The New EU Right of Withdrawal: A Guide for Online Merchants

What is the right of withdrawal?

The right of withdrawal is one of the EU's strongest consumer protections. It gives any consumer who buys something online, by phone, or through any other distance channel 14 calendar days to change their mind. No reason required. No penalty.

The right has existed since 2011 under Article 9 of Directive 2011/83/EU (the Consumer Rights Directive). It's sometimes called the "cooling-off period." The reasoning behind it is simple: in a physical store, you can inspect the product, ask questions, and speak to a salesperson before committing. Online, you can't. The 14-day window is the EU's answer to that information gap.

The withdrawal period starts:

• For physical goods: the day the customer (or someone they nominate, not the courier) takes physical possession of the goods.
• For services and digital subscriptions: the day the contract is concluded.

If a merchant fails to inform the customer about the right of withdrawal, the window extends by 12 months. That means a customer who was never told about their rights effectively has 12 months and 14 days to withdraw.

When a customer withdraws, the merchant must refund everything within 14 days, including standard delivery costs. The customer typically pays only the direct return shipping costs, unless the merchant agreed to bear them.

‍

What's actually changing on 19 June 2026

This is the part that matters most, and it's frequently misunderstood.

The right of withdrawal itself is not changing. EU consumers still get 14 days. They still don't need to give a reason. They still get a full refund. The substantive law has been in place for over a decade and won't move.

What's changing is the experience. Directive (EU) 2023/2673, published in November 2023 and applicable from 19 June 2026, adds a new Article 11a to the Consumer Rights Directive. Article 11a is the heart of the change. It mandates that every trader concluding distance contracts through an online interface must offer a clearly identifiable, continuously available withdrawal function — what's already being called the "withdrawal button."

In plain language: if your customers can buy from you online, they must be able to withdraw from that contract online too, through a function that's at least as easy to find and use as the checkout flow itself.

‍

Who does this apply to?

The directive's title focuses on financial services, which has led to widespread confusion. The truth is more straightforward and more consequential.

Article 11a is what regulators call a "horizontal" obligation. It applies to every distance contract concluded through an online interface where a right of withdrawal exists. That means:

• Ecommerce stores of all sizes, across categories.
• Subscription services, from streaming to meal kits to memberships.
• Digital products and SaaS sold to consumers.
• Online financial services, including the products the directive was originally drafted for.

The transposition into national law has been consistent across Member States on this point. Germany, France, Italy, the Netherlands, Denmark, Poland, Spain, Ireland and Belgium have all confirmed in their implementing legislation that the obligation applies to consumer-facing online contracts of any kind.

If you sell online to EU consumers in any way, this applies to you.

‍

What the new button has to do

Article 11a sets out a tightly defined two-step flow. There are four substantive requirements.

A clearly labelled button

The withdrawal function must be labelled with the words "withdraw from contract here" or "an unambiguous corresponding formulation." The label has to be easily legible. National regulators are likely to scrutinise creative variations that might soften the action or make it less obvious.

Prominent placement and continuous availability

The button has to be displayed prominently and easily accessible throughout the withdrawal period. That means visible during the full 14 days, not buried in account menus or behind authentication walls. If the contract was concluded on a website, the button has to live on the website. If it was concluded in an app, it has to live in the app. Customers cannot be required to download additional apps, register, or re-authenticate beyond what they already do when logged in.

A two-step submission flow

After clicking the button, the customer must be able to submit an online withdrawal statement. The form can only ask for what's strictly necessary to process the withdrawal: name, an identifier for the contract (typically order number), and an electronic channel for confirmation (typically email). Anything more — additional verification, mandatory surveys, copies of ID — is outside the spirit of the directive and likely outside the letter of GDPR's data-minimisation principle.

The statement is only validly submitted when the customer presses a second function reading "confirm withdrawal" or an equivalent unambiguous phrase.

Automatic acknowledgement on a durable medium

The merchant must acknowledge receipt of the withdrawal without undue delay, on a durable medium. In practice this means an automatically generated email containing the content of the withdrawal statement and the exact date and time it was received. A chat transcript on its own doesn't satisfy this; the customer needs something they can store, retrieve, and produce later if there's a dispute.

‍

What's banned: the friction problem

Article 11a does more than mandate a button. It explicitly prohibits a series of design patterns that have been common in cancellation flows.

The directive, supported by Recital 37 and reinforced by the Unfair Commercial Practices Directive, treats the following as either non-compliant or as misleading practices:

• Paper-only or phone-only cancellation routes as the sole option. The directive's logic is that withdrawal must be at least as easy as the original purchase. If you sold online, you have to allow withdrawal online.

• Buried interfaces. A button hidden in a long T&Cs PDF, reachable only through multiple unrelated menus, or accessible only after solving a verification puzzle won't meet the "prominently displayed and easily accessible" standard.

• Retention pop-ups and confirmation loops. "Are you really, really sure?" prompts after a clear instruction, multi-step retention surveys, and discount offers that delay the cancellation are explicitly cited as banned dark patterns.

• Fake urgency. Countdown timers warning customers they have only minutes to withdraw, or fabricated scarcity around their cancellation, fall within the same prohibited category.

• Over-collection of data. Requesting more information than name, contract identifier, and contact email is unnecessary and risks both directive violation and GDPR consequences.

• Coercive copy. Language designed to make customers feel guilty, foolish, or pressured for exercising their right.

The cumulative effect is clear: friction in cancellation flows, which has been a quiet retention strategy across many industries, is now actively illegal.

‍

The cost of non-compliance

The penalties have real teeth.

Following the Omnibus Directive (2019/2161), Member States are required to set fines of up to 4% of annual turnover in the Member State concerned for widespread cross-border infringements, or up to €2 million where turnover information is unavailable. Several Member States have set higher national ceilings: Germany at 4% of turnover with a €50,000 minimum cap, France at up to €75,000, Italy at amounts determined by the Italian Antitrust Authority case-by-case.

Beyond the fines, there are three less visible but equally significant risks:

• The 14-day clock may never start running. If the merchant fails to inform the customer about the existence and placement of the withdrawal function — which Article 6(1)(h) now requires as part of pre-contractual information — the withdrawal period extends by 12 months. Refund exposure stretches accordingly.

• Civil and class actions. Under the Representative Actions Directive (2020/1828), qualified consumer organisations can bring representative actions across borders for systematic breaches. A single deficient interface can become a multi-jurisdictional proceeding.

• Consumer rights remain valid through any reasonable channel. If the button is missing or broken, customers can still exercise their withdrawal right through any clear statement — email, chat, support ticket — and the merchant has to honour it. The button doesn't replace existing rights; it adds to them.

‍

The part of compliance most teams miss

Most of the public conversation about Article 11a focuses on the website button. That's understandable — it's the visible, designable part of the regulation. But it's not where compliance actually gets tested.

A significant share of withdrawal requests won't come through the button. They'll come through support channels: chat, email, social DM, phone. Customers who couldn't find the button. Customers who'd rather message. Customers who aren't sure whether their order qualifies, or whether they're still inside the 14-day window. Customers who started with the button, got confused, and abandoned it.

For subscription businesses and complex orders, support is where most withdrawals get initiated, not the website.

This matters because the directive doesn't carve out an exception for support channels. The same logic applies: a withdrawal expressed clearly through any reasonable channel must be honoured, with the same protections, the same 14-day timing, and the same durable-medium acknowledgement.

If your support layer — human or AI — obstructs, delays, misinforms, or deflects a withdrawal request, the merchant is non-compliant. The website button doesn't help. What matters is what happens in the chat.

This is especially live for AI support. A chatbot that responds to "I want to cancel my subscription" with an FAQ link, a contact form, or an instruction to email a generic address can put the merchant directly in breach. In Moffatt v. Air Canada (2024), the Canadian Civil Resolution Tribunal held an airline liable for a chatbot's misrepresentation of refund policy, rejecting the argument that the chatbot was a "separate legal entity responsible for its own actions." EU regulators and courts are very likely to apply similar reasoning.

‍

How Mim handles it

This is why we built a Right of Withdrawal procedure into Mim, our AI agent. It's designed to do three things well.

Recognise the request

Customers don't say "I'd like to exercise my right of withdrawal under EU Directive 2023/2673." They say "I want to cancel my subscription." Or "I changed my mind." Or "Can you stop my order." The procedure teaches Mim to recognise all of these in any of the languages it operates in — without requiring the legal term and without depending on a specific phrasing.

Collect what's needed

‍Once Mim recognises the request, it doesn't ask why. Asking for a reason is banned under the directive. Instead, Mim asks for the minimum needed for a human agent to act: order number, subscription ID, or contract identifier — whatever is relevant for the business.

Hand off cleanly

‍Mim doesn't process the cancellation itself. It can't refund the card, close the subscription, or issue the durable-medium confirmation. Those actions require a human agent or a secure backend integration. What Mim does is escalate to a human colleague with a timestamped handoff note containing everything needed to act. The 14-day clock is protected from the moment the customer wrote in. The customer doesn't have to repeat themselves.

The procedure is one of Mim's structured behaviour patterns — it sits on top of the default persona and tools, and teaches Mim how to handle this specific scenario. That structure matters because it's visible and adjustable. You can see what the procedure does, edit it for your business, and refine it as we all learn from how the directive plays out in practice.

For new Mims, the procedure ships included by default. For existing Mims, you can add it from the procedure library. Either way, setup takes minutes.

‍

What to ask yourself before 19 June

If you take nothing else from this guide, three questions are worth answering honestly before the rule applies.

• Where is your withdrawal button going to live, and is it where the contract was concluded? Article 11a requires the function to be on the same interface used for the sale. If you sell on web, app, and in-product simultaneously, you need to think about all three.
• ‍When a customer writes "I want to cancel" in chat, what happens? Trace the path. Does your support layer — human or AI — recognise this as a withdrawal request? Does it collect the right information? Does it produce a timestamped record that protects the 14-day window? Does it escalate or act without obstruction?‍
• What does your pre-contractual information say about the right of withdrawal? Article 6(1)(h) has been amended to require that customers be told about the existence and placement of the withdrawal function before they conclude the contract. Most existing terms and email templates pre-date this requirement.

Four weeks is enough time to answer these questions and act on them. It's not enough time to start from zero.

If you'd like to talk through what 19 June 2026 means for your support operation, reach out. Whether you use Dixa or not.