May 28, 2026

EU Withdrawal Button, UK Subscription Rules, and Data Protection Risks for U.S. Online Sellers

Advisory

Introduction

Regulators are intensifying scrutiny of subscription practices worldwide, as we previously highlighted in our discussion of U.S. developments, and the European Union (EU) and United Kingdom (UK) are now moving aggressively ahead of the United States. In the EU, Directive 2023/2673 comes into force on June 19, 2026, requiring all businesses that sell online to EU consumers to provide a mandatory digital withdrawal function for consumer (B2C) contracts. In the UK, the Digital Markets, Competition and Consumers Act 2024 (DMCCA) will introduce new rules for subscription contracts effective Spring 2027. Together, these represent the most significant overhaul of online consumer law in over a decade. Both also carry data protection implications that may not be immediately obvious.

1. The EU Withdrawal Button (Effective June 19, 2026)

Who Does This Apply to and What Is Required?

Directive 2023/2673 amends the Consumer Rights Directive (2011/83/EU) (CRD) by introducing a new Article 11a. Its central principle is that withdrawing from a contract must be no more burdensome than concluding one. The obligation applies to any B2C distance contract concluded via an online interface (i.e., website, mobile app, or other software-based purchasing environment) where a statutory right of withdrawal exists. It applies regardless of where the seller is based, meaning that U.S. and UK retailers that target EU consumers are in scope. Contracts for which no right of withdrawal arises (bespoke goods, perishable items, sealed hygiene products, and certain digital downloads) fall outside of the new requirements.

The withdrawal function must be clearly labeled with wording such as “withdraw from the contract here” or a close equivalent, and must remain accessible throughout the consumer’s 14-day withdrawal period. It must link to a structured two-step confirmation process, and must trigger an automatic confirmation email to the consumer without undue delay. Accordingly, a PDF form in the terms and conditions, or an instruction to email a returns address, will not comply.

Enforcement

Non-compliance exposes businesses to enforcement action in each EU member state. Competitors and consumer protection associations can also bring cease-and-desist proceedings. Member states were required to transpose the directive by December 19, 2025.

The Data Protection Dimension

The withdrawal button is not merely a user experience feature; it is a data processing operation. Linking a withdrawal to a specific consumer and contract requires the processing of personal data (name, contact details, or order reference), which must have a lawful basis under the European General Data Protection Regulation (GDPR). Article 6(1)(b) (performance of a contract) will generally apply, but the processing must be documented in the Article 30 record of processing activities (ROPA), and privacy notices must be updated accordingly. The data minimization principle under Article 5(1)(c) also applies: only data genuinely necessary to identify the consumer and the relevant contract should be collected.

2. The DMCCA Subscription Regime (Spring 2027)

Background

The DMCCA’s consumer protection provisions came into force in April 2025, introducing rules on drip pricing and fake reviews and giving the UK Competition and Markets Authority (CMA) direct enforcement powers, including fines of up to 10% of global annual turnover. The subscription contracts regime, the most operationally complex element, has been delayed repeatedly. The government’s April 2026 consultation response confirmed a spring 2027 commencement, with further guidance to follow. The regime applies to consumer contracts that auto-renew indefinitely, that auto-renew after a free or discounted trial, or that are for a fixed term with auto-renewal. Financial services, utilities, and certain regulated healthcare contracts are excluded, as are certain charitable and cultural membership organizations. Non-UK businesses targeting UK consumers are in scope.

Key Obligations

Four categories of obligation apply, which are as follows:

  1. A new standalone pre-contract disclosure within the purchase journey, setting out subscription-specific key terms: price during any trial and thereafter, auto-renewal date, and how to cancel. 
  2. Two 14-day cooling-off periods: one immediately on entering the contract, and one after a free or discounted trial ends or a longer-term (12+ month) contract auto-renews. 
  3. Renewal reminders containing prescribed information, including the renewal date, amount due, and a warning that the consumer will incur liability unless they cancel. 
  4. A cancellation obligation: cancellation must be straightforward and must not involve unnecessary steps. The “subscription trap” is precisely what the DMCCA is designed to end.

Data Protection

Renewal reminders, cooling-off records, and cancellation confirmations all involve the processing of personal data under the UK GDPR. The same analysis applies as for the EU withdrawal button: lawful basis, data minimization, accurate record-keeping, and appropriate retention schedules. Data protection should be built into the compliance program from the outset, not bolted on at the end of a technology project.

What Should Businesses Do Now?

  1. EU withdrawal button (urgent): Implement the withdrawal function on all online interfaces used for EU B2C sales. Update withdrawal policies, terms and conditions, and privacy notices. 
  2. DMCCA subscriptions (plan now): Audit subscription products against the new regime. Map pre-contract disclosures, renewal reminder processes and cancellation journeys, and begin technology development. Spring 2027 is closer than it appears for businesses with complex digital infrastructure.
  3. CMA compliance: The CMA’s direct enforcement powers are already live. Review consumer-facing practices for compliance with the drip pricing and fake reviews rules now in force.
  4. Data protection: Update GDPR and UK GDPR documentation (records of processing, privacy notices, and retention schedules) to reflect new processing activities under both regimes.

Conclusion

The EU withdrawal button deadline is imminent. The DMCCA subscription regime is not far behind. Both carry real regulatory, financial, and reputational risk for non-compliant businesses, and both require data protection to be treated as an integral part of implementation rather than an afterthought. Businesses that act now, integrating legal, technology, and data protection workstreams, will be significantly better placed than those that do not.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.