UK and EU Shifts in Consumer Protection

Navigating the New Era

Consumer protection in the UK and Europe is entering a new era. In the UK, the enhanced regime introduced by the Digital Markets, Competition and Consumers Act 2024 (DMCCA) is well underway, while in the EU the new Commission has released initial proposals for a new Digital Fairness Act (DFA) to reinforce existing consumer protection rules.

Together with recent changes to cookie rules and penalties in the UK (and equivalent proposals from the EU), these regulatory developments are reshaping customer journeys and related compliance obligations for consumer-facing businesses through stricter transparency, consent and fairness requirements. Businesses should therefore prepare for increased scrutiny in 2026.

Lessons from the first months of the enhanced UK regime

The key consumer protection aspects of the DMCCA entered into force in April 2025, giving the Competition and Markets Authority (CMA) the power, for the first time, to impose fines of up to 10% of a company’s turnover for breaches of UK consumer protection laws.

For the first seven months of the regime, the CMA focused primarily on helping businesses get to grips with the new rules. Instead of taking enforcement action, last summer the CMA issued “advisory letters” to over 50 companies whom it considered may not be compliant with its new rules on fake reviews, recommending they review the guidance against their current policies and approach. In its November 2025 announcement on the launch of its first enforcement cases into suspected drip pricing and pressure selling at eight companies, the CMA explained that it had spent the intervening time reviewing the pricing practices of over 400 businesses, as a result of which it launched these eight investigations and wrote advisory letters to a further 100 companies. While the outcome of these cases is uncertain, it is encouraging to see the CMA continue to use advisory letters rather than seeking enforcement action in all cases of potential concern, aligning with the UK government’s strategic steer on proportionately.

Since April 2025 the CMA has also published a plethora of lengthy guidance documents, focusing on unfair commercial practices, fake reviews and drip pricing, amongst others. This has been supplemented by business-focused guidance and webinars, resulting in a vast amount of policy being generated upfront for consumer-facing businesses to navigate.

Customer journeys in focus at both the EU and UK level

Many of these early policy updates, and more than half of the first enforcement cases, have focused on fake reviews and drip pricing – that is, on ensuring that early in the customer journey, customers have clear and accurate information about a product or service’s qualities and its total cost. These are both areas where any breach of the rules is automatically unlawful, so the stakes are high. Yet much remains unclear. At a CMA webinar on fake reviews held last summer, a quarter of respondents incorrectly answered a question whose answer was supposed to be clear from the guidance. Similarly, the initial draft guidance on drip pricing caused so much uncertainty that the CMA conducted an additional consultation on a revised guidance document, which was subsequently released in final form in November. Precedent developed through the CMA’s first enforcement cases, where some of the drip pricing guidance will be thoroughly tested and applied in practice, will be key to refining these policy areas as the regime matures.

For those practices where the CMA must also prove that a breach would likely cause the average consumer to take a particular transactional decision, the new guidance means that businesses must ensure that consumers have all relevant information at the outset of their customer journey. Building on earlier case law, the guidance explains that deciding whether to visit a shop, click through onto a website, or agree to a sales presentation are all “transactional decisions”. In practice, and in light of the CMA’s new direct enforcement powers, businesses should review all claims made during the customer journey for accuracy, and conspicuously flag any material contractual provisions which could affect a consumer’s decision making as early as possible.

The EU is also zoning in on similar issues. In December, the Commission issued its first fine (of €120 million) under the Digital Services Act against X for breaching the regime’s transparency and design obligations. The Commission held that X’s “blue checkmarks” give users a false impression that accounts had been meaningfully verified and amount to a “deceptive design practice”. The Commission also highlighted how X’s design choices hinder researchers’ abilities to analyse ads on the platform. Looking beyond its existing regulatory toolbox, in a bid to ensure that its consumer protection rules remain fit for purpose in the digital age, the European Commission pledged in its recent 2030 Consumer Agenda to table a legislative proposal for the DFA by Q4 2026. Although it is not yet clear exactly what the proposal will cover, the Commission seems to be focused on areas such as drip pricing and scarcity tactics. It is also, though, considering a wider range of issues including dark patterns, addictive design features like “infinite scrolling”, and misleading online choice architecture – which has previously been a focus for the CMA. Given that the UK Secretary of State has powers to expand the list of automatically unlawful practices under the DMCCA, we expect the government will watch the progress of the EU legislation carefully, potentially with an eye for future amendments to its own legislation.

Cookie rules in focus

Meanwhile, recent changes to the UK’s cookie rules are already impacting the design of customer websites (and apps) in the UK. The Data (Use and Access) Act 2025 (DUA Act), which became law in June 2025, has liberalised the UK’s cookie consent rules, so more cookies can be set without the need for opt-in consent, including analytics and security update cookies. In parallel, the DUA Act aligns the maximum fines for marketing and cookie infringements with those applicable to breaches of the UK General Data Protection Regulation (GDPR) (i.e. £17.5 million or 4% of the business’ annual worldwide turnover, whichever is higher). UK businesses should review their approach to cookie compliance, including the design of website banners, in light of these changes and also in response to ongoing focus on cookies from the UK data protection authority (DPA) – which has included the regulator auditing compliance by the UK’s "top" 1000 websites.

Cookie changes are also on the agenda at the EU level, as part of the pro-growth Digital Omnibus reforms. These would include adding new consent exceptions and aligning cookie penalties across the EU with those under the EU GDPR, as the UK has done. The current EU proposals go beyond the UK’s changes – for example, they would require businesses to facilitate one click cookie rejection, and for the rejection to be respected for six months, to address concerns that "dark patterns" are driving consent rates. However, the Omnibus proposals are at an early stage and may be revised following scrutiny by the EU institutions. In the meantime, increased regulatory focus on compliance with the current rules (such as the €750 million imposed on Conde Nast by the French DPA in November) is pushing cookie compliance up the agenda across Europe.

The road forward for consumer-facing businesses

Further developments are expected in both the UK and EU in 2026. In the UK, policy creation will continue apace as the final pieces of the enhanced consumer protection regime (and further cookie changes under the DUA Act) come into force. We expect secondary legislation and guidance on subscription contracts to be published in the autumn (at the earliest), following the UK government’s consultation on its proposed policies last year. The progress of the CMA’s first investigations will also provide important insights into how the CMA’s new rules and enforcement toolkit will be applied in practice. In the EU, as well as developments in relation to the DFA and Digital Omnibus, the Commission has committed to assess whether centralised enforcement powers might be required in certain cases, and how otherwise to bolster coordination among national authorities. This assessment will inform a proposed revision of the Consumer Protection Cooperation Regulation, which governs cross-border cooperation over suspected breaches of consumer protection rules. Given the current decentralised and fragmented enforcement landscape, this is an encouraging step for significantly reducing the compliance burden for consumer-facing businesses active in the EU.

In the UK in particular, any missteps could have serious ramifications, with the UK DPA and CMA able to impose larger fines by the day (the duration of the infringement post-April 2025 being a relevant factor in calculating the penalty). Consumer-facing businesses operating in the UK and EU should continue to monitor these developments carefully and review their policies and practices as these regimes mature.

EXPLORE MORE FROM HORIZON SCANNING
Capital Flows
The future of merger control: Navigating political shifts and a dynamic regulatory environment  As geopolitical tensions, industrial policy, and competitive pressures reshape global markets, merger control is undergoing recalibration across the EU, UK, and US.
Digital
Digital regulation: navigating diverging paths Recent years have seen a proliferation of digital regulation. The (often overlapping) regimes emerging across the globe present the potential for international divergence, a risk further compounded by the growing global focus on domestic industrial policy agendas and geopolitical tensions.
Digital
AI update for 2026: Adapting to the evolving AI regulatory landscape As AI continues to transform the business landscape, staying ahead of legal developments in this space has never been more critical. Global regulation poses a particular challenge, with jurisdictions adopting divergent approaches amid fierce international competition and concerns that excessive regulation could hinder innovation.
Digital
Get smart: data portability is moving from concept to reality Data sharing is set to be turbocharged in the UK and EU through new schemes centred on customer-directed data portability. Ambition for these schemes is high, as drivers of competition, innovation and growth, including in the UK’s latest industrial strategy.

See all

STAY INFORMED

We will continue to publish Horizon Scanning insights throughout the year.
Subscribe using the button below to receive the latest updates straight to your inbox.

 Subscribe

This material is provided for general information only. It does not constitute legal or other professional advice.