What powers does the CMA have to investigate online businesses?

The CMA can investigate online businesses under the Consumer Rights Act 2015 (consumer protection enforcement), the Digital Markets, Competition and Consumers Act 2024 (DMCCA 2024), and the Competition Act 1998. DMCCA 2024 gave the CMA new direct enforcement powers for consumer protection without needing to go to court, and created the digital markets regime for firms designated with Strategic Market Status. For most small and medium-sized online businesses, the consumer protection enforcement powers are the most directly relevant.

What triggers a CMA investigation of an online business?

CMA investigations typically start with intelligence gathering from multiple sources: super-complaints from designated bodies, complaints from consumers and businesses, referrals from sector regulators, the CMA's own market monitoring, and media reports. In the digital space, the CMA prioritises dark patterns (subscription traps, hidden fees, fake urgency), misleading environmental claims, and online reviews. A single complaint rarely triggers a formal investigation, but patterns of complaints about a specific business or practice do.

Can the CMA fine a business directly for consumer protection breaches?

Yes, since DMCCA 2024 came into force in April 2025. Under the pre-DMCCA regime, the CMA had to go to court to obtain undertakings or enforcement orders. DMCCA gives the CMA direct fining powers for consumer protection breaches: up to £300,000 or 10% of global annual turnover, whichever is higher, without needing court proceedings. This is a significant increase in enforcement risk for online businesses.

What is Strategic Market Status under DMCCA 2024?

Strategic Market Status (SMS) is a designation the CMA can apply to firms with substantial and entrenched market power in a digital activity. SMS firms are subject to conduct requirements set by the CMA (for example, on self-preferencing, data access, and interoperability) and can face fines of up to 10% of global turnover for breaches. SMS designation is currently being considered for a small number of large digital platforms; it is not relevant for most SMEs.

CMA investigations under DMCCA 2024: UK guide 2026

Steven | TrustYourWebsite · 8 May 2026 · Last updated: June 2026

The Competition and Markets Authority (CMA) enforces competition law and consumer protection law in the United Kingdom. For online businesses, the CMA's relevance has increased significantly since the Digital Markets, Competition and Consumers Act 2024 (DMCCA 2024) came into force in April 2025, giving the CMA new direct enforcement powers and expanding its digital markets toolkit.

This guide explains what online businesses need to understand about CMA investigations: what triggers them, how they proceed, what powers the CMA has and what the consequences of a finding look like.

To check whether your website's commercial practices, pricing transparency, subscription terms, cancellation mechanisms, create CMA-relevant risk, run a free scan at /uk/en/scan.

The CMA's legal powers over online businesses

The CMA enforces three main regimes relevant to online businesses.

Consumer protection enforcement under Part 3 of the Digital Markets, Competition and Consumers Act 2024, which replaced the Part 8 enforcement orders regime of the Enterprise Act 2002. This covers breaches of consumer law, including the Consumer Rights Act 2015, the Consumer Protection from Unfair Trading Regulations 2008 (CPUTRs) and the E-Commerce Regulations 2002. Before DMCCA 2024, the CMA had to seek court orders to enforce these rules. From April 2025, the CMA can issue enforcement notices and impose fines directly.

Competition law under the Competition Act 1998. The CMA investigates anti-competitive agreements (Chapter I prohibition) and abuse of dominant position (Chapter II prohibition). For online businesses, the most relevant Chapter II concern is anti-competitive conduct by a dominant platform, though dominance is hard to establish for most businesses.

Digital markets regulation under Part 1 of DMCCA 2024. This creates the new Strategic Market Status regime for large digital platforms. It is not directly relevant for SMEs but shapes the overall regulatory environment in which online markets operate.

What the CMA targets: online practices in focus

The CMA's 2025-26 enforcement priorities include several practices common in e-commerce and subscription-based online businesses.

Practice	DMCCA 2024 status	Common SME instance
Subscription traps	Explicit statutory requirements: cooling-off, cancellation mechanisms	Free trials that auto-renew without warning, multi-step cancellation flow
Drip pricing	Mandatory charges hidden from headline price now a banned commercial practice	Booking and ticketing platforms adding fees only at checkout
Fake urgency and social proof	Codified as prohibited commercial practices	Resetting countdown timers, fake "X people viewing this" widgets
Misleading environmental claims	Existing CPUTR rules backed by new direct enforcement powers	Unsubstantiated "eco" and "carbon-neutral" claims on product pages
Fake or incentivised reviews	Explicit prohibition under DMCCA 2024	Bought reviews. Reviews from staff. Unmarked incentivised reviews.

Subscription traps: signing customers up to recurring payments that are difficult to cancel, inadequately disclosed at point of sale or that renew after a free trial without clear advance warning. The CMA secured undertakings from several major subscription businesses in 2024 and is actively monitoring compliance. DMCCA 2024 now contains specific statutory requirements for subscription contracts including cooling-off periods and cancellation mechanisms.

Hidden fees and drip pricing: presenting an initial price that does not include mandatory charges, which are added during checkout. The CMA's 2023-24 work on hotel and holiday booking platforms examined drip pricing in detail. DMCCA 2024 makes hidden mandatory fees in consumer contracts a new category of unfair commercial practice.

Fake urgency and social proof: countdown timers that restart, limited availability claims based on real-time data the consumer cannot verify and fake or incentivised reviews. The CMA's online reviews investigation has led to undertakings from several platforms. DMCCA 2024 codifies fake urgency and fake social proof as prohibited commercial practices.

Misleading environmental claims: greenwashing in product descriptions, sustainability claims that cannot be substantiated and misleading use of eco-labels. The CMA's Green Claims Code published in 2021 remains the primary guidance. The CMA brought its first greenwashing enforcement case against a fashion retailer in 2024 under the existing CPUTRs framework.

How a CMA investigation starts

CMA investigations do not typically start with formal notice. The intelligence-gathering phase is informal and the business under investigation may not be aware of it. Sources of intelligence include consumer complaints submitted to Citizens Advice (which feeds the CMA's consumer intelligence network), super-complaints from designated consumer bodies, media and NGO reporting, sector regulator referrals and the CMA's own market monitoring using commercial data.

A formal investigation begins when the CMA issues a case opening decision. At this point, the CMA has gathered sufficient intelligence to reasonably suspect a breach of consumer law or competition law. From April 2025, consumer protection cases use the new DMCCA 2024 enforcement process, competition cases continue to use the Competition Act 1998 process.

The DMCCA 2024 consumer enforcement process

Under DMCCA 2024, the CMA's consumer protection enforcement process has six main stages.

Stage	What happens	Business action
1. Investigation	CMA uses s.46 DMCCA 2024 information-gathering powers	Comply promptly. Non-compliance is itself a breach.
2. Provisional decision	CMA provisionally finds a breach and notifies the business	Make written representations within the stated window.
3. Remediation	Business may offer undertakings (commitments to change practice, redress)	Strong stage to offer specific, measurable undertakings.
4. Final enforcement decision	CMA issues a final decision specifying required action	Comply within the stated deadline.
5. Penalties	Businesses face fines up to 10% of global annual turnover. Individuals face fines up to £300,000. Consumer redress schemes possible.	Pay within deadline or appeal.
6. Appeals	Competition Appeal Tribunal hears appeals on law, fact or penalty level	File appeal within tribunal time limits if grounds exist.

What small businesses need to do

Most small and medium-sized e-commerce businesses will not face a CMA investigation. The CMA prioritises cases with significant consumer harm, widespread impact and precedent-setting value. Single-business investigations of SMEs are rare unless the practice is egregious or there has been significant consumer complaint volume.

However, the DMCCA 2024 regime has lowered the barrier to enforcement action and the CMA's direct fining power removes the old deterrent that enforcement required costly court proceedings. The practical risk-management steps for online businesses are:

Review your subscription and cancellation terms against the DMCCA 2024 subscription contract requirements. The requirements include clear pre-contract information, cooling-off periods and cancellation mechanisms that do not impose disproportionate barriers.

Audit your checkout flow for hidden fees or mandatory charges that are not included in the headline price. All mandatory charges should be included in the first price shown.

Review urgency and social proof claims, countdown timers, "X people viewing this", "only 3 left" claims and ensure they are accurate and not artificially generated. The design patterns the CMA treats as unlawful nudges are covered in detail in DMCCA dark patterns: what the CMA enforces.

Review environmental and sustainability claims against the CMA's Green Claims Code: claims must be accurate, substantiated and not misleading by omission.

For how DMCCA 2024 affects your statutory cancellation button requirement, see consumer cancellation rights under DMCCA 2024. For what the penalties actually look like in practice, see DMCCA fines in 2025.

Check your website's commercial practices now at /uk/en/scan.

This is technical analysis, not legal advice. Consult a solicitor for specific guidance on CMA investigations and consumer law compliance.

Sources

Share this article

Check your website now

Scan your website for consumer-rights issues and 30+ other checks.

Start free check

UK Website Guides

Consumer Rights Act 2015: What UK Websites Must Disclose

Mandatory disclosures for UK e-commerce under the Consumer Rights Act 2015 and Consumer Contracts Regulations 2013, and what Trading Standards enforce.

DMCCA fines 2025: 10% of global turnover for UK firms

DMCCA fines 2025: 10% global turnover for UK firms, £300,000 for individuals, plus daily continuing-breach penalties.

DMCCA 2024: 10% Turnover Fines for Dark Patterns on UK Sites

DMCCA 2024 gives the CMA power to fine UK sites up to 10% of global turnover for drip pricing, fake reviews and subscription traps. What's prohibited and when.

UK online cancellation: DMCCA 2024 and CCRs 2013

UK online cancellation 2026: CCRs 2013 14-day cooling-off, DMCCA 2024 subscriptions and CMA powers up to 10% turnover.