California Automatic Renewal Laws and Recent Litigation

Automatic renewal contracts have become ubiquitous in our everyday lives; however, few give thought to the laws and regulations governing them. The federal government has regulations governing automatic renewal contracts[1], and most states similarly have laws governing automatic renewal contracts, or automatic renewal laws (“ARL”). Perhaps unsurprisingly, in 2009 California enacted one of the strictest ARLs, intended to end the practice of charging consumer credit cards without a customer’s explicit consent for ongoing shipments of product or deliveries of a service.[2]

What is an Automatic Renewal Under California’s Automatic Renewal Law?

An “automatic renewal” is defined as “a plan or arrangement in which a paid subscription or purchasing agreement is automatically renewed at the end of a definite term for a subsequent term.”[3]  Similarly, a “continuous service” is defined as “a plan or arrangement in which a subscription or purchasing agreement continues until the consumer cancels the service.”[4]  While these definitions may appear to be esoteric, we encounter a number of automatic renewals or continuous services in our everyday lives – everything from meal kit boxes such as HelloFresh and Blue Apron, to monthly subscription boxes like Birchbox or LootCrate, to digital subscription services like Netflix, Hulu, Apple Music, or Spotify.

What Does California’s Automatic Renewal Law Require?

If a business wants to offer an automatically renewing contract it must:

  1. Clearly and conspicuously disclose, before a contract is fulfilled, the “automatic renewal offer terms” or “continuous service offer terms” of the contract;
  2. Obtain the “affirmative consent” of a customer to the “automatic renewal offer terms” or “continuous service offer terms”;
  3. Disclose any cancellation policies; and
  4. Provide notice of any “material changes” to the terms of the “automatic renewal offer terms” or “continuous service offer terms”.[5]

What Terms Must Be Disclosed Under California’s Automatic Renewal Law?

The California automatic renewal law requires that “automatic renewal offer terms” and “continuous service offer terms” be disclosed in a clear and conspicuous manner before the contract is made or fulfilled, and that they include:

  1. That the subscription or purchasing agreement will continue until the consumer cancels;
  2. A description of the cancellation policy that applies to the offer;
  3. That reoccurring charges will be charged to the consumer’s credit or debit card or payment account with a third party as part of the automatic renewal plan or arrangement, and the amount of the charge;
  4. The length of the automatic renewal term; and
  5. The minimum purchase obligation.[6]

In 2018, the California ARL was amended to provide that if the offer includes a free gift or free trial, then it must clearly and conspicuously notify the customer of the price that they will be charged and when the free trial expires.

What Happens If My Business Does Not Comply with California’s Automatic Renewal Law?

The California ARL does not provide for a private right of action, meaning a California resident cannot directly sue a business for violating the automatic renewal law.  The law simply provides that “all available civil remedies that apply to a violation of [the California ARL] may be employed.”[7] 

That is not to say that the California ARL is without teeth. To be sure, an organization known as the California Auto Renewal Task Force (CART), made up of District Attorneys from a variety of Californian counties, has filed numerous actions against businesses for allegedly violating the ARL. An action brought by CART recently settled with the business agreeing to pay $400,000 in penalties and an additional $150,000 in restitution for violating the California ARL by failing to get the customers’ affirmative consent as outlined above.[8]

Are There Any Other Concerns If My Business Engages in Automatic Renewal Contracts?

In addition to California, the federal government may impose regulatory requirements regarding automatic renewal contracts of which your business should be aware. Under the Restore Online Shoppers’ Confidence Act (ROSCA), the Federal Trade Commission is tasked with investigating businesses who fail to:

  1. Clearly and conspicuously disclose material terms of the contract, such as whether it is reoccurring;
  2. Obtain the consumer’s express and informed consent before making a charge; and
  3. Provide a simple mechanism to stop reoccurring charges.[9]

A recent case involving a California-based company, Age of Learning, Inc. d/b/a ABCmouse, resulted in a $10,000,000 settlement after the FTC alleged that ABCmouse failed to provide a sufficiently simple mechanism to stop the reoccurring charges for educational content.[10]

As transparency remains a cornerstone of compliance initiatives, whether under California’s ARL or ROSCA, it is critical for businesses to have a great foundation for their business before scaling to avoid potential settlements or fines. Our experienced litigation and compliance attorneys at Octillo can help your business navigate the complexities of drafting appropriate notices, or handling litigation resulting from California’s or any other state’s ARL.

*Attorney Advertising: Prior results do not guarantee a similar outcome. 

[1] See, e.g., Section 5 of the FTC Act, 15 U.S.C. § 45(a) (regulating unfair or deceptive practices); Restore Online Shoppers’ Confidence Act (ROSCA), 15 U.S.C. § 8403 et seq. (prohibiting charging customers unless there has been clear disclosure of, and express consent to, the material terms).

[2] Cal Bus & Prof Code § 17600 et seq.

[3] Cal Bus & Prof Code § 17601(a).

[4] Cal Bus & Prof Code § 17601(e).

[5] Cal Bus & Prof Code § 17602.

[6] Cal Bus & Prof Code § 17601(b)(1-5).

[7] Mayron v. Google LLC, 54 Cal. App. 5th 566, 570 (2020); Cal Bus & Prof Code § 17604(a).

[8] DA Announces Consumer Protection Settlement In Auto-Renewal Case (Mar. 7, 2021 at 5:48pm),

[9] 15 U.S.C. §§ 8401-8405 et seq.

[10] See FTC, $10 million ABCmouse settlement: Avoiding auto-renewal traps (Sep. 2, 2020 at 12:10pm),

TCPA Considerations When Starting Your SMS Marketing Campaign

Consent is the cornerstone of compliance with the Telephone Consumer Protection Act (“TCPA”). It is imperative that business and marketing teams have a strong understanding of this before incorporating text messaging or automated calls into their marketing campaigns. Similarly, it is critical to understand when prior express written consent is required, whether any exceptions may apply to your text messaging campaign practices, the importance of documenting consent, and other best practices that can be leveraged for obtaining prior express written consent in an online environment.

Understanding the TCPA

The TCPA was enacted in 1991, amending the Communications Act of 1934, and sought to restrict unwanted telephonic solicitations from companies.  The TCPA grants the Federal Communications Commission (“FCC”) the authority to develop rules related to telemarketing, the use of automated telephone dialers, artificial or prerecorded voice messages, SMS text messages, and fax machines. 

Many businesses leverage text messaging or SMS marketing to reach out to current and potential customers. While this can be a great marketing tactic, careful attention should be paid when using SMS text messages to communicate with customers, even where a preexisting business relationship exists, as there are steep penalties involved for initiating improper text messages or calls. In fact, the statute provides for damages in the amount of $500 per improper text message, which can quickly add up when you are sending them out en masse. With these hefty fines, compliance with the TCPA should be taken into consideration before embarking on any SMS text messaging campaign.

Affirmative, Written/Digital Consent & Opt-Out

Under the TCPA, it is mandatory to obtain affirmative written or digital consent before sending promotional SMS text messages. As such, you always want to be sure your teams are obtaining that consent before beginning any SMS text messaging marketing campaign.

In Vandenberg & Sons Furniture, Inc. v. Alliance Funding Grp., a California corporation that provided financing for equipment leasing to small businesses sent a fax in 2012 to a Michigan corporation in the furniture business. No. 1:15-CV-1255, 2021 WL 222171 (W.D. Mich. January 22, 2021). At the bottom of the two-page fax, there was an opt-out notice that provided the fax recipient with instructions on how to opt out of future fax advertisements. Id. Over the next four years, the equipment leasing business sent out hundreds of thousands of fax advertisements to the furniture business and others. Id. The Western District of Michigan recently held that, as the equipment leasing business failed to show any evidence it had obtained affirmative written consent from the individuals it sent faxes to, a class potentially worth over $100 million could be formed. Id.

Best SMS Practices to Follow for Text Marketing

As stated, obtaining (and documenting) proper consent is foundational. One recommendation for obtaining affirmative consent is to present a just-in-time notice at the point of collection of a telephone number. A small dialogue box should confirm that the individual is authorizing the collection of the phone number and consents to be contacted by text messages. The TCPA recommends marketers retain the consent for a minimum of four years. This affirmative consent needs to be duly signed by the customers, which can be written, digital or a simple opt-in for a campaign. Moreover, under the TCPA, customers must also be provided with an option to opt out of any such marketing campaign, being presented with the choice of continuing to receive messages.

To best align with TCPA guidelines, here are some additional best practices that your business should be following when undertaking text messaging as part of your marketing campaign:

  1. We recommend mentioning the details regarding opting out of your campaign at least once every month.  Include a small message addressing the same at the end of your marketing text.
  2. Look into the opt-out requests and process them as soon as possible (it is advisable to acknowledge in real time).  This provides your customers with a sense of reassurance and makes your activities more organized.
  3. Along with the details regarding opting out of your campaigns, it is important to include contact details for your customer care services at least once every month.  If the details are precise, you can add them to every marketing SMS you send to your customers.
  4. Always keep track of an opt-out request once it has been received. Ensure all the procedures are carried out efficiently and the concerned customer is successfully opted out of receiving your messages. Also, inform the customer through a final SMS, confirming the fact that they will stop receiving similar messages from you in future. It is also advisable to provide details of opting back in for your SMS campaign, in case the customer feels the need to do so in future.

Like many areas of compliance, building an infrastructure within your organization to address the new and evolving legal landscape surrounding the use of text messages under the TCPA can help your business stay ahead of the curve and prevent costly litigation. Being proactive and building robust and scalable policies into the foundation of your organization will help mitigate legal risk. Our TCPA team has handled numerous class action litigations in this space and can help your business navigate this complex area of the law.

What You Need to Know About Virginia’s New Consumer Data Protection Act

On March 2, 2021, Virginia enacted the Consumer Data Protection Act (the “CDPA”) with the goal of establishing a framework for controlling and processing the personal data of Virginia residents. While the CDPA resembles California’s Consumer Privacy Act (“CCPA”) in some regards and resembles the European Union’s General Data Privacy Regulation (“GDPR”) in others, the CDPA is likely the first step in a line of new state laws governing the processing of consumers’ data. As such, companies should use this time to familiarize themselves with the intricacies of the CDPA so as to begin to adapt to the intricacies of handling consumer data.

Who Does the CDPA Apply to?

The CDPA applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia, and that:

  1. during a calendar year, control or process personal data of at least 100,000 consumers; or
  2. control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. 

Equally important is who is exempted from the CDPA.  Va. Code Ann. § 59.1-572(A).  To that end, the CDPA does not apply to i) any governmental body within Virginia; ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); or iii) any covered entity or business associate governed by the privacy, security, and breach notification under HIPAA or HITECH.  Va. Code Ann. § 59.1-572(A).

What is “Sensitive Data” Under the CDPA?

Understanding what constitutes “sensitive data” under the CDPA first requires an understanding of what is “personal data” under the CDPA. The CDPA defines personal data as being “any information that is linked or reasonably associated to an identified or identifiable natural person”. Va. Code Ann. § 59.1-571. Nevertheless, personal data under the CDPA does not include de-identified data or “publicly available information”. Id.

The CDPA more heavily regulates a covered business’ processing and handling of sensitive data. Under the CDPA, sensitive data is defined as including:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. the personal data collected from a known child; or
  4. the precise geolocation of an individual.  Va. Code Ann. § 59.1-571. 

Moreover, the CDPA provides certain exceptions for data which is not to be considered sensitive data, including, but not limited to:

  1. protected health information under HIPAA; information used only for public health activities under HIPAA; information derived from any of the health care-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; patient identifying information for purposes of 42 U.S.C. § 290dd-2; information created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.) or the Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);
  2. information collected and maintained as regulated and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.); and
  3. personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.).  Va. Code Ann. § 59.1-571(C).

What is My Business Required to Do if it is a Covered Business?

Under the CDPA, a covered business is required to:

  1. adopt data minimization practices;
  2. disclose their privacy practices through a “meaningful privacy notice”;
  3. implement data security measures;
  4. refrain from discriminating against consumers who exercise their rights under the CDPA; and
  5. obtain consent prior to processing sensitive data, as defined above. Va. Code Ann. § 59.1-574.

Moreover, a covered business may be required to conduct risk assessments on its data protection practices. These risk assessments must be undertaken where the covered business’s activities involve:

  1. the processing of personal data for purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk;
  4. the processing of sensitive data; and
  5. any processing activities involving personal data that present a heightened risk of harm to consumers.  Va. Code Ann. § 59.1-576.

Does the CDPA Provide Any Rights to Virginians?

Under the CDPA, Virginians are provided certain individual rights including:

  1. the right to access their data;
  2. the right to amend their data;
  3. the right to delete their data;
  4. the right to transfer their data; and
  5. the right to opt out of certain uses of their personal data.  Va. Code Ann. § 59.1-573(A)(1-5). 

What Happens If My Business Violates the CDPA?

The CDPA does not contain a private right of action. Va. Code Ann. § 59.1-579(C). As such, enforcement is the exclusive jurisdiction of the Virginia Attorney General. Va. Code Ann. § 59.1-579(A). Under the CDPA, the Virginia Attorney General is required to provide the covered business a letter outlining the provisions of the CDPA that have been, or are alleged to have been, violated. Va. Code Ann. § 59.1-579(B). The covered business then has 30 days to cure any alleged violations. Id. If the covered business cures the alleged violations of the CDPA “and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur”, then the Virginia Attorney General is not to seek statutory damages against the covered business. Id. Nevertheless, if the covered business fails to cure the alleged violations of the CDPA, it may be “subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.” Va. Code Ann. § 59.1-580(B).

When Will the CDPA Become Effective?

The CDPA will become effective on January 1, 2023. Va. Code Ann. § 59.1-581. Moreover, in contrast to the new California Consumer Privacy Rights Act (“CPRA”), the CDPA does not contain a twelve-month lookback period, and thus compliance with the CDPA will only be required moving forward.

What Do I Do Next?

Now is the time to prioritize developing a robust, scalable data privacy program within your organization.  First and foremost, conducting an assessment to determine what laws and regulations, such as the CDPA, CCPA, or GDPR, apply to your organization is a great starting place. Your business may be required to make additional disclosures surrounding your data collection practices and how consumers can exercise certain rights to that data.

Octillo’s dedicated data privacy attorneys routinely provide guidance on various consumer data privacy regulatory regimes and are especially adept at helping your business adapt to the changing legal landscape. We recommend reviewing all cookie consent banners and just-in-time notices to evaluate whether they provide the necessary opt-out consent for targeted advertising as required by the CDPA and other evolving laws. Based on the above, if you believe that the CDPA may impact your business, reach out to Octillo for assistance.

CAN-SPAM, TCPA and CASL – Best Practices for Marketing Teams

Using digital communications to reach customers has never been more popular, especially as the pandemic pushes more businesses to make consumer interactions contactless. From email to SMS, marketing teams have taken business online—but doing so brings a specific set of risks regarding data security and privacy. It is easy to get tripped up if you do not have a good grasp of the basic legal guidelines that govern commercial emails.  

In the U.S., the most relevant law when launching a digital marketing campaign is CAN-SPAM. This law sets the rules that all companies need to follow when sending marketing messages via email. The Telephone Consumer Protection Act of 1991 (TCPA) covers SMS messages and phone calls. Canada’s Anti-Spam Legislation (CASL) covers digital communications originating in that country. If you are wondering why businesses should be paying attention to these regulations, take note: according to the FTC, each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $43,280.

What Kinds of Emails are Regulated?

Under CAN-SPAM, the rules only apply to commercial emails (or Commercial Electronic Messages (CEM) under CASL). These are messages sent with the purpose of advertising or promoting a product or service. When evaluating the overall purpose of an email, it is important to look at the content of the message, hyperlinks and even contact information. In general, ask if the message:

• Includes offers to purchase, sell, barter or lease a product, goods or a service

• Includes offers to provide a business or investment opportunity

• Promotes a person who can do any of the above things

If the email contains both commercial sales promotion and transactional information (a receipt, a confirmation, notifications about an existing subscription or service, etc.), then the email is regulated if the recipient would regard the primary purpose of the email to be commercial in nature.

What About Social Media and Text Messaging?

Messages transmitted via social networking sites are a bit of a grey area. Some federal courts have ruled that CAN-SPAM’s definition of “electronic mail message” includes messages transmitted to a social network user’s inbox, news feed or wall. It is also important to check the terms and conditions of each social media platform you intend to use – many have limits on how marketers can use them.

And because social media, email and SMS marketing are all intertwined, it is important to note that the TCPA restricts telephone solicitations and the use of automated phone equipment. It lays out very strict solicitation rules that require explicit customer consent for commercial SMS messages.

Basic Guidelines for Sending Commercial Emails

If you are ready to draft a commercial email campaign, these 7 basic guidelines outlined by the FTC are a good place to start:

1. Don’t use false or misleading header information in the “From” and “To” lines.

2. Don’t use deceptive subject lines.

3. Identify the message as an ad.

4. Tell recipients where you are located.  

5. Provide a clear way to unsubscribe.  

6. Honor opt-out requests promptly.

7. Monitor contractors or vendors working on your behalf.  

It is important to note that in Canada, marketers must have consent for both commercial email and text messages. If not, you need to send an email requesting express consent or find another way for the recipient to opt in to receive future emails or text messages. A check box at checkout or on your website is not sufficient.

Additional Resources For Marketing

Many businesses, regardless of size, leverage some form of marketing on a regular basis to market and communicate with their client population. Whether it’s regular email marketing newsletters or text messages designed to communicate and market to your customers, there are some best practices that we at Octillo recommend following. Our attorneys are also technologists and certified privacy professionals.

Additionally, our experienced team at Octillo helps clients navigate those rules and any other similar regulations as your organization’s data security and privacy program is evaluated from a compliance standpoint. There are many low-cost, high-impact protective measures that can be implemented with the assistance of counsel to make sure your business has a legally defensible compliance posture.
