DMCC Act seeks to make consumer protection fit for the digital age

The Digital Markets, Competition and Consumers Act 2024 (DMCC Act) received Royal Assent on 24 May 2024, bringing in long-anticipated reforms aimed at forging a UK regulatory framework fit for the digital age. In doing so, the DMCC Act introduces major updates to UK competition and consumer protection laws and has been hailed as a “watershed moment in the way we protect consumers in the UK” by Sarah Cardell, Chief Executive of the UK Competition and Markets Authority (CMA).

The DMCC Act’s new digital markets regime has received much attention over recent months. Under that regime, firms designated as having “strategic market status” in respect of a digital activity will be subject to targeted conduct requirements imposed by the CMA for the purposes of fair dealing, open choices and/or trust and transparency. The CMA will also have the power to intervene in digital markets to promote dynamic competition and innovation, by imposing “pro-competitive interventions” on designated firms.

But what have received less attention are the separate consumer protection reforms within the DMCC Act that are due to come into force over the next 6 to 24 months, and which are also key to a fair and competitive playing field.

In the remainder of this article, we therefore consider these consumer protection reforms, explain how businesses can prepare themselves for them and discuss the potential interplay with existing privacy processes.

Existing key consumer protection regime

At present, there are three key pieces of UK consumer legislation:

• the Consumer Protection from Unfair Trading Regulations 2008 (CPRs), which cover the entire lifecycle of a consumer’s transaction with a trader and prohibit misleading or aggressive practices in a consumer-trader relationship;
• the Consumer Rights Act 2015, which governs the fairness of consumer contracts; and
• the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (CCRs), which govern the pre-contract information that must be given to consumers before making a sale, provide for cooling off periods and cancellation rights for consumers when they buy online or off-premises, and require express consumer consent for additional charges.

The DMCC Act replaces the CPRs and amends certain aspects of the Consumer Rights Act 2015 and the CCRs.

The changes modernise the current protections to reflect, in particular, the boom in online shopping and significant shifts in consumer purchasing behaviour since the existing UK consumer legislation was enacted; and specifically address certain unfair practices that have become more prevalent in recent years, as we discuss below.

Fake reviews

Legal changes

Reviews can play a central role in consumers’ purchasing decisions. To address fake reviews’ growing prevalence, several new practices have been added to the banned practices in the DMCC Act (which will replace the equivalent list in the CPRs) as follows:

• submitting or commissioning a fake consumer review (e.g. of a product or trader) or a consumer review that conceals the fact it has been incentivised;
• publishing consumer reviews in a misleading way (e.g. giving greater prominence to positive reviews over negative reviews or swapping reviews of one product to another);
• offering or advertising services to traders to submit, commission or facilitate fake consumer reviews; and
• publishing or providing access to consumer reviews without taking “reasonable and proportionate” steps to ensure reviews are genuine, do not conceal where they have been incentivised and are not presented in a misleading way.

These practices are ‘blacklisted’ as they are automatically considered unfair in all circumstances and therefore prohibited, regardless of the likely effect on consumers.

Guidance

The CMA has confirmed it will publish guidance for consultation later this year to help businesses understand their legal obligations. It is expected that this will be principles-based and will reflect both the CMA’s recent enforcement actions and its October 2023 response to the Government consultation on price transparency. In this, the CMA stated that it considers taking “reasonable and proportionate steps” to combat fake reviews to include:

• conducting regular risk assessments and internal evaluations;
• having systems and processes in place to proactively identify, investigate and/or respond to or remove fake reviews;
• providing third-party notification systems to enable third parties to report content or activity that might constitute fake reviews; and
• applying sanctions to dissuade, deter and prevent users engaging in fake review-related activity.

Practical steps

Businesses that publish or provide access to reviews will need to consider whether their existing consumer protection compliance policies need to be refreshed and ensure that they have appropriate protocols (as well as systems and resources) in place to meet the CMA’s expectations of ‘reasonable and proportionate steps’ to be taken in respect of fake reviews.

Fake reviews may include personal data of employees of the relevant business and so are subject also to data privacy laws and could be subject to data deletion requests from the relevant individuals. These existing privacy processes could be leveraged to also address fake reviews, whether or not the review contains privacy information, if concerns are raised.

Subscription contracts

Legal changes

The DMCC Act also introduces new measures that apply to subscription contracts reflecting the increased popularity of subscription services across sectors and alongside extensive CMA enforcement in this area, for example, as part of its investigations into online video games and anti-virus software.

These new provisions are aimed at alleviating some of the problems caused by so-called “subscription traps” – that is subscription models that entice consumers to sign up using free or low-cost trial periods, and then either do not alert them to the end of the trial period, auto-renew, or otherwise make it difficult for the consumer to cancel their subscription. The DMCC Act introduces significant reforms to deal with this, including by requiring businesses operating a subscription model to:

• provide pre-contract information to ensure that consumers can make informed decisions by understanding the nature of the contract and how to terminate;
• offer a 14-day cooling off period;
• issue regular reminders to consumers regarding their rights to terminate and when the subscription will renew; and
• provide simple and clear methods for terminating the subscription, including online if the subscription was entered into online.

Practical steps

The customer journey pre-contract already contains links to the privacy notice and either express consent to e-marketing or the ability to opt-out. The customer journey will, in future, need to be updated to reflect additional information and to have a final, clear step in which the customer expressly acknowledges that it will be committed to making payments to the trader.

Many have tried since 2018 to ensure that their privacy notices are clear and understandable (albeit this is by no means universally successful). Learnings can therefore be drawn from this when considering how to address the information requirements of the new regime.

Some of the subscription services may also be “pay or consent” models as characterised by the ICO and the European Data Protection Board i.e. where one can subscribe for a service with no (or no personalised) ads, or otherwise receive the advert-including model free of charge. These models already come with their own challenges from a privacy perspective and the new subscription requirements will in future need to be overlaid as well, adding to complexity in this area.

Drip pricing

Legal changes

Drip pricing occurs when a consumer is shown an initial price for a product, but additional fees are added (whether mandatory or optional) as they proceed with the transaction. According to research commissioned by the Government, “drip pricing is prevalent across the economy” and undermines price transparency, making it difficult for consumers to make informed decisions based on the advertised price of a product or service, particularly when online shopping.

To address this concern, the new rules will prohibit presenting a headline price which does not:

• incorporate any fixed mandatory fees that must be paid by all consumers in that price; and
• disclose the existence of any variable mandatory fees and how they will be calculated.

Importantly, enforcers will no longer have to prove that a failure to present the total price and the existence of any variable fees will cause, or be likely to cause, the average consumer to take a different purchasing decision (as is currently required under the CPRs). In effect, ‘hidden’ mandatory fees and drip pricing practices will therefore become blacklisted. However, the Government is not planning, at this stage, to legislate in relation to optional fees such as airline seat choices and luggage upgrades for flights.

Practical steps

Businesses will need to consider the impact of these changes on their customer journey and advertising strategy and make changes where necessary to comply with the new rules (e.g. by making headline prices clear and avoiding hidden mandatory fees). In turn, that may also require a broader strategic review of how best to engage with and market to consumers.

As with data privacy, transparency is at the heart of these reforms, and so some businesses may see this an opportune time to carry out a more holistic review of their customer journey and marketing strategies.

The CMA’s new consumer law enforcement powers

Under the current regime, the CMA does not have direct powers to sanction businesses for a breach of UK consumer law, as it does with anti-trust laws, instead needing to bring civil action in the courts.

In future, under the DMCC Act changes, the CMA will be able to directly impose fines for consumer law breaches. This brings in a fining regime based on turnover, a concept which anti-trust and privacy lawyers will be familiar with. The maximum fining levels, however, more closely reflect those for anti-trust than privacy, with the maximum fine for infringement of consumer law being 10% of global annual turnover, compared to a maximum of 7% under the EU AI Act and 4% under the GDPR.

On 31 July 2024, the CMA published draft guidance on its new direct enforcement powers, including its planned approach to calculating penalties for breaches of consumer law. The magnitude of the fines that will be issued by the CMA in practice remains to be seen, but the introduction of the potentially large fines will likely be a significant deterrent for non-compliance.

Timing

A written statement to Parliament recently outlined the planned implementation timetable for the DMCC Act. This reflects the timetable indicated by the previous Government, whereby the reforms relating to subscription contracts will not commence before Spring 2026, but the CMA’s new consumer law enforcement powers and the provisions relating to fake reviews and drip pricing are expected to come into force in April 2025.

The CMA’s new powers will not have retroactive effect (i.e. UK consumer law breaches occurring before commencement of the DMCC Act will continue to be considered under the previous regime), but any continuing infringement occurring when the DMCC Act is in force may well be investigated under the CMA’s new powers. It is therefore crucial for companies to be proactive and take stock of their preparedness at an early stage, with a view to mitigating the risk of potential issues arising in the future.

How to prepare

• Health checks: As highlighted above, companies should review existing consumer protection compliance policies and procedures and the consumer journey to see how they require updating to reflect the new regime. This should include considering the detailed requirements of the DMCC Act and, more holistically, considering whether existing practices are sufficiently transparent and fair. Given the potential need to change the customer journey, the lead time to make the necessary technical changes needs to be borne in mind. With many companies now having undertaken at least one review of their GDPR compliance since 2018, learnings can be drawn from the approach to those reviews.
• Update risk categorisation and governance: The ability of the CMA to impose significant fines changes the risk of non-compliance, and with that comes a need to reconsider governance. This was the case when the GDPR came into force and likewise the EU AI Act. Organisations need to consider if the right people are setting risk appetite, who should have responsibility for the risk and who should have oversight. For example, companies might consider the level of oversight that internal legal teams have over complaints-handling processes (which might allow for enhanced monitoring of common themes or issues so that they can be swiftly remediated) and put in place clear lines of reporting up to board level given the potential for high fines for breaches.