What is the FTC Act?
The Federal Trade Commission Act is the foundational US consumer protection statute, enacted in 1914 and amended several times since. Section 5 of the FTC Act (15 U.S.C. § 45) is the operative provision for digital consent and clickwrap-related enforcement, prohibiting "unfair or deceptive acts or practices in or affecting commerce."
Unlike the ESIGN Act, which establishes federal validity for electronic signatures and records, Section 5 is a deliberately broad standard. It does not specify particular technologies, contracts, or interfaces. Instead, it gives the Federal Trade Commission authority to bring enforcement actions against any business practice that meets the unfairness or deception test, regardless of whether the practice is otherwise lawful under sector-specific rules. For online businesses, Section 5 has become the primary federal vehicle for challenging dark patterns, deceptive subscription flows, and clickwrap interfaces that obscure material terms.
Who does the FTC Act apply to?
The FTC Act applies to persons, partnerships, and corporations engaged in commerce, with the FTC's jurisdiction extending to commercial activity in or affecting interstate commerce. In practical terms, this covers virtually all US online businesses, as well as foreign businesses whose practices affect US consumers.
The Act is applicable when a business:
- Markets, sells, or offers goods or services to US consumers, including through clickwrap-based account creation, checkout, or subscription flows.
- Operates a digital platform that captures user consent or payment information.
- Engages in negative option marketing, including auto-renewing subscriptions, free-to-paid conversions, and prenotification plans.
- Makes representations to consumers about its products, services, privacy practices, or contract terms.
Certain entities are excluded from FTC jurisdiction under the Act, including banks, savings and loan institutions, common carriers, and entities subject to the Packers and Stockyards Act. Most digital businesses, including SaaS, e-commerce, marketplaces, and consumer apps, fall squarely within FTC authority.
FTC Act and Clickwrap Agreements
The FTC Act does not regulate clickwrap design directly, but Section 5 effectively imposes design standards through its prohibition on unfair or deceptive acts or practices. The FTC has used Section 5 to bring high-value enforcement actions against clickwrap interfaces that buried material terms, used dark patterns to manipulate consent, or made cancellation disproportionately harder than enrollment. For online businesses, Section 5 is the federal counterweight to state privacy laws like the CCPA and VCDPA, and a clickwrap that satisfies state consent rules can still be challenged at the federal level if the design itself is misleading.
How FTC Act Affects Clickwrap Design
The FTC's approach to clickwrap is grounded in two principles drawn from Section 5: clear and conspicuous disclosure and the absence of dark patterns. A clickwrap that meets the technical requirements of contract formation can still violate Section 5 if a reasonable consumer would be misled about what they are agreeing to, what charges they are authorizing, or how to exit the agreement.
The location, prominence, and language of any disclosure are central to whether the consent it captures is valid. The FTC's longstanding "Disclosures 101" guidance and the 2022 Dark Patterns Report make that point explicitly. Material terms such as automatic renewal, recurring charges, cancellation methods, and limitations on consumer rights cannot be buried behind a small "I agree to the Terms" link while a large "Continue" button is presented immediately above. The FTC treats that kind of asymmetry as deceptive on its face.
Dark patterns are independently actionable, even where the underlying contract is otherwise enforceable. The FTC has brought enforcement actions against pre-selected upsells, asymmetric opt-in versus opt-out flows, confusing button labels, hidden cancellation paths, and false urgency cues. The Commission does not need to prove that any individual user was actually deceived. The design itself is sufficient if it is likely to mislead a reasonable consumer.
Subscription clickwraps fall within the FTC's negative option rule, finalized in 2024. The rule codifies the click-to-cancel principle: cancellation must be at least as simple as enrollment. A clickwrap that signs a user up for an auto-renewing subscription with one click cannot require a phone call or in-person visit to cancel. Sellers must also obtain express informed consent to the negative option feature before charging, separate from any other product terms, and provide annual reminders for auto-renewing services.
Privacy and security representations made in the clickwrap flow are enforceable as well. Where the agreement or its accompanying notice makes specific claims, such as "we never sell your data," "your information is encrypted," or "we comply with GDPR," the FTC treats material misrepresentations as deceptive under Section 5. This applies even where the underlying practice would otherwise be lawful, and is the basis on which the FTC has pursued companies that misrepresented data security or compliance posture in their consumer-facing materials.
What Must Be Shown Under FTC Act
The FTC does not prescribe a specific clickwrap template, but its enforcement record makes clear what a compliant interface must surface before the user takes the acceptance action:
- All material terms, including price, automatic renewal, recurring billing, cancellation method, return policy, and any material limitations on consumer rights.
- Disclosures placed clearly and conspicuously, in a font, size, and location that a reasonable consumer would notice and read, not buried in dense fine print or behind a footer link.
- Express informed consent for negative option features, separate from acceptance of the broader terms of service, with the specific charge, billing frequency, and cancellation method disclosed.
- The cancellation method, including how the consumer can cancel and confirmation that cancellation is at least as simple as enrollment.
- Any privacy or security claims stated accurately and substantiated, including specific framework compliance (such as GDPR, CCPA, or HIPAA) and specific data handling practices.
- The absence of dark patterns that obscure material terms, manipulate the user toward acceptance, or make rejection disproportionately harder than acceptance.
The FTC evaluates clickwrap interfaces from the perspective of a reasonable consumer acting under the circumstances. Disclosures that a sophisticated reader could find with effort are not necessarily clear and conspicuous if a typical user would miss them.
What Records You Must Keep Under FTC Act
The FTC Act does not impose a specific retention schedule for clickwrap records, but the Commission expects regulated entities to maintain documentation sufficient to substantiate any representations made to consumers and to demonstrate that disclosures and consent flows operated as designed. Many FTC consent orders impose a 20-year recordkeeping requirement as part of the resulting compliance program.
Controllers should retain:
- The full clickwrap interface as presented - Screenshots or reconstructions of the UI for each material version, including the placement of disclosures and the relative prominence of acceptance and rejection controls.
- The complete agreement text - The version of the terms, privacy policy, and any negative option disclosures presented at the moment of acceptance.
- Acceptance event metadata - Timestamp, user identifier, IP address, device information, and the specific consent mechanism used.
- Cancellation flow records - The interface and steps a user encountered when attempting to cancel, including any retention prompts, friction points, or confirmation steps.
- Substantiation for representations - Documentation supporting any specific privacy, security, or compliance claims made in the clickwrap flow, sufficient to defend the claim if challenged.
- Internal testing and design records - User testing results, A/B test outcomes, and design decisions affecting consent flows. The FTC has subpoenaed these records to assess whether a design was knowingly built to mislead consumers.
The records become particularly important during an FTC investigation. The Commission has broad authority under Section 6 to issue civil investigative demands requiring production of documents, including internal communications about how a clickwrap or cancellation flow was designed. Companies that cannot produce contemporaneous records of how their interface looked and operated at the time of the alleged violation are at a significant evidentiary disadvantage in defending Section 5 actions.
