
Dark Pattern Penalties Compared: UK vs EU vs Australia — Who Hits Hardest?

Updated 4 April 2026 | 11 min read | 2,800 words

Three jurisdictions, three enforcement regimes, one target: dark patterns. The UK's Competition and Markets Authority can fine up to 10% of global turnover — without going to court. The European Commission already fined X (formerly Twitter) €550M under the Digital Services Act. The ACCC secured $100M from Qantas for selling tickets on flights that had already been cancelled. If your business operates across borders, you need to know which jurisdiction hits hardest — and where the real risk lies in 2026.

This article compares the UK (DMCCA), the EU (DSA + UCPD), Australia (ACL + proposed UTP Bill), and New Zealand (Fair Trading Act) side by side — penalties, enforcement styles, pattern-by-pattern treatment, and what a single dark pattern could cost you in each jurisdiction.

Penalty Framework: The Numbers

The headline penalty numbers reveal three very different approaches to deterrence. Australia leads on maximum fines, the UK leads on speed of enforcement, and the EU leads on breadth of scope. New Zealand trails the pack significantly but is moving toward reform.

| Category | UK (DMCCA/CMA) | EU (DSA/EC) | Australia (ACL/ACCC) | New Zealand (FTA/ComCom) |
|---|---|---|---|---|
| Maximum fine (% turnover) | 10% | 6% | 10% (current), 30% (UTP Bill) | N/A |
| Maximum fine (fixed) | No fixed cap | No fixed cap | $50M per contravention | NZ$600,000 per offence |
| Benefit-based penalty | N/A | N/A | 3x benefit obtained | N/A |
| Information request penalty | 1% turnover | 1% turnover | Contempt of court | NZ$30,000 |
| Daily penalty | 5% daily turnover | 5% daily turnover | Court-ordered | N/A |
| Enforcer | CMA (single body) | EC + 27 national DSCs | ACCC + state bodies | Commerce Commission |
| Court required? | No (direct) | No (direct) | Yes (Federal Court) | Yes (District/High Court) |
| Largest penalty to date | £473K (info notice) | €550M (X/Twitter) | $100M (Qantas) | NZ$3.4M |

Several things stand out immediately. Australia's proposed UTP Bill would introduce the highest percentage-of-turnover penalty of any jurisdiction — 30% — and the existing $50M fixed cap per contravention already exceeds what most UK or EU fines actually reach in practice. But the requirement to go through the Federal Court slows the process dramatically. The UK's CMA can impose fines directly, making it the fastest route from investigation to penalty. The EU occupies a middle ground: direct enforcement by the European Commission against Very Large Online Platforms, but a fragmented network of 27 national Digital Services Coordinators for everyone else.

New Zealand's NZ$600,000 maximum per offence is notably lower than its trans-Tasman neighbour. The Commerce Commission has flagged law reform as a priority, but for now the deterrent effect of NZ enforcement on large multinational businesses remains limited.

The benefit-based penalty mechanism in Australia deserves particular attention. Where the court can establish that a business derived a quantifiable benefit from the dark pattern (additional revenue from hidden fees, retained subscribers who would otherwise have cancelled), the penalty can be set at three times that benefit — even if that exceeds the percentage-of-turnover cap. This makes Australia uniquely dangerous for dark patterns that are directly tied to revenue generation.

How Each Jurisdiction Enforces

United Kingdom: Fast, Centralised, Aggressive

The CMA is a single, well-resourced enforcer with new direct fining powers under the DMCCA. It does not need a court order to impose fines. It does not need agreement from other regulatory bodies. It identifies a problem, investigates, and acts.

The results speak for themselves: 13 formal investigations in the first six months of the DMCCA taking effect. Eight targeting online pricing practices (drip pricing, pressure selling), five targeting fake reviews. The first financial penalty — £473,000 against Euro Car Parks for failing to comply with an information notice — landed in December 2025. On top of that, 100 advisory letters were sent to businesses across 14 sectors, signalling broad monitoring capability far beyond the formal investigation pipeline.

The CMA's model is: investigate fast, fine directly, use high-profile cases to create sector-wide deterrence. The advisory letter programme is particularly significant — it means the CMA is reviewing businesses that may never face formal proceedings, but are now on notice that their practices have been observed. If you serve UK consumers, this is the enforcer most likely to act against you in the shortest timeframe.

European Union: Broad Scope, Two-Tier Enforcement

The EU operates a two-tier enforcement system under the Digital Services Act. The European Commission enforces directly against Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) — platforms with over 45 million monthly active users in the EU. For all other platforms, 27 national Digital Services Coordinators (DSCs) enforce independently, coordinated through the European Board for Digital Services.

This creates both strengths and weaknesses. The strength is massive scope: between the DSA (platforms) and the Unfair Commercial Practices Directive (all B2C services), virtually every business serving EU consumers is covered. The weakness is coordination. Twenty-seven different regulators, with different resource levels, different enforcement priorities, and different interpretations of the rules, inevitably produce inconsistent outcomes. A dark pattern that triggers enforcement in the Netherlands might go unnoticed in another member state.

At the VLOP level, the European Commission has been aggressive. The €550M finding against X demonstrates the scale at which the Commission operates. TikTok, AliExpress, Meta, Temu, and Shein are all under formal investigation. But the real question is how effectively the national DSCs will enforce against the thousands of smaller platforms and services in their jurisdictions. The Digital Fairness Act, expected in Q4 2026, will extend dark pattern rules beyond platforms to all B2C digital services, further stretching enforcement capacity across the member states.

Australia: Massive Penalties, Court-Dependent

The ACCC is Australia's federal competition and consumer enforcer, but unlike the CMA, it cannot impose fines directly. The ACCC must take businesses to the Federal Court and persuade a judge to order penalties. State and territory fair trading bodies can independently enforce Australian Consumer Law in their own jurisdictions, adding another enforcement layer but also creating an additional vector for businesses to manage.

This court requirement makes Australian enforcement slower — typically 18 to 36 months from investigation to penalty — but the outcomes can be devastating when they land. The $100M penalty against Qantas is the largest consumer law penalty in Australian history. The ACCC has also pursued Microsoft, HelloFresh, Coles, and JustAnswer for dark pattern-related conduct under existing ACL provisions.

The proposed Unfair Trading Practices Bill would transform Australian enforcement. It would increase the maximum penalty to 30% of turnover and give the ACCC infringement notice powers — administrative fines without court proceedings. When that takes effect (expected July 2027), Australia moves from slow-but-devastating to potentially both fast and devastating.

New Zealand: Lower Stakes, Reform Underway

The Commerce Commission enforces the Fair Trading Act 1986, which prohibits misleading and deceptive conduct and unfair contract terms. Penalties are capped at NZ$600,000 per offence for bodies corporate — a fraction of the fines available in Australia, the UK, or the EU. Enforcement requires court proceedings through the District Court or High Court.

The largest dark pattern-related penalty in New Zealand to date is NZ$3.4M. While the Commerce Commission has shown willingness to pursue digital consumer protection cases, the penalty levels mean that for large multinational businesses, New Zealand enforcement represents reputational risk rather than material financial risk. Law reform discussions are underway, with the Ministry of Business, Innovation and Employment reviewing whether penalty levels need to increase to match Australia's regime. For businesses operating across Australasia, NZ should be on your radar even if it is not yet an urgent compliance priority.

How Each Jurisdiction Treats Specific Dark Patterns

The penalty frameworks tell you the maximum risk. But the real compliance challenge is understanding how each jurisdiction treats specific dark pattern categories — because the same interface element can be prohibited under different legal theories, enforced by different bodies, and penalised at different levels across jurisdictions.

Drip Pricing

| Jurisdiction | Legal Basis | Status | Enforcement Activity |
|---|---|---|---|
| UK | Explicit DMCCA ban | In force (April 2025) | CMA investigating StubHub, Viagogo, Appliances Direct, Marks Electrical. Full price must be shown from first display. |
| EU | UCPD misleading omissions + Consumer Rights Directive (total price) + DSA Article 25 | In force | Covered under multiple directives. Consumer Rights Directive requires total price disclosure. DSA Article 25 adds platform-specific ban on manipulative pricing interfaces. |
| Australia | ACL s48 (component pricing since 2011) + proposed UTP Bill explicit drip pricing prohibition | Existing law in force; UTP Bill expected July 2027 | ACCC actively enforcing. Actions against Dendy Cinemas, Dreamscape Networks. UTP Bill adds explicit drip pricing prohibition with enhanced penalties. |
| NZ | Fair Trading Act s13 (misleading representation re price) | In force | Commerce Commission has pursued some pricing transparency cases. Penalty cap limits deterrent effect. |

Subscription Traps

| Jurisdiction | Legal Basis | Status | Key Requirements |
|---|---|---|---|
| UK | DMCCA subscription contracts regime | Expected autumn 2026 | Cancellation parity, 14-day cooling-off periods, renewal notices with direct cancellation mechanism. |
| EU | DSA Article 25 + UCPD (misleading/aggressive practices) + Consumer Rights Directive (14-day withdrawal right) | In force | DSA covers platform subscriptions. UCPD covers misleading renewal practices. Consumer Rights Directive gives 14-day withdrawal right for online contracts. |
| Australia | ACL s18/s21 (misleading/unconscionable conduct) + proposed UTP Bill | Existing law in force; UTP Bill expected July 2027 | UTP Bill mandates cancellation parity and renewal notices. ACCC v Microsoft and ACCC v eHarmony set precedents on subscription dark patterns. |
| NZ | Fair Trading Act s9 (misleading conduct) + Consumer Guarantees Act | In force | General misleading conduct provisions apply. No subscription-specific regime yet. |

False Urgency and Scarcity

| Jurisdiction | Legal Basis | Enforcement Approach |
|---|---|---|
| UK | DMCCA misleading/aggressive practices | CMA investigating Wayfair for fake time-limited offers. Advisory letters sent to businesses using countdown timers and false stock warnings. |
| EU | UCPD Annex I blacklist item 7 (false limited-time offers) + DSA Article 25 (manipulative design) | False limited-time offers are per se prohibited under the UCPD blacklist — no need to prove consumer harm. DSA Article 25 adds a platform-specific prohibition on manipulative urgency design. |
| Australia | ACL s18 (misleading conduct) + s29 (false representations) + proposed UTP Bill “unreasonable manipulation” | ACCC has flagged fabricated urgency as a priority enforcement area. UTP Bill would explicitly prohibit unreasonable manipulation that distorts consumer decision-making. |
| NZ | Fair Trading Act s9/s13 | General misleading conduct provisions. Limited specific enforcement on urgency patterns to date. |

Confirm-Shaming

UK: Treated as an aggressive commercial practice under the DMCCA if it impairs freedom of choice through undue influence. The CMA's Online Choice Architecture paper explicitly identifies confirm-shaming as a harmful pattern. Enforcement is likely where the shaming language is designed to deter consumers from making choices that are in their interest — for example, “No thanks, I don't want to save money” as a decline option.

EU: Caught by DSA Article 25's prohibition on manipulative design. The EDPB classifies confirm-shaming under its “Stirring” category — using emotional appeals or visual nudges to influence users' decisions. The Digital Fairness Act is expected to strengthen this further with explicit prohibitions that apply beyond platforms to all B2C digital services.

Australia: Currently a grey area under the ACL. Confirm-shaming alone is unlikely to constitute misleading conduct under s18 unless the language is factually false. However, the proposed UTP Bill's “unreasonable manipulation” prohibition would explicitly catch confirm-shaming — filling a gap that the ACCC has acknowledged in its enforcement guidance.

NZ: Falls under general misleading conduct provisions of the Fair Trading Act. No specific prohibition or enforcement activity targeting confirm-shaming to date.

Pre-Selected Add-Ons

UK: Already prohibited under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, which require express consent for additional payments. The DMCCA reinforces this with enhanced enforcement powers. The CMA is investigating AA Driving School, BSM, and Appliances Direct for automatic opt-ins that added products or services without explicit consumer consent.

EU: Consumer Rights Directive Article 22 explicitly prohibits pre-ticked boxes for additional payments. This is one of the clearest and longest-standing prohibitions across all jurisdictions — in force since 2014. DSA Article 25 adds a platform-specific ban on pre-selected options that serve the platform's interests over the user's.

Australia: Covered under ACL s18 (misleading conduct) where pre-selected add-ons create a misleading impression about what the consumer has chosen. The UTP Bill is expected to include an explicit prohibition on pre-selected additional charges, removing the need to prove that the pre-selection was “misleading or deceptive” and instead treating it as inherently unfair.

NZ: Fair Trading Act s9 applies to misleading pre-selections. No explicit prohibition comparable to the EU's Consumer Rights Directive Article 22.

Case Study: What One Dark Pattern Costs Across Three Jurisdictions

To make the penalty frameworks concrete, consider a model company with revenue of £50M / €60M / AU$100M operating across all three major jurisdictions. The dark pattern: a subscription service with deliberately difficult cancellation — the consumer signed up in two clicks online, but cancellation requires navigating four screens, sitting through a retention call, and waiting through a 30-day “processing period.”

| Factor | UK | EU | Australia (current ACL) | Australia (proposed UTP Bill) |
|---|---|---|---|---|
| Maximum penalty exposure | Up to £5M (10% of £50M turnover) | Up to €3.6M (6% of €60M turnover) under DSA, plus national UCPD enforcement | Up to $50M per contravention | Up to $30M (30% of $100M turnover) |
| Enforcement mechanism | CMA direct enforcement — no court needed | EC for VLOPs; national DSC for others; national consumer authority under UCPD | ACCC through Federal Court | ACCC infringement notices (admin) + Federal Court for higher penalties |
| Estimated timeline | 6–18 months from investigation to fine | 12–24 months | 18–36 months | 3–6 months (infringement notice) or 18–36 months (court) |
| Additional consequences | Enhanced consumer measures, mandatory practice changes, compliance monitoring | Periodic penalties (5% daily turnover), mandatory practice changes | Injunctions, corrective advertising, consumer redress orders | Same as current ACL plus infringement notices |

The key insight: Australia has the highest potential penalties — up to $50M per contravention under current law, or 30% of turnover under the UTP Bill. The UK has the fastest enforcement — the CMA can go from investigation to fine without setting foot in a courtroom. The EU has the broadest scope — between the DSA, UCPD, Consumer Rights Directive, and the forthcoming Digital Fairness Act, it covers the widest range of practices across the most businesses.

For a company operating across all three jurisdictions, the realistic worst case is not one fine from one jurisdiction. It is concurrent enforcement in all three — a CMA investigation in London, a DSC inquiry in Dublin, and an ACCC Federal Court proceeding in Sydney, all targeting the same subscription trap on the same website. The total exposure is additive, not shared: potentially £5M + €3.6M + $50M AUD for a single dark pattern on a single website.

Which Jurisdiction Is the Biggest Threat in 2026

UK: Immediate threat. The CMA is actively using its new DMCCA powers. Thirteen formal investigations are already open. No court is needed for fines. The advisory letter programme signals that the CMA is monitoring broadly, not just targeting the most egregious offenders. The subscription contracts regime arriving in autumn 2026 will add another layer of enforceable obligations. If your business serves UK consumers in any capacity, the CMA is your number one regulatory risk right now. Read our full DMCCA analysis for what the CMA is targeting and how to prepare.

EU: Medium-term growing threat. DSA enforcement is ramping up. The €550M X finding sets a precedent that reverberates far beyond a single platform. TikTok, AliExpress, Meta, Temu, and Shein are all under formal investigation. But enforcement is split across 28 bodies (the European Commission plus 27 national DSCs), which inevitably creates unevenness. The Digital Fairness Act will extend dark pattern rules to all digital services when it arrives, significantly widening the net. For VLOPs, the risk is already high. For smaller platforms and services, the risk depends heavily on which member state's DSC has jurisdiction — and how well-resourced that DSC is.

Australia: High threat with delay. The ACCC must go through the Federal Court, which adds time — 18 to 36 months from investigation to penalty is typical. But when penalties land, they land hard. The $100M Qantas penalty demonstrates that Australian courts are willing to impose severe sanctions for consumer harm at scale. The UTP Bill, expected to commence in July 2027, will add ACCC infringement notice powers (administrative fines without court) and increase the maximum penalty to 30% of turnover. When that takes effect, Australia becomes arguably the most formidable enforcement jurisdiction of the three.

New Zealand: Watching brief. Penalties are too low to pose material financial risk to large businesses. But law reform is on the agenda, and businesses operating across Australasia should expect NZ penalty levels to increase over the next few years as the Commerce Commission pushes for alignment with Australia's regime.

The Good News: Compliance Is Converging

Here is the silver lining amid all this complexity. Despite different legislative frameworks, different enforcement bodies, and different penalty structures, all three major jurisdictions are converging on the same substantive requirements. The rules are articulated differently, but they point in the same direction.

Every jurisdiction is moving toward:

  • Full price transparency — no drip pricing, no hidden fees, total price from first display
  • Cancellation parity — as easy to cancel as it was to sign up
  • Informed consent — no pre-selected add-ons, no defaults that favour the business over the consumer
  • Genuine urgency only — no fabricated countdown timers, no fake scarcity, no false stock warnings
  • Clear information hierarchy — no buried terms, no misleading visual design that obscures important information from consumers

This convergence is genuinely good news for businesses operating internationally. It means that if you fix to the strictest standard across all jurisdictions, you are likely compliant everywhere. You do not need three separate compliance programmes — you need one programme built to the highest bar.

What is the strictest standard today? It depends on the dimension. For penalty severity, Australia's proposed UTP Bill (30% of turnover) is the highest. For speed of enforcement, the UK's CMA (direct fining, no court required) is the fastest. For scope of coverage, the EU's combination of DSA, UCPD, Consumer Rights Directive, and forthcoming Digital Fairness Act is the broadest. Design your compliance programme to satisfy all three dimensions, and you have covered the field.

Multi-Jurisdiction Compliance Strategy

If your business serves consumers in more than one of these jurisdictions — or if you anticipate doing so — a coordinated compliance strategy is not optional. Reactive, jurisdiction-by-jurisdiction compliance is more expensive, more error-prone, and more likely to leave gaps than a unified approach.

Step 1: Audit against all three frameworks simultaneously. Do not audit for UK compliance alone, then repeat the exercise for EU compliance, then again for Australia. Map your interface against all three frameworks in a single pass. The dark pattern categories overlap substantially — drip pricing is drip pricing in London, Brussels, and Canberra. Identify every pattern once, then assess the legal exposure under each jurisdiction.

Step 2: Fix to the strictest standard. For each dark pattern identified, determine which jurisdiction's requirement is most stringent and remediate to that level. If Australia requires total price from the first display and the UK requires the same, you fix once and both jurisdictions are satisfied. Compliance convergence means this “fix to the max” approach rarely costs more than fixing to the minimum — and it eliminates the risk of partial compliance in any single jurisdiction.

Step 3: Document jurisdiction-specific compliance. Even though you are fixing to a single high standard, document how your compliance satisfies each jurisdiction's specific requirements. Regulators want to see that you have considered their rules specifically — not just that you have a generic “no dark patterns” policy. Map each remediation to the relevant DMCCA provision, DSA article, ACL section, or UTP Bill clause.

Step 4: Monitor regulatory developments in all jurisdictions. The UK's subscription contracts regime arrives in autumn 2026. The EU's Digital Fairness Act proposal is expected in Q4 2026. Australia's UTP Bill is expected to commence in July 2027. Each of these will change the compliance landscape. Your monitoring should cover not just legislative changes but also enforcement actions, regulatory guidance, and court decisions across all jurisdictions.

Step 5: Continuous scanning. Regulations evolve, but so do dark patterns. New features, updated checkout flows, redesigned subscription pages, third-party integrations — any change to your digital interface can introduce a new compliance risk. Periodic manual audits are necessary but insufficient. Automated scanning provides the continuous monitoring that multi-jurisdiction compliance demands. Run a TrustScan analysis to identify patterns across your site and map findings to the specific legal provisions in each jurisdiction.

Common Questions

Can a business be fined by multiple jurisdictions for the same dark pattern?

Yes. There is no “double jeopardy” protection across national borders. If your website displays a drip pricing pattern to UK, EU, and Australian consumers simultaneously, the CMA, the relevant EU enforcer, and the ACCC can all independently investigate and impose penalties. In practice, regulators sometimes coordinate — the International Consumer Protection and Enforcement Network (ICPEN) facilitates cross-border cooperation — but coordination does not prevent parallel enforcement. A single dark pattern on a single website can generate three separate sets of proceedings, three separate penalties, and three separate sets of remediation orders. The total exposure is additive, not shared.

Which jurisdiction should a multi-national business prioritise first?

Prioritise the UK for immediate action and Australia for highest financial exposure. The CMA is the most active enforcer right now — 13 investigations in six months, direct fining powers, no court requirement. It is the jurisdiction most likely to act against you in 2026. Australia should be prioritised second because, although enforcement is slower (court-dependent), the penalty exposure is enormous — $50M per contravention under current law, rising to 30% of turnover under the proposed UTP Bill. The EU should be prioritised based on your specific profile: if you are a VLOP, the European Commission is already aggressively enforcing; if you are a smaller platform or service, the urgency depends on which member state's DSC has jurisdiction. In all cases, the most efficient approach is to fix to the strictest standard across all jurisdictions simultaneously, which eliminates the need to prioritise one regime over another.

Do these laws apply if my business is based in a different country?

Yes — all three jurisdictions apply their dark pattern laws based on where the consumer is located, not where the business is incorporated. The DMCCA applies to any business that “engages in a commercial practice” affecting UK consumers. The DSA applies to platforms that offer services to users in the EU. Australian Consumer Law applies to conduct “in trade or commerce” within Australia, which includes online services accessible to Australian consumers. If your website is accessible to consumers in these jurisdictions and you are not geo-blocking, you are almost certainly in scope. The enforcement challenge for regulators is practical (cross-border enforcement mechanisms) rather than legal (jurisdictional reach). Both the CMA and the ACCC have demonstrated willingness to pursue overseas-based businesses — and the EU's €550M fine against X, a US-headquartered platform, underscores that physical location provides no protection.

How does TrustScan handle multi-jurisdiction compliance?

TrustScan's AI-powered scanner analyses your website for dark patterns and maps findings to specific legal provisions across jurisdictions — including the DMCCA, DSA Article 25, UCPD, and Australian Consumer Law. Rather than running separate scans for each jurisdiction, TrustScan identifies the pattern once and shows you the legal exposure under each applicable framework. This unified approach means you see the full picture of your multi-jurisdiction risk in a single report, with actionable remediation guidance calibrated to the strictest applicable standard. Start a free scan to see how your site performs across all three jurisdictions.
