
Subscriptions that Last Forever: How Data Protection Rules will Redefine Subscriber Agreements

  • Kshitij Malhotra
  • 2 days ago
  • 6 min read

[Kshitij is a student at National Law University Delhi.]


Auto-renewal of services on the surface sounds like a convenient feature that makes life easier for the ever-increasing number of users adopting and relying on subscription-based models for all kinds of services by reducing renewal inertia. While true, this is only a part of the picture; auto-renewal of subscriptions is said to have caused estimated losses worth GBP 700 million in the UK alone, and about 10% of users have fallen into this trap of an unwanted subscription in the European Union at least once. Regulators across the world (including India) have moved to scrutinise or regulate some forms of auto-pay mandates as ‘subscription traps’.


Despite the scrutiny, a latent issue associated with this practice continues to go under the radar: popular subscription services often set auto-pay mandates for a minimum of 10 years, and sometimes over 25 years, because clauses stating that billing continues until cancellation by the user are baked into subscriber agreements. This practice has largely escaped the same scrutiny as other dark patterns. However, with Rule 8 of the Digital Personal Data Protection (DPDP) Rules 2025 placing a time limit on the duration of the specified purpose, the current formulation of renewal in perpetuity merits reconsideration.


Current Legal Framework behind E-Mandate


To better appreciate the relevance of Rule 8 of the DPDP Rules, this section examines the Central Consumer Protection Authority (CCPA) and Reserve Bank of India (RBI) frameworks before turning to how Rule 8 fits into the picture.


While the CCPA’s guidelines on dark patterns do not recognise the practice in question as a dark pattern, they do mandate that cancelling a subscription should be as easy as signing up [akin to DPDP Rule 3(c)], and that users cannot be forced to provide payment details to access a free trial that would later convert into an auto-mandate. The intent of the regulators behind these recommendations is clear: users should not be forced to pay for something they did not intend to use, and opting out must be made as convenient as possible.


Rules 6(a) and 7 of the RBI’s Master Directions on Digital Payments - E Mandate Framework 2026 directly address some of the issues with this practice by requiring service providers to notify the user 24 hours before and after the amount is deducted. Service providers are bound to argue that this notification is a sufficient safeguard. However, considering the number of misleading and spam communications an Indian user receives in a day, it cannot be ruled out that the notification obligation alone will fail to prevent infinite renewals. This is where Rule 8 of the DPDP Rules bridges the missing link.


When the Party’s Over: Purpose Limitation and DPDP Rule 8


For a non-state Data Fiduciary, consent is a sine qua non for processing data. Since consent under the DPDP Act can only be obtained for a specified purpose under Rule 3(b) of the DPDP Rules read with Sections 4, 5(1)(i), and 8(7), the processing of personal data (i.e. number, card/UPI details) can only be carried out with a specific purpose in mind.


If the user stops logging into the service, a pertinent question arises as to how long the user has actually consented to the data being stored, especially if they have also ignored, for a year, the reminders they would receive under the RBI Master Directions. This is where the mandatory erasure requirement under Rule 8 would arise.


The following interpretation, and the rule’s imposition of a fixed time limit, is a departure from Article 17 of the EU’s General Data Protection Regulation and has attracted criticism for the arbitrariness of that time limit. However, considering how the DPDP Act has doubled as a means to protect child safety on the internet and to protect consumer interests by making opting out as convenient as opting in, the idea of the rule doubling as a consumer safety measure aligns with the larger legislative scheme of the Act to protect data principals’ interests.


When Rule 8(3) of the DPDP Rules is read with Rule 8(1) and the second illustration under Rule 8, it can be interpreted that a data fiduciary must retain a person’s data and associated logs for one year after they were last processed, beyond which the data should be removed, unless required by any other law, if the data principal has not exercised their rights.


The provision and its explanation prima facie use the term ‘at least’ when stating this requirement. However, retention for a period of one year is for purposes under the Seventh Schedule, and retention for longer than one year is only for a requirement under the Third Schedule (or any other law). On this construction of the provision, there is no justification for retaining such data for longer than a year for any specified purpose not covered above when the principal has not interacted with the fiduciary. Consequently, a subscription cannot be extended in perpetuity via contractual agreements: it should be barred from running beyond one year and, in any case, should not be allowed to exceed three years under the current framework.


Data fiduciaries may argue that the renewal of a subscription amounts to the principal engaging with the platform. Such an argument would go against the idea of Rule 8(2), which essentially states that, for a user to prevent their personal data from being erased, the user must log in, get in touch with the data fiduciary for performance of the specified purpose, or exercise their rights as a data principal. Since all three of these require the data principal to take some action themselves, the perpetual and automatic renewal of a subscription cannot be said to satisfy the same.


Therefore, once Rule 8 becomes operational in May 2027, the countdown for mandatory erasure will effectively start ticking from the day the user stops logging into the platform and should end after one year (or three years for entities under the Third Schedule) of inactivity, as the specified purpose of consuming the service is no longer being met.


This would essentially restrict auto-pay from stretching beyond the one/three-year period, and subscriber agreements would need to reflect this purpose limitation by adding a caveat that the subscription will end when the user wishes or on account of inactivity for one year, whichever is earlier. Failure to incorporate the caveat could risk the contract being void under Section 24 of the Indian Contract Act 1872, as the consideration received after the purpose limitation takes effect would become unlawful.


Way Ahead: What Should Fiduciaries Do?


Though schemes by the state will be exempt from any such interpretation by virtue of Section 17 of the DPDP Act, private data fiduciaries will bear the brunt of this development, which risks bringing small-scale savings, SIPs, mutual funds, EMI down payments, and insurance schemes within its umbrella of active renewal (as anything above INR 15,000 would still require Additional Factor Authentication). It could be inconvenient for the user to manually renew such a scheme every few months, and it is therefore suggested that an exemption be considered for banking, investment, and insurance companies. The distinction would also be justified in the larger context, as the diligence exercised by a user in making a financial decision, and the significance of that decision, is ordinarily bound to be higher than when purchasing a subscription service; it would also address some of the criticism of the rule’s arbitrary imposition of timelines.


Additionally, for the platforms that would be expected to comply with the proposed rule, apart from rewording agreements and restricting auto-pay as discussed above, the subscription lifecycle could be organised so that auto-pay is limited to the period specified under Rule 8 of the DPDP Rules. After that period, each user (irrespective of their usage of the service) would be asked by the app, via a front-and-centre pop-up, to confirm whether they would like to continue, and the agreement would carry a clause that the user will be asked to manually renew it once every 12/36 months as a measure to stay on the safe side. The RBI could also consider baking the same restriction into the electronic mandate framework.


Conclusion


Rule 8 of the DPDP Rules, once in force, would shift the burden of subscription management from the consumer to the fiduciary once the tenure for purpose limitation ends. While the current e-mandate framework focuses primarily on transparency through notifications and ease of opting out, the rule will further protect the consumer’s interest by acknowledging that the purpose for which the user signed up is no longer being met.


Considering the convoluted phrasing of the provision and the concerns surrounding it, there is a chance that the provision will later be clarified or that further carve-outs will be introduced. As it stands, however, it is clear that subscriptions are not forever, and fiduciaries must rethink their subscriber agreements and offerings to keep up.



©2025 by The Indian Review of Corporate and Commercial Laws.