CMA Investigations: What Online Businesses Need to Know (2026)

The Competition and Markets Authority (CMA) enforces competition law and consumer protection law in the United Kingdom. For online businesses, the CMA's relevance has increased significantly since the Digital Markets, Competition and Consumers Act 2024 (DMCCA 2024) came into force in April 2025, giving the CMA new direct enforcement powers and expanding its digital markets toolkit.

This guide explains what online businesses need to understand about CMA investigations: what triggers them, how they proceed, what powers the CMA has, and what the consequences of a finding look like.

To check whether your website's commercial practices — pricing transparency, subscription terms, cancellation mechanisms — create CMA-relevant risk, run a free scan at /uk/en/scan.

The CMA's legal powers over online businesses

The CMA enforces three main regimes relevant to online businesses.

Consumer protection enforcement under Part 4 of the Enterprise Act 2002, as amended by DMCCA 2024. This covers breaches of consumer law — including the Consumer Rights Act 2015, the Consumer Protection from Unfair Trading Regulations 2008 (CPUTRs), and the E-Commerce Regulations 2002. Before DMCCA 2024, the CMA had to seek court orders to enforce these rules. From April 2025, the CMA can issue enforcement notices and impose fines directly.

Competition law under the Competition Act 1998. The CMA investigates anti-competitive agreements (Chapter I prohibition) and abuse of dominant position (Chapter II prohibition). For online businesses, the most relevant Chapter II concern is anti-competitive conduct by a dominant platform, though dominance is hard to establish for most businesses.

Digital markets regulation under Part 1 of DMCCA 2024. This creates the new Strategic Market Status regime for large digital platforms. It is not directly relevant for SMEs but shapes the overall regulatory environment in which online markets operate.

What the CMA targets: online practices in focus

The CMA's 2025–26 enforcement priorities include several practices common in e-commerce and subscription-based online businesses:

Subscription traps: signing customers up to recurring payments that are difficult to cancel, inadequately disclosed at point of sale, or that renew after a free trial without clear advance warning. The CMA secured undertakings from several major subscription businesses in 2024 and is actively monitoring compliance. DMCCA 2024 now contains specific statutory requirements for subscription contracts including cooling-off periods and cancellation mechanisms.

Hidden fees and drip pricing: presenting an initial price that does not include mandatory charges, which are added during checkout. The CMA's 2023–24 work on hotel and holiday booking platforms examined drip pricing in detail. DMCCA 2024 makes hidden mandatory fees in consumer contracts a new category of unfair commercial practice.

Fake urgency and social proof: countdown timers that restart, limited availability claims based on real-time data the consumer cannot verify, and fake or incentivised reviews. The CMA's online reviews investigation has led to undertakings from several platforms. DMCCA 2024 codifies fake urgency and fake social proof as prohibited commercial practices.

Misleading environmental claims: greenwashing in product descriptions, sustainability claims that cannot be substantiated, and misleading use of eco-labels. The CMA's Green Claims Code published in 2021 remains the primary guidance. The CMA brought its first greenwashing enforcement case against a fashion retailer in 2024 under the existing CPUTRs framework.

How a CMA investigation starts

CMA investigations do not typically start with formal notice. The intelligence-gathering phase is informal and the business under investigation may not be aware of it. Sources of intelligence include consumer complaints submitted to Citizens Advice (which feeds the CMA's consumer intelligence network), super-complaints from designated consumer bodies, media and NGO reporting, sector regulator referrals, and the CMA's own market monitoring using commercial data.

A formal investigation begins when the CMA issues a case opening decision. At this point, the CMA has gathered sufficient intelligence to reasonably suspect a breach of consumer law or competition law. From April 2025, consumer protection cases use the new DMCCA 2024 enforcement process; competition cases continue to use the Competition Act 1998 process.

The DMCCA 2024 consumer enforcement process

Under DMCCA 2024, the CMA's consumer protection enforcement process has six main stages:

Stage 1 — Investigation: the CMA uses its information-gathering powers (section 46 of DMCCA 2024, which mirrors the Enterprise Act provisions) to require the production of documents and information. Failure to comply with an information notice is itself a breach.

Stage 2 — Provisional decision: if the CMA provisionally finds a breach, it issues a provisional enforcement decision. The business has an opportunity to make representations.

Stage 3 — Remediation: before a final decision, the business can offer undertakings — commitments to change the practice, provide redress, or take specified steps. The CMA can accept undertakings and close the case, or reject them and proceed to a final decision.

Stage 4 — Final enforcement decision: the CMA issues a final decision finding a breach and specifying the required action. If the business does not comply, the CMA can impose penalties.

Stage 5 — Penalties: directly imposed fines of up to £300,000 or 10% of global annual turnover for the breach. Ongoing non-compliance can attract further fines. The CMA can also require consumer redress schemes.

Stage 6 — Appeals: businesses can appeal a CMA enforcement decision to the Competition Appeal Tribunal (CAT) on grounds of law, fact, or the level of penalty.

What small businesses need to do

Most small and medium-sized e-commerce businesses will not face a CMA investigation. The CMA prioritises cases with significant consumer harm, widespread impact, and precedent-setting value. Single-business investigations of SMEs are rare unless the practice is egregious or there has been significant consumer complaint volume.

However, the DMCCA 2024 regime has lowered the barrier to enforcement action, and the CMA's direct fining power removes the old deterrent that enforcement required costly court proceedings. The practical risk-management steps for online businesses are:

Review your subscription and cancellation terms against the DMCCA 2024 subscription contract requirements. The requirements include clear pre-contract information, cooling-off periods, and cancellation mechanisms that do not impose disproportionate barriers.

Audit your checkout flow for hidden fees or mandatory charges that are not included in the headline price. All mandatory charges should be included in the first price shown.

Review urgency and social proof claims — countdown timers, "X people viewing this", "only 3 left" claims — and ensure they are accurate and not artificially generated.

Review environmental and sustainability claims against the CMA's Green Claims Code: claims must be accurate, substantiated, and not misleading by omission.

For how DMCCA 2024 affects your statutory cancellation button requirement, see consumer cancellation rights under DMCCA 2024.

Check your website's commercial practices now at /uk/en/scan.