US Court nullifies FTC requirement for click-to-cancel

> The FTC is required to conduct a preliminary regulatory analysis when a rule has an estimated annual economic effect of $100 million or more. The FTC estimated in a Notice of Proposed Rulemaking (NPRM) that the rule would not have a $100 million effect.

> But an administrative law judge later found that the rule's impact surpassed the threshold, observing that compliance costs would exceed $100 million "unless each business used fewer than twenty-three hours of professional services at the lowest end of the spectrum of estimated hourly rates," the 8th Circuit ruling said. Despite the administrative law judge's finding, the FTC did not conduct a preliminary regulatory analysis and instead "proceeded to issue only the final regulatory analysis alongside the final Rule," the judges' panel said.

It says it in the article

The fact that it takes more than 24 hours to put a 1 click cancel button is alien to me.

Well, after you factor in some of these companies are probably large corps with layers of middle management. It will probably require at least 3 months of premeetings

Why are you pasting the article when it doesn't include any warnings that were given to the ftc at the time?

Which explains the issue with the law neatly:

1. Not pegged at inflation, so the threshold is continually moving downward. 2. All it takes is a couple of bad actor companies to blow out the threshold. If you take the companies at their word, then you will never get under this threshold. Why trust them?

You must not work on these sorts of systems. It can easily take more than 24 hours. In case you’re genuinely interested in learning more, here’s how it works.

There are good reasons for it working this way, BTW. The needs of a company with hundreds or thousands of people are different than the needs of hobbyists and early-stage startups.

1. A user experience designer analyzes the user flow and decides where to put the cancellation button. They make decision about style, layout, and wording. This isn’t a ton of work, but something so critical to the company’s business and retention numbers will probably involve a lot of review, discussion, and bike shedding. This could easily take 24 people-hours of work on its own.

2. Somebody programs the front-end change. They probably have to put it behind a feature flag so it’s not visible until the back end is ready.

3. Somebody programs the back-end. They think about security, authentication, authorization, CSRF. That’s probably handled, but again, this is a critical feature and deserves extra care.

4. Somebody programs the interface to the company’s internal systems. They’re usually kind of a pain to work with. Billing, marketing, support, customer success. Something probably sends an email to the user. Maybe there’s a follow up flow to try to get them back with a special offer a month later. Etc.

5. The change is tested. Preferably with automated tests, but a feature like this has tendrils into systems throughout the company, and a lot of moving parts, so manual testing is also important. If it goes wrong, it’s a big deal, involving the potential for chargebacks and lawsuits, both of which are expensive at scale.

Throughout all this, you’re dealing with legacy code, because billing is one of the oldest systems the company has, and the one with the most risk of change, so the code is nasty and doesn’t follow current conventions. Every change is painful and tedious.

It’s alien to you that this could take more than 24 hours? At any company of size, I have trouble imagining it taking less.

How many companies of "size" you know of? Because that process looks HORRIBLY inefficient and only primed to extract as much money of the consumer. You just need to put it in the account screen. A big red button. Your _workflow_ is there to make excuses. If the move was the other way, you would gladly pay the cost, but because it actually hurts your "business model" then it is suddenly a problem. No buddy, I call BS on all that, and call BS on the law itself.

It literally says they were warned by the administrative judge that a preliminary regulatory analysis was required to make such a rule.

> Despite the administrative law judge's finding, the FTC did not conduct a preliminary regulatory analysis and instead "proceeded to issue only the final regulatory analysis alongside the final Rule,"

So, you're holding a strong opinion about something that you're completed uneducated about and have no experience with?

ANY software change in a non-hobby business goes through a change process.

One as significant as an entirely new account cancelation flow requires extensive planning, design and testing.

What if you have equipment like a set top box? What if a shipping label needs to be mailed out? What if there are state-by-state regulations that must be complied with? What if you have to issue prorated returns of prepaid subscription fees? What if different accounts have different cancelation terms because of bulk pricing? And a million other things that you have to think about, design for and test.

Of course you can solve all this. But it's certainly not "BS" that it'll take more than 24 hours.

The FTC knew this. They cheated their process to ram through a rule. But you like the rule they tried to cheat to implement, so it's ok then, I guess.

Of course now that the FTC rule is well known, anyone designing a new system would require click-to-cancel. The new burden is low, but at the time the big companies probably spent millions to fix it.

A more extreme example would be the US Clean Air Act and how the EPA extended the rules to regulate carbon dioxide emissions. Obviously going to cost a lot of money, but a necessary change to dodge climate disaster. That rule had to wait for Congress to pass the Inflation Reduction Act to become legal. Hopefully this minor consumer protection rule will be supported by Congress as well.

For the types of issues we’re discussing here, we’re talking about companies making more than $50mm yearly, which is about 75-100 employees. So successful small businesses and larger. I don’t have exact numbers, but this size business is very common. Most professional programmers will have seen the issues I’m talking about.

We are assuming the calculation for the number of companies affected is correct. If they are using a provider like Shopify or a WordPress plugin, the cost will only be to upgrade the plugin.

I don't know that the backend is necessarily needed. If the button only opened a support ticket/sent an email then the rest can be done by the employees who already processed cancellations on the phone. They just don't need to be on the phone with the customer to do it.

Even a company of 100 people should have a change process. I work in infra mostly and to even shut down a VM that has already been decommissioned I have to go through a change process. You can't have a dozen IT/dev cowboys just doing things they think are fine on a whim because you have to take into account what all the other teams in the company are doing. We've got 30 people in our IT dept and change processes are absolutely crucial to not fucking things up on a regular basis.

Exactly, currently at some point on page 10 of click-throughs, is the "real" cancel button, and essentially you just need to make that the "first" cancel button and link straight to it.

Don’t forget that the FTC’s new rules were about a more than just adding a button to your website. You should go read them, but be warned the pdf is 230 pages long.

Yes, Congress should probably revisit the threshold. But all thresholds are arbitrary, and for this purpose a hundred million is arguably as good as any. It’s not the end of the world if they only do that every few decades. In fact I would argue that instead of being inflation adjusted, the threshold should be adjusted so that the FTC always has to do a review on some percentage of their new rules. But simplicity has a lot going for it too.

> All it takes is a couple of bad actor companies…

Keep in mind that this threshold is not about bad actors at all. It’s about the impact to the legitimate companies that are not defrauding people at all. The FTC estimated that there were over a hundred thousand companies that would be effected by these new rules, and possibly that there were 5× that. As the judge noted, the implementation cost of these new rules would have to be less than $1000 _per company_ in order for it to be below the threshold. That’s two days of an average engineer’s salary, or even less if they’re getting paid well instead of just average. And since the rules involve more than just adding a button to your webpage the work involved would need to be done by more than just an engineer.

And hitting that threshold is no bad thing, since it just means that the FTC has to allow an extra public comment period with the specific purpose of coming up with alternative rules. If any of those alternative rules would be effective but cheaper to implement then the FTC is supposed to drop their own rules and adopt the alternative rules instead. That keeps the cost down for the legitimate companies while still allowing the FTC to go after the illegitimate ones that aren’t going to bother following the rules anyway.