Auto‑renewal contracts are permissible in New York, but the practice is tightly regulated. Under the 2022 amendment to N.Y. General Business Law § 349 and the 2025 Consumer Protection Act, businesses must present clear, conspicuous disclosures, obtain affirmative consent, and provide a simple, cost‑free cancellation method. Failure to meet these standards can trigger civil penalties and private actions. Beginning 1 January 2026, the state will tighten the rules further by mandating a 30‑day cancellation window and enhancing electronic‑notice requirements. In short, auto‑renewal remains legal, but compliance costs are rising and the margin for error is shrinking.
Current Legal Framework
New York treats auto‑renewal as a form of “continuous service contract.” The 2022 amendment to § 349 requires that the renewal term, price increase (if any), and the right to cancel be displayed in a type size no smaller than 14 pt and positioned at the point of sale or within the electronic checkout flow. The law also obliges merchants to send a reminder at least 15 days before renewal, using the consumer’s preferred communication channel. Non‑compliance can result in a statutory fine of up to $5,000 per violation and allows consumers to sue for actual damages, attorney fees, and punitive damages (N.Y. Gen. Bus. L. §§ 349‑352).
Upcoming Changes in 2026
The 2025 Consumer Protection Act, slated to be enforced from 1 January 2026, adds three key provisions:
- A mandatory 30‑day opt‑out period after each renewal, during which the consumer can cancel without penalty.
- Expanded notice requirements, requiring both email and text‑message alerts for digital subscriptions.
- A presumption of “unfair practice” if the merchant does not retain a copy of the consumer’s affirmative consent for at least three years.
These changes aim to curb “dark patterns” and increase transparency, aligning New York with the Federal Trade Commission’s recent guidance on subscription traps.
Best Practices for Businesses
- Use plain‑language clauses; avoid legalese that could be deemed misleading.
- Implement a double‑opt‑in mechanism where the consumer explicitly clicks “Agree to auto‑renew.”
- Automate the 15‑day renewal reminder and the 30‑day opt‑out notice; keep logs of all communications.
- Provide a one‑click cancellation link on the consumer’s account page and honor cancellations immediately.
- Retain consent records securely for at least five years to satisfy future audit demands.
How can a consumer prove an auto‑renewal was not disclosed properly?
A consumer can request the merchant’s disclosure documents under the New York Freedom of Information Law. If the merchant cannot produce the required 14‑pt notice or the 15‑day reminder, the consumer may file a claim alleging a violation of § 349, and the courts will consider the lack of documentation as evidence of non‑compliance.
What penalties do businesses face for violating the 2026 rules?
Violations may incur statutory fines of up to $10,000 per breach and allow consumers to recover actual damages, attorney fees, and punitive damages. Repeated offenses can trigger injunctive relief, forcing the business to cease the auto‑renewal practice altogether.
Does the new 30‑day opt‑out apply to all subscription types?
Yes. The 30‑day opt‑out requirement covers both digital and physical goods and services that use auto‑renewal, including software licenses, gym memberships, and magazine subscriptions. Exceptions exist only for limited‑time promotional offers that do not extend beyond the initial term.
Are there any exemptions for small businesses?
Small businesses with annual revenue below $500,000 are exempt from the 2026 electronic‑notice mandate, but they must still meet the basic disclosure and cancellation standards. Failure to comply with the core § 349 requirements still subjects them to penalties.
How should a company update its terms to stay compliant before 2026?
Begin by revising the renewal clause to include explicit price, term, and cancellation language in a 14‑pt font. Add a checkbox for affirmative consent, implement automated reminder systems, and archive all consent records. Conduct a legal audit before the 2025 deadline to identify gaps and remediate them early, avoiding costly retroactive fixes.
