Anti-virus software

The CMA is investigating the anti-virus software sector following concerns that some firms in the industry may not be complying with consumer law.

From:
Competition and Markets Authority
Published
19 December 2018
Last updated
19 October 2021 — See all updates
Case type:
Consumer enforcement
Case state:
Open
Market sector:
Public markets, Telecommunications
Outcome:
Consumer enforcement - undertakings
Opened:
27 November 2018

Timetable

Date Action
19 June 2019 Update on investigation
27 November 2018 Case opened

Publication of Compliance Principles

19 October 2021: The CMA has published new Compliance Principles for anti-virus software businesses that use automatically renewing contracts with consumers in the UK. Following these Principles will help businesses to comply with consumer protection law.

The CMA has written to anti-virus companies across the sector calling on them to review their current auto-renewal practices and terms and, where necessary, change them to help ensure they are treating their customers fairly and align with the Compliance Principles.

This follows the conclusion of CMA enforcement action earlier in 2021, which led to leading anti-virus software providers giving formal commitments (as part of the CMA’s McAfee investigation and Norton investigation) to make changes designed to make their automatically renewing contracts easier to understand and exit, as well as ensuring customers who auto-renew have extended refund rights.

Conclusion of second investigation

14 June 2021: The CMA has accepted undertakings from each of NortonLifeLock Ireland Ltd and NortonLifeLock UK Limited (the Companies) addressing the CMA’s concerns relating to the Companies’ automatically renewing contracts.

This comes just weeks after the undertaking secured from McAfee Ireland Limited making a similar commitment.

The undertakings, which have been offered voluntarily by the Companies, make changes designed to make automatically renewing contracts easier to understand and exit, including:

  • giving customers whose contract has auto-renewed an ongoing right to exit the contract and obtain a pro-rata refund of the amount they have been charged, after their existing refund window has expired. This new right will also be extended to customers who asked for a refund in 2020, but were refused
  • making refunds available through an automated system to make it simple and easy for customers
  • ensuring customers are made aware, up front, that their contract will auto-renew, the price they will be charged for the product upon automatic renewal and when the money will be taken
  • where the price will be higher on auto-renewal, not giving the impression that the initial price represents a saving by comparison
  • contacting customers who have not used their product for a year to advise them of the fact and make clear their options

The undertakings, which reflect relevant differences between the conduct of the Companies and of McAfee Ireland Limited, nevertheless sets common standards across the CMA’s anti-virus investigations.

The undertakings cover when the changes will come into place. For example the pro-rata refund right will be available to customers within 40 days but changes to the refund process will take longer for the Companies to implement, with provision made in the undertakings for the Companies to report to the CMA on their progress.

The undertakings bring to an end the CMA’s investigation and do not reflect either an admission by the Companies of liability or wrongdoing. Ultimately only a court can rule on whether a particular practice infringes the law and no such ruling has been made in this matter.

As was announced in March the CMA took legal action against Norton after it refused to provide outstanding information to assist with its investigation.

Norton raised various legal arguments as to why it thought it didn’t have to provide the information, which the CMA disagreed with. However, as a result of the Companies’ undertakings, the CMA no longer needs the information, and is applying to discontinue this legal action.

Further update on investigation

25 May 2021: The CMA has accepted an undertaking from McAfee Ireland Ltd (the Company) that addresses the concerns that the CMA held in relation to certain of McAfee’s practices relating to its automatically renewing contracts.

The undertaking, which has been offered voluntarily by the Company, covers a range of changes designed to improve the overall function and flexibility of McAfee’s automatically renewing contracts for consumers, including:

  • Giving customers whose contract has auto-renewed an ongoing right to exit the contract and obtain a pro-rata refund of the amount they have been charged, after their existing refund window has expired. This new right will also be extended to customers who asked for a refund in 2020, but were refused.
  • Emailing customers to make them aware of their refund rights, and providing clear information on the McAfee website about the refund rights;
  • Simplifying and streamlining the processes to turn off auto-renewal and obtain a refund. This includes building a mechanism to allow most customers to request refunds automatically;
  • Ensuring customers are made aware, up front, that their contract will auto-renew, the price they will be charged for the product upon automatic renewal and when the money will be taken;
  • Where the price will be higher on auto-renewal, not giving the impression that the initial price represents a saving by comparison.

The undertaking covers when the changes will come into place. For example the pro-rata refund right will be available to consumers straightaway but changes to the refund process will take longer for the Company to implement, with provision made in the undertaking for the Company to report to the CMA on its progress.

The undertaking brings to an end the CMA’s investigation and does not reflect either an admission by McAfee of liability or wrongdoing. Ultimately only a court can rule on whether a particular practice infringes the law and no such ruling has been made in this matter.

Update on enforcement investigation

23 March 2021: The CMA has made an application to the court in respect of an information notice that two of the businesses under investigation, NortonLifeLock UK Ltd and NortonLifeLock Ireland Ltd, have refused to comply with in full.

Press Notice: CMA takes Norton to court for withholding information

19 June 2019: The CMA is continuing to gather and review information. The investigation is currently focused on a number of areas associated with the automatic renewal of subscriptions, including:

  • whether consumers expressly agree to be automatically renewed
  • if there is express agreement to pay a higher price when auto-renewed and if not whether businesses can charge a higher price
  • whether customers can easily prevent renewal
  • whether they should be entitled to refunds if they no longer want or need the service

We have written to a number of anti-virus firms following concerns that some of their practices and terms associated with the automatic renewal of subscriptions may breach consumer law, and we have required them to provide information to understand more about their practices. Once we have completed our analysis of the information and other evidence gathered we will consider what, if any, further action might be required. At this stage, we have not reached a view about whether there have been any breaches of consumer law by the firms currently under investigation.

We have also written to 16 other anti-virus companies across the sector asking them to review their practices and terms and conditions to ensure that they are compliant with consumer law and put them on notice that they could also face an investigation if any consumer law concerns are identified.

Launch of enforcement investigation

19 December 2018: The investigation will examine whether the business practices and terms and conditions associated with the automatic renewal of subscriptions are fair.

In particular, the investigation will consider:

  • whether automatic renewal is set as the default option
  • whether notification of renewal is sent and, if so, the timing of the notification
  • when renewal payments are taken and whether the renewed subscriptions are charged at a different price to the original subscription

We expect to provide an update in early 2019.

Contact

SRO: George Lusty (george.lusty@cma.gov.uk)

Project Director: Jennifer Dinmore (jennifer.dinmore@cma.gov.uk)

Published 19 December 2018
Last updated 19 October 2021 + show all updates

  1. Compliance principles announcement published.

  2. The CMA has accepted undertakings from each of NortonLifeLock Ireland Ltd and NortonLifeLock UK Limited (the Companies) addressing the CMA’s concerns relating to the Companies’ automatically renewing contracts.

  3. The CMA has accepted an undertaking from McAfee Ireland Ltd.

  4. The CMA has made an application to take Norton to court for withholding information.

  5. A progress update on the investigation has been published on the page.

  6. First published.

Contents

Related content