Forced retention of payment methods

Forced retention of payment methods is a common design pattern in which online platforms and payment processors store user payment credentials without offering a clear or accessible way to revoke them. In many cases, cards or payment authorizations remain attached to an account unless a new method is added, or until the entire account is deleted. This design restricts users’ control over their own financial data and can result in unwanted recurring charges.

The issue disproportionately affects individuals with limited financial resources, as well as non-profit or low-budget users, who may lack the legal or technical knowledge required to challenge such systems. This article documents how the practice works, outlines its implications for consumer rights, and presents case studies across multiple services.

How it works[edit | edit source]

In most cases, forced retention of payment methods is implemented through user interfaces that do not allow stored payment data to be removed unless a replacement method is added. Some platforms go further, requiring the deletion of the entire account in order to erase billing credentials.

Another variant involves payment intermediaries (like PayPal), where billing agreements are created automatically during a one-time purchase, without an explicit consent process. These agreements remain active unless manually revoked, which is often hidden behind asynchronous interfaces or inaccessible menus.

Overall, these systems are designed in a way that favors continued billing and makes revocation difficult, non-obvious, or impossible without contacting support.

Why it is a problem[edit | edit source]

Forced retention of payment methods causes long-term risks for consumers by removing their ability to control how and when they are billed. When a person cannot revoke stored card data or stop an ongoing billing authorization, unwanted charges become more likely. This risk increases when services use automatic renewals or hide cancellation options.

Many users are not offered a simple way to delete a card or cancel a billing agreement. This situation puts the burden entirely on the user and punishes those with limited time, resources, or legal knowledge. Some are even forced to delete their entire account or give up access to services just to stop the billing.

These obstacles are often made worse by unclear interfaces, delayed menus, or wording that makes it difficult to understand how to stop payments.

Examples[edit | edit source]

Captivate.fm (Podcast platform)[edit | edit source]

Between December 2024 and May 2025, the user requested the removal of a stored credit card used for monthly billing. The platform required a replacement card to be added before the original one could be removed. As no alternative was possible, the only option left was to delete the entire account. This action resulted in the irreversible loss of all stored content, as well as any communication history with support. The user described this as a last resort to stop further charges, since no clear cancellation path existed within the account settings.

Book Like A Boss (Booking service)[edit | edit source]

In December 2024, the user replaced their card with a debit-only card, assuming no further charges could occur. However, the card continued to be billed monthly until May 2025. The interface offered no option to remove the card without adding another. A message still visible in June 2025 states: "Want to change your card? No problem, just add another one."

Despite a written request sent on May 24, no action was taken, and the billing profile remained active.

Cdiscount & PayPal (Retail / payment platform)[edit | edit source]

On May 28, 2025, a single €7.90 purchase on Cdiscount via PayPal resulted in the creation of a pre-approved billing agreement. The user had not subscribed to any recurring payment, did not agree to such a mandate, and was not presented with any contract or checkbox. Attempts to cancel the agreement on PayPal showed it as ‘pending cancellation’ indefinitely. The section to manage billing authorizations was not immediately visible on the site. It appeared only several seconds after page load, suggesting it was injected via asynchronous JavaScript… likely reducing the user’s ability to act on it.

The user describes this as a technical obfuscation that makes the control over payment settings artificially harder. The only contact attempt with Cdiscount was made via a support form that left no trace, no confirmation number, and no email.

Pattern of friction and discouragement[edit | edit source]

Across all three services, the user describes a consistent pattern in which the resolution of unauthorized or unwanted billing was made progressively more difficult over time. The timeline reveals the following escalation:

• December 2024: First support requests made (Captivate, Book Like A Boss), including a request to remove card details. Initial steps were ignored or rendered ineffective.
• March 2025: Internal account audits and review of bank statements, trying to identify the source of charges.
• May 2025: Profile deletion and new contact attempts. In one case, this led to total data loss. In another, the request was unanswered, and the payment method remained.
• June 2025: A final step was taken: issuing a formal card cancellation to prevent further withdrawals.

In all cases, the process demanded several months of monitoring, multiple contact attempts, and irreversible actions like deleting an account, without ever obtaining a clean or documented resolution from the services involved.

This progression reflects a strategy of friction-based discouragement, whether intentional or not. It increases the user’s emotional and administrative burden, causing delays, hesitation, or abandonment. Some actions (such as using a non-trackable support form, or hiding critical menu items in late-loading interfaces) further amplify this effect by amplifying the user's confusion and reducing trust in the process.

Legal framework[edit | edit source]

Article 6 and 17 of the General Data Protection Regulation (GDPR)[edit | edit source]

These articles define the lawfulness of processing and the right to erasure. If a user requests the removal of stored financial data and the platform refuses unless a new payment method is provided, this may violate both articles.

Article 12 of the GDPR[edit | edit source]

This article requires that any interface related to data control be concise, transparent, intelligible and easily accessible. In one case, PayPal delayed the display of the “automatic payments” menu using asynchronous loading scripts. This made the cancellation option harder to find and act upon.

Article L133-8 of the French Monetary and Financial Code[edit | edit source]

This provision states that any pre-authorized payment must remain revocable at any time before execution. In the case involving PayPal and Cdiscount, the user could not cancel the agreement even though no ongoing service or debt existed.

Article L121-1 of the French Consumer Code[edit | edit source]

This article prohibits misleading commercial practices. Automatically creating a billing agreement without explicit consent or visible contract may fall under this category.

Directive 2011/83/EU on consumer rights[edit | edit source]

This directive requires that any information related to billing, subscriptions or renewals be provided in a clear and accessible way. In all examples cited, such information was absent or concealed.