Legal Update for 2026: What every business needs to know about commercial law changes

2025 was a transformative year for UK and EU commercial law, with many updates due to come into effect this year. Businesses should start preparing now! From sweeping consumer protection reforms to landmark data legislation, the legal landscape is evolving rapidly. For businesses, these changes represent strategic opportunities to build trust, mitigate risk, and stay competitive.

In this update, we highlight four key developments that every business, general counsel, and decision-maker should understand coming into the new year.

    New Consumer Protection Provisions

    The Digital Markets, Competition and Consumers Act (also known as the DMCC Act) became law back in April 2024 and marked the most significant overhaul of UK consumer law in over a decade. The provisions within the Act have since been implemented in stages, with a number coming into force in 2025 and 2026. While the Act has a wide scope and objectives, its overarching aim is to clamp down on unfair practices and empower consumers in the digital economy.

    Drip Pricing Ban

    Businesses must now display the total price upfront, including all mandatory fees, taxes, and charges (so far as they can be calculated at the time). For example, when booking tickets for an event, any unavoidable processing fees, booking fees or admin fees should be included in the total price of the product. Hidden costs added late in the buying process (known as drip pricing) are now prohibited. This, however, does not include optional fees, upgrades or add-ons such as priority entry to an event.

    Failure to comply can result in fines of up to 10% of global turnover and reputational damage. The Competition and Markets Authority (CMA) has already launched investigations into eight businesses, including StubHub, Viagogo, and Gold’s Gym, for failing to disclose mandatory charges at the outset, signalling that enforcement is a priority.

    Fake Reviews Prohibited

    Businesses must take “reasonable and proportionate steps” to prevent and remove fake reviews and disclose any incentives clearly and prominently. This includes influencer endorsements, free products, or other benefits.

    The CMA has published guidance and expects businesses to implement robust policies for monitoring and removing prohibited reviews. Enforcement is already underway, and failure to comply could lead to significant penalties.

    Subscription Contracts

    New rules for subscription contracts (covering pre-contract information, renewal reminders, and simplified cancellation routes) are expected to take effect in 2026. While implementation has been delayed, businesses should start preparing now. The key is mapping your subscription lifecycle and identifying changes needed to meet upcoming requirements, including clear exit routes and reminder notices.

    Direct Enforcement Powers

    Perhaps the most transformative change: the CMA now has direct enforcement powers, enabling it to impose fines of up to 10% of global annual turnover without going through the courts. It can also order redress for consumers and impose compliance measures. Prohibitions on drip pricing and the use of fake reviews have been in effect since April 2025, and with the CMA taking an increasingly proactive enforcement stance, businesses must ensure they are fully compliant.

    The Cancel Button

    The EU Directive (2023/2673) introduces a mandatory “Cancel Contract” button for online consumer contracts. These changes stem from EU consumer protection regulations and will significantly impact e-commerce, digital services, and compliance strategies for businesses operating online.

    From June 2026, businesses selling to EU consumers must provide a clear, prominent, and easily accessible cancellation option on the same interface where the contract was made.

    The withdrawal function should be labelled with the words “withdraw from contract here” or the equivalent and presented in an easily legible way, ensuring clarity for consumers. Consumers must also receive instant confirmation of their cancellation containing information such as the date and time of the withdrawal.

    Although there are some exclusions and the directive currently applies only within the EU, UK businesses should take note of these changes and assess their potential impact on future trading. Non-compliance could result in cross-border enforcement, and we anticipate that similar regulations may be considered in the UK in due course.

    ASA Rulings – Key Case Studies Reinforcing the DMCC Act

    The push for greater clarity and fairness doesn’t stop with legislation. The Advertising Standards Authority (ASA) has been active in holding businesses accountable for misleading practices, echoing the DMCC Act’s emphasis on upfront information.

    Subscription Pricing

    In August 2025, the ASA ruled against a fitness app for failing to disclose a 12-month minimum commitment on a “£7.99 monthly” plan. The lesson here is that significant conditions (like minimum terms) must be prominently displayed, not buried in small print.

    Headlines vs the Small Print

    Similarly, in October 2025, William Hill’s headline offer “Enjoy £40 on us! When you opt in and stake £20” was found to be misleading because the key condition of “Min. £40 stake on Marble Race Live” was hidden in the small print below. In this case, the ASA confirmed that headlines cannot contradict or obscure essential terms.

    The ASA’s stance aligns closely with the DMCC Act’s emphasis on clear, upfront information. Ultimately, these changes are about compliance, but moreover, they are about building trust and transparency with customers. Businesses that embrace this approach will not only reduce regulatory risk but also create smoother customer experiences and foster long-term loyalty. By being proactive and clear about pricing, terms, and cancellation rights, you position your business as trustworthy and customer-focused in an increasingly regulated market.

    A New Era for Data Governance

    The EU Data Act, effective from 12 September 2025, is a cornerstone of the EU’s digital strategy and introduces broad obligations for businesses handling data from connected devices and cloud services that sell into the EU.

    Cloud Switching & Interoperability

    Providers must allow customers to switch services easily, without undue barriers or lengthy procedures. Providers cannot lock in customers without offering a right to switch, subject to a maximum notice period of two months and a transitional period of no more than 30 calendar days. From 12 January 2027, all switching charges must be eliminated.

    These provisions aim to unlock the market, benefiting both consumers and businesses by increasing choice and expanding the potential customer base.

    Additional Key Changes

    • User Access & Sharing Rights: Users of connected products (e.g. smart appliances, vehicles, industrial machinery) must be able to access and share the data generated by their use.
    • Fair Contract Terms: The Act prohibits unfair or one-sided clauses in data-sharing agreements, particularly those imposed by dominant players on SMEs.
    • Scope & Applicability: Applies to EU-based businesses and non-EU entities (including UK businesses) offering connected products or services to EU customers. SMEs may benefit from exemptions or extended timelines.

    This legislation aims to unlock the value of industrial and non-personal data, foster innovation, and ensure fairness in the data economy.

    Our article on the EU Data Act provides further details on these key changes and more for businesses operating in the EU and the UK.

    The Data (Use and Access) Act

    The Data (Use and Access) Act 2025, which received Royal Assent in June 2025, represents a major update to the UK’s data regulation framework. Its overarching aim is to modernise data governance, enable smart data sharing, and strengthen digital identity standards while maintaining alignment with UK GDPR.

    Some of the Key Changes:

    • Subject Access Requests: Previously, organisations faced uncertainty over how far they needed to go when responding to an individual’s request to access their personal data. The Act clarifies this position: businesses are only required to conduct a reasonable and proportionate search for relevant information, rather than an exhaustive one.
    • International Transfers: The Act simplifies and clarifies rules for transferring personal data internationally. The adequacy test is eased: the transferee country’s protections must be “not materially lower” than UK standards, rather than “essentially equivalent.”
    • Smart Data Schemes: The Act creates a framework for regulated schemes enabling individuals to share data securely with authorised third parties across sectors such as finance, utilities, and telecoms.
    • Automated Decision-Making: Restrictions on automated decision-making (ADM) have been softened, so long as certain conditions are met, such as the option for meaningful human intervention and individuals being informed (as well as being given the opportunity to make representations or contest a decision).
    • Integration with Existing Laws: The Act amends UK GDPR, the Data Protection Act 2018, and PECR.
      • Removes the consent requirement for certain cookies (e.g. website appearance and website analytics) provided users are informed and can opt out.
      • Aligns PECR fines with UK GDPR (up to £17.5m or 4% of turnover), increasing enforcement risk for cookie and marketing breaches.
    • Data Protection Complaints: Controllers must implement a formal complaints process, acknowledge complaints within 30 days, and respond promptly.

    Both the EU Data Act and the UK Data (Use and Access) Act 2025 signal a clear shift toward greater transparency and access, interoperability, and consumer empowerment in the digital economy.

    Legal Foresight is Business Foresight

    2025’s legal changes underscore a clear message: compliance is no longer a back-office function and transparency is key. When working with consumers and data it is imperative to ensure you are in line with all new legal updates. Businesses that anticipate and adapt to these changes will not only avoid penalties but also gain a competitive edge in an increasingly regulated market.

    How We Can Help

    If you’re unsure how these changes affect your business, reach out to our Commercial team today. We can help you navigate the new rules and turn compliance into a competitive advantage. Our services include:

    • Contract Review: Ensure your agreements reflect new legal requirements.
    • Compliance and Data Protection: Align your processes with UK and EU obligations.
    • Strategic Advice: Guidance on timing, risk mitigation, and commercial impact.
    • Consumer Rights Advice: Guidance on new policies and any steps that may need to be taken in line with the new consumer protection provisions.

    Get in touch today to discuss how we can help you and your business.

    Cesare McArdle
    Partner, Commercial & Construction

    This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.
