their next payment.

Unlikely to Comply

❌ You continue to take renewal payments from your customers for years without checking that they are using the product.

❌ You fail to take any effective steps to engage with customers who appear not to be using the product, to invite them to receive the relevant software updates, or if they prefer, to turn off auto-renewal (and seek a refund).

  1. Further details of our enforcement action against McAfee and Norton and the undertakings that they provided can be found on the Anti-virus software case page.

  2. Professional diligence is a standard required by the Consumer Protection from Unfair Trading Regulations 2008 (CPRs), regulation 3(3)(a). The Principles also reflect the CMA’s interpretation of the requirements of other provisions in the CPRs (including those dealing with misleading omissions and misleading actions) and the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, as they apply to the anti-virus software market.

  3. The Government has recently consulted on proposals to clarify and strengthen UK consumer protection law in relation to subscription contracts. The Principles referred to in this document reflect consumer protection law as currently drafted and may not reflect any changes to consumer protection law which are introduced as a result of the consultation.

  4. When designing your price promotions you should take into account, in particular, the CTSI Guidance for traders on pricing practices and the sections of the UK Code of Non-Broadcast Advertising and Direct & Promotional Marketing that relate to prices, as amended from time to time. 

  5. Note you must meet your pre-contract obligations under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013/3134 (‘CCRs’), which cover, amongst other things, general information about the contract (in particular Regulation 13 of the CCRs, which covers information that must be provided before making a distance contract). These are outside the scope of these Principles, which focus on auto-renewal. For example, where a 14-day statutory right to cancel the contract after it is entered into exists, customers must be made aware of the conditions, time limit and procedures for exercising that right (Regulation 29 of the CCRs).

  6. This may be in addition to other customer support channels such as telephone, email and web chat that the customer can easily access, if they prefer, to request to turn off automatic renewal. 

  7. This may be in addition to other customer support channels (such as telephone, email and web chat) that the customer can easily access should they prefer in order to make a refund request.