Mid-Year Commercial Legal Update for 2026: Are You Keeping Pace with Change?

If 2025 was the year of legal reform, 2026 is the year of real-world impact.

Across consumer law, data regulation and commercial practices, businesses are no longer simply preparing for change; they are being held to account. Regulators are actively enforcing new rules, expectations around transparency are rising, and digital business models are under increasing scrutiny.

For many organisations, this isn’t just about compliance. It’s about protecting your brand, maintaining customer trust, and staying competitive in a rapidly shifting legal landscape.

In this mid-year update, we highlight the developments that matter most, and what they mean in practice for your business.

A New Era for Data Governance

The EU Data Act

The EU Data Act, effective from 12 September 2025, is a key part of the EU’s digital strategy and introduces wide-ranging obligations for businesses handling data from connected devices and cloud services that sell into the EU.

In particular, providers of data processing and cloud services must allow customers to switch services easily, without undue barriers, with switching charges due to be eliminated by January 2027.

The Act also gives users the right to access and share data generated by connected products and places limits on unfair contractual terms, especially where SMEs are involved. It applies to both EU businesses and non-EU businesses, including those in the UK, offering relevant products or services into the EU. Overall, the legislation is designed to unlock the value of non-personal data, promote innovation and ensure fairness in the data economy.

Our article on What the EU Data Act Means for Your Business provides further detail on these changes and what they mean in practice for businesses operating in the EU and the UK.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 represents a significant update to the UK’s data framework, aimed at modernising data governance while maintaining alignment with UK GDPR.

The Act introduces a more practical and flexible approach in several key areas, including confirming that organisations only need to carry out reasonable and proportionate searches when responding to subject access requests, and relaxing the test for international data transfers. It also expands the use of recognised legitimate interests, giving businesses greater certainty when processing data in areas such as crime prevention, public interest and safeguarding.

There is also increased flexibility around automated decision-making, particularly where sensitive data is not involved, alongside changes to cookie rules, which reduce the need for consent in certain low-risk scenarios.

At the same time, enforcement risk has increased significantly, with PECR fines now aligned with UK GDPR levels (up to £17.5 million or 4% of global turnover).

Importantly, since 19th June 2026, organisations must also implement formal data protection complaints procedures, including acknowledging complaints within 30 days and responding without undue delay.

For a closer look at these new complaints requirements, please read our article: Data Protection Complaints: New Legal Requirements from June 2026

Both the EU Data Act and the UK Data (Use and Access) Act 2025 signal a clear shift toward greater transparency and access, interoperability, and consumer empowerment in the digital economy.

Late Payment Reforms: A Shift Towards Stronger Enforcement

The UK’s proposed late payment reforms signal a clear direction of travel towards greater accountability and improved cash flow across supply chains, particularly for SMEs.

While the reforms are not yet in force, they are expected to introduce stricter payment timelines, enhanced enforcement powers, and increased transparency obligations for businesses. In practice, this is likely to require organisations to revisit their payment terms, internal processes, and contractual arrangements to ensure compliance. For many businesses, this is not just a legal issue but a commercial one, with late payment increasingly viewed as both a regulatory risk and a reputational concern.

We explore these upcoming changes in more detail in our article on the topic, which can be accessed here: Pay Up or Pay the Price: Late Payment Reform Ahead – What Businesses Need to Know

As the position develops, businesses should keep these reforms on their radar and begin considering what changes may be required ahead of implementation.

New Consumer Protection Provisions

The Cancel Button

Since 19th June 2026, businesses selling to EU consumers online must comply with new rules requiring a mandatory withdrawal function. This reflects a broader move towards giving consumers clearer and simpler exit rights. Online interfaces must include a clear “Withdraw from contract” button, a simple process that can be completed in a few clicks, and immediate confirmation of cancellation with timing details. These rules apply to all businesses, regardless of size, and will particularly affect e-commerce, SaaS and subscription models. UK businesses should still take note, as the rules apply when selling into the EU, may influence future UK reforms, and directly impact customer experience and compliance risk.

Upfront Pricing: No Surprises Allowed

One of the most impactful changes is the ban on “drip pricing”. Businesses must now clearly display the total price upfront, including all mandatory fees and charges, wherever a consumer is invited to purchase. That means no hidden booking or admin fees appearing late in the checkout process, no disconnect between headline pricing and the true cost and no reliance on small print to clarify key charges.

Crucially, this is already moving beyond guidance with investigations and enforcement action underway, and regulators are actively reviewing pricing practices. With potential fines of up to 10% of global turnover, this is a clear enforcement priority.

What this means in practice: If your pricing journey isn’t completely transparent from the outset, it likely needs revisiting now, not later.

Online Reviews: Trust Must Be Earned (and Managed)

The rules around reviews reflect a wider regulatory focus on consumer trust in the digital environment. Businesses must take active steps to prevent fake or misleading reviews, remove problematic content and clearly disclose any incentives or endorsements. This isn’t just a platform issue. It applies across marketing, influencer activity, and customer engagement strategies.

What this means in practice: Passive oversight is not enough; businesses need robust systems and policies in place. Enforcement is already underway, and failure to comply could lead to significant penalties.

Subscription Contracts

Subscription models remain a key area of focus, with further reforms expected to come into force in Spring 2027 (with official dates to be confirmed). These changes are designed to address common consumer frustrations and will require businesses to:

  • Be clearer about pricing post-trial
  • Provide timely and meaningful renewal reminders, including in relation to auto-renewals
  • Offer simple, frictionless cancellation routes, including providing clear information on applicable cooling-off periods

What this means in practice: From a regulator’s perspective, if it’s easy to sign up, it must be just as easy to leave.

For many businesses, this will mean rethinking not just terms and conditions, but the entire customer journey.

Direct Enforcement Powers

Perhaps the most significant development is procedural: the CMA now has the power to enforce these new consumer reforms directly, without going through the courts. This means the CMA can impose substantial fines on businesses, order refunds or compensation for affected consumers, and require changes to business practices where breaches are identified. The overall effect is faster decision-making, more immediate penalties, and an increased level of regulatory risk for businesses.

So, What Should You Be Doing Now?

Across all of these developments, one clear theme emerges: compliance is no longer something that can be addressed reactively. Instead, it must be built into your business from the outset.

In practice, this means businesses should now be reviewing their pricing strategies, marketing materials and overall customer journeys to ensure transparency from the first point of engagement. It also means auditing subscription models and cancellation processes to ensure they are clear, fair and easy for consumers to navigate.

For those operating in or selling into the EU, online interfaces should be updated to reflect the new withdrawal requirements, while data governance frameworks and internal processes should be strengthened to align with the evolving UK and EU data landscape.

Alongside this, businesses should continue to monitor enforcement trends closely, as regulators increasingly move from guidance to action.

How We Can Help

Legal change can feel complex and, at times, overwhelming, but it doesn’t have to be.

Our Commercial team works closely with businesses to provide clear, practical and commercially focused advice, helping you not only achieve compliance but also turn regulatory change into a strategic advantage. Our services include:

  • Contract Review: Ensuring your agreements and terms and conditions reflect the latest legal developments.
  • Consumer Law Compliance: Reviewing pricing, marketing practices and subscription models to meet evolving requirements.
  • Compliance and Data Protection: Aligning your data governance frameworks and internal processes with UK and EU obligations.
  • Implementation Support: Helping you embed new legal requirements into your business operations and customer journeys.
  • Strategic Advice: Providing pragmatic guidance on timing, risk mitigation and commercial impact.

Contact us today to discuss how we can help you and your business.

Cesare McArdle
Partner, Commercial & Construction

This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.
