
UK Dark Pattern Laws Are Already Live: What the DMCCA Means for Your Business

Updated 31 March 2026 · 10 min read · 2,400 words

Most UK businesses don't know it, but the rules changed on 6 April 2025. The Competition and Markets Authority no longer needs a court order to fine you for dark patterns. They've already investigated 13 companies, fined the first one, and sent advisory letters to 100 more.

If your website serves UK consumers — regardless of where your business is incorporated — the Digital Markets, Competition and Consumers Act 2024 (DMCCA) applies to you. And the CMA is moving fast.

What Changed on 6 April 2025

The DMCCA received Royal Assent in May 2024, but the consumer protection provisions in Parts 3 and 4 didn't take effect until 6 April 2025. That date fundamentally changed UK consumer protection enforcement.

Before the DMCCA, the CMA had to go to court to enforce consumer protection law. That meant lengthy proceedings, high costs, and uncertain outcomes. Many businesses correctly calculated that the risk of enforcement was low enough to tolerate manipulative design patterns.

That calculation is now wrong.

Under the DMCCA, the CMA can:

  • Directly impose fines of up to 10% of worldwide annual turnover — no court required
  • Issue information notices compelling businesses to provide documents and data, with fixed penalties for non-compliance
  • Require “enhanced consumer measures” — mandatory changes to business practices, compensation for affected consumers, and compliance monitoring
  • Accept undertakings from businesses, with penalties for breach
  • Designate “digital markets” participants with additional obligations under Part 1

This isn't a theoretical upgrade. The CMA has been using these powers since the day they took effect.

The CMA's New Enforcement Toolkit in Action

The CMA didn't wait. Within seven months of the DMCCA taking effect, it launched its first enforcement wave.

November 2025: Eight Formal Investigations

On 18 November 2025, the CMA announced formal investigations into eight businesses for online pricing practices, including drip pricing and pressure selling tactics:

| Company | Sector | Alleged Practices |
|---|---|---|
| StubHub | Event tickets | Drip pricing, hidden fees |
| Viagogo | Event tickets | Drip pricing, hidden fees |
| AA Driving School | Driving lessons | Misleading pricing, automatic opt-ins |
| BSM Driving School | Driving lessons | Misleading pricing, automatic opt-ins |
| Gold's Gym | Fitness | Hidden fees, pressure selling |
| Wayfair | Homeware retail | Misleading time-limited offers |
| Appliances Direct | Electronics | Drip pricing, automatic opt-ins |
| Marks Electrical | Electronics | Drip pricing, automatic opt-ins |

These aren't informal inquiries. They are full administrative investigations under the DMCCA's consumer protection powers, with the ability to result in fines of up to 10% of worldwide turnover.

December 2025: The First Fine

The CMA imposed a £473,000 penalty on Euro Car Parks for failing to comply with a formal information notice. This is significant not because of the amount, but because of what it signals: the CMA will use its fining powers, and non-cooperation will be punished swiftly.

March 2026: Five More Investigations (Fake Reviews)

On 27 March 2026, the CMA launched five further investigations into fake and misleading reviews, targeting Autotrader, Feefo, Dignity, Just Eat, and Pasta Evangelists. This brings the total to 13 formal investigations in less than six months.

100 Advisory Letters

Beyond formal investigations, the CMA sent 100 advisory letters to businesses across 14 sectors, warning them about pricing practices that may breach the DMCCA. Sectors included holidays, driving schools, homeware, rail travel, parking, cinemas, live events, food delivery, gyms, fashion, and online vouchers.

An advisory letter isn't enforcement — but it's a clear signal that the CMA has reviewed your practices and found them wanting. Ignoring an advisory letter and then being caught in a formal investigation is about the worst possible position to be in.

The Dark Pattern Categories the CMA Focuses On

The CMA published its foundational Online Choice Architecture discussion paper in April 2022. This paper established the definitional framework the CMA uses to identify harmful design patterns. Combined with the DMCCA's consumer protection provisions, these are the patterns now subject to direct enforcement:

1. Drip Pricing

What it is: Advertising a headline price and then revealing mandatory fees progressively through the purchase process — booking fees, service charges, processing fees, delivery surcharges.

DMCCA provision: The Act introduces an explicit prohibition on drip pricing, requiring that the total price (including all mandatory fees, taxes, and charges) be displayed whenever a price is shown to consumers.

How prevalent: Research by the Department for Business & Trade found drip pricing in 93% of event ticketing businesses, 69% of cinemas, and 60% of gyms reviewed.

CMA action: StubHub, Viagogo, Appliances Direct, and Marks Electrical are all under formal investigation for drip pricing. The CMA also published finalised price transparency guidance alongside the November 2025 investigations.

2. Pressure Selling and False Urgency

What it is: Countdown timers that create artificial urgency, “Only 2 left!” warnings when stock is plentiful, “15 people viewing this right now” notifications designed to rush decisions.

DMCCA provision: Falls under the prohibition on misleading commercial practices and aggressive commercial practices — both now directly enforceable by the CMA without court proceedings.

CMA action: Wayfair is under investigation for misleading time-limited offers. Gold's Gym is under investigation for pressure selling tactics.

3. Automatic Opt-Ins (Pre-Selected Add-Ons)

What it is: Pre-ticking boxes for insurance, warranties, premium delivery, or subscriptions that consumers must actively uncheck to avoid paying for.

DMCCA provision: The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, carried forward under the DMCCA, already require explicit opt-in consent for additional charges. Pre-selected add-ons are prohibited.

CMA action: AA Driving School, BSM Driving School, Appliances Direct, and Marks Electrical are under investigation for automatic opt-ins for optional charges.

4. Subscription Traps

What it is: Easy sign-up, hard cancellation. Multi-step cancellation flows, retention gauntlets, phone-only cancellation when sign-up was online, inadequate renewal notices, free trials that silently convert to paid plans.

DMCCA provision: The DMCCA introduces a dedicated subscription contracts regime (arriving autumn 2026) requiring cancellation parity, renewal notices, and cooling-off periods.

International precedent: Amazon settled with the FTC for $2.5 billion over Prime cancellation dark patterns in September 2025 — the largest dark patterns settlement in history.

5. Hidden Information

What it is: Burying material terms in fine print, making cancellation instructions hard to find, obscuring price increases, or structuring information disclosure so that key facts only appear after the consumer has psychologically committed.

DMCCA provision: Misleading omissions (failing to provide material information) and misleading actions (creating an overall false impression) are both directly enforceable.

6. Confirm-Shaming

What it is: Wording opt-out choices to make consumers feel guilty — “No thanks, I don't like saving money” instead of a simple “No.”

DMCCA provision: Can constitute an aggressive commercial practice if it significantly impairs the consumer's freedom of choice through undue influence.

7. Dark Nudges and Interface Interference

What it is: Using visual hierarchy, colour, size, or placement to steer consumers toward more expensive options, or making the “Accept All” button prominent while “Manage Preferences” is minimised.

DMCCA provision: Where the overall impression of the interface is misleading, this constitutes a misleading commercial practice. The CMA's Online Choice Architecture paper specifically identifies sludge (friction to prevent unwanted actions), dark nudges (exploiting behavioural biases), and forced action patterns.

“Harmful Online Choice Architecture” — the Legal Standard

Here's a detail many businesses miss: the DMCCA doesn't use the phrase “dark patterns” in the statute. The legal framework operates through existing consumer protection concepts — misleading actions, misleading omissions, aggressive practices, and unfair commercial practices — now with direct enforcement powers.

The CMA's preferred framing is “harmful online choice architecture” — the design of digital interfaces in ways that harm consumers by exploiting behavioural biases, obscuring information, or creating friction against consumer-beneficial actions.

The legal test under the DMCCA centres on whether a commercial practice:

  1. Contravenes professional diligence — falls below the standard of honest market practice and good faith in the trader's field of activity
  2. Materially distorts the economic behaviour of the average consumer — causes (or is likely to cause) the consumer to make a transactional decision they would not have made otherwise

This is a broad test. It doesn't require intent to deceive. If the design effect is that consumers make decisions they wouldn't otherwise make, and the design doesn't meet the standard of professional diligence, that's enough.

Who's Exposed

The DMCCA applies to any business engaging in commercial practices directed at UK consumers. This includes:

  • UK-incorporated businesses — obviously
  • Overseas businesses selling to UK consumers — if your website accepts UK orders, displays prices in GBP, or targets UK search terms, you're in scope
  • SaaS companies with UK customers — subscription models are under particular scrutiny
  • E-commerce platforms and marketplaces — both the platform and individual sellers may be liable
  • Businesses using third-party tools — if a Shopify app, WordPress plugin, or SaaS widget introduces a dark pattern on your site, you bear responsibility for the consumer experience

The CMA's November 2025 investigation targets include US-headquartered companies (StubHub, Wayfair) and international brands (Gold's Gym, Viagogo). Geography is not a defence.

Penalty Framework

The DMCCA penalty structure is designed to deter:

| Penalty Type | Maximum | Mechanism |
|---|---|---|
| Turnover-based fine | 10% of worldwide annual turnover | Direct CMA imposition, no court required |
| Information notice penalty | 1% of worldwide annual turnover (or £300,000 for initial, 5%/£15,000 per day for continuing) | Failure to respond to information requests |
| Enhanced consumer measures | No cap | Mandatory practice changes, consumer compensation |
| Daily penalties | 5% of daily worldwide turnover | Continuing non-compliance |

For context: a business with £100 million in annual turnover faces a maximum fine of £10 million per infringement. With £1 billion in turnover, that rises to £100 million. And the CMA can impose these without going to court.

The Euro Car Parks penalty (£473,000) was merely for failing to respond to an information notice. The fines for substantive dark pattern violations will be significantly larger.

The CMA isn't the only UK regulator targeting dark patterns. The Information Commissioner's Office (ICO) has published guidance on deceptive design patterns in cookie consent mechanisms under UK GDPR.

Common cookie consent dark patterns that breach UK GDPR:

  • Prominent “Accept All” button with a hidden or greyed-out “Reject All” option
  • Requiring multiple clicks to reject cookies but only one click to accept
  • Pre-selecting non-essential cookie categories
  • Using confusing toggle switches where “on” and “off” aren't clear
  • Cookie walls that block access to content unless all cookies are accepted

A business can be compliant with the DMCCA on pricing and subscription practices but still face ICO enforcement for cookie consent dark patterns. Both need to be addressed.

5-Step Compliance Checklist for UK Businesses

Step 1: Audit Your Pricing Flows

Walk through every purchase flow on your website as a new customer. Is the total price — including all mandatory fees, taxes, and charges — displayed from the first moment a price appears? If fees appear later in the checkout, you likely have a drip pricing problem.

Step 2: Review Your Subscription Lifecycle

Map the complete subscription journey: sign-up, renewal, and cancellation. Can a customer cancel through the same channel they signed up? Is cancellation as frictionless as sign-up? Do you send clear renewal notices before each auto-renewal? The subscription contracts regime arrives in autumn 2026 — get ahead of it now.

Step 3: Check Your Defaults and Pre-Selections

Audit every pre-selected checkbox, pre-ticked add-on, and default setting across your site. Any paid service or add-on must require explicit opt-in from the consumer. Pre-selection is already prohibited under existing consumer contract regulations.

Step 4: Verify Your Urgency and Scarcity Claims

Every countdown timer, low-stock warning, and “people are viewing this” notification must reflect reality. If a countdown timer resets, if stock levels are inflated, or if activity notifications are fabricated, you have a misleading commercial practice.

Step 5: Set Up Continuous Monitoring

Dark patterns creep back in through A/B tests, new features, third-party widgets, and marketing campaigns. A one-time audit isn't enough. Implement continuous monitoring to catch new patterns as they appear — before the CMA does.

How TrustScan Helps

TrustScan's AI-powered compliance scanner detects dark patterns and maps findings to specific consumer protection provisions. While currently calibrated for Australian Consumer Law, UK law mapping is on our roadmap — because the pattern categories are universal, even if the statutory provisions differ.

The 10 dark pattern categories TrustScan scans for — subscription traps, drip pricing, confirm-shaming, misdirection, sneaking, false urgency, forced continuity, trick questions, disguised advertising, and nagging — map directly to the CMA's Online Choice Architecture taxonomy.

Scan your website now to get a baseline assessment of your dark pattern risk.

What's Coming Next

The DMCCA enforcement we've seen so far is just the beginning. Here's what UK businesses should prepare for:

  • Autumn 2026: The subscription contracts regime takes effect — mandatory cancellation parity, renewal notices, and 14-day cooling-off periods
  • 2026-2027: Outcomes from the 13 formal investigations — expect precedent-setting fines
  • Ongoing: Further investigation waves — the CMA has signalled that the November 2025 and March 2026 rounds are “the first” of many
  • Cross-border coordination: The CMA is actively collaborating with the European Commission, ACCC (Australia), and FTC (US) on dark pattern enforcement

The direction is unambiguous: UK dark pattern enforcement is accelerating, penalties are increasing, and the CMA now has the tools to act fast. The businesses that audit and remediate now will be the ones that don't feature in the CMA's next press release.

Common Questions

Does the DMCCA apply to businesses outside the UK?

Yes. The DMCCA applies to commercial practices directed at UK consumers, regardless of where the business is incorporated. If you sell to UK customers, display GBP prices, or target UK search terms, you are in scope. The CMA's current investigations include US-headquartered and international companies.

What is the maximum CMA fine for dark patterns?

Up to 10% of worldwide annual turnover for substantive consumer protection infringements. Additional penalties apply for non-cooperation: up to 1% of turnover for failing to respond to information notices, plus daily penalties of up to 5% of daily turnover for continuing non-compliance.

What's the difference between a CMA information notice and a direct fine?

An information notice is a formal demand for documents, data, or explanations. Failure to comply results in a fixed penalty (as Euro Car Parks discovered at £473,000). A direct fine is imposed after a full investigation finds that a business has committed a consumer protection infringement. The investigation fines will be substantially larger.

How do UK dark pattern laws compare to GDPR consent requirements?

The DMCCA covers commercial practices — pricing, subscription, and purchase flows. UK GDPR covers data processing consent — cookie banners, data sharing, marketing opt-ins. A website can breach both simultaneously (e.g., a deceptive cookie banner that's also a misleading commercial practice). Both the CMA and the ICO can enforce, and both are actively doing so.
