On 9 March 2026, the UK Competition and Markets Authority published the first guidance from any major consumer-protection authority anywhere in the world specifically addressing AI agents in consumer-facing roles. It is not new law. It is the Consumer Rights Act 2015, the Consumer Protection from Unfair Trading Regulations 2008, and the DMCCA 2024 applied to a new operational context. The deployer was already on the hook. The guidance made it impossible to pretend otherwise.
"You are responsible for what an AI agent does in the same way you are responsible for what an employee does. This is true even if someone else designed or provides the AI agent on your behalf."
CMA · gov.uk · 9 March 2026
Most coverage of the CMA's framework has framed it as "rules for AI agents." It isn't. It is a pre-existing standard for what businesses owe their customers, applied to a new way of meeting them.
Published 9 March 2026 on gov.uk. Five action sections, four worked examples, enforced under existing UK consumer law and the Digital Markets, Competition and Consumers Act 2024. Not a consultation. Not draft. Already operative.
The CMA didn't legislate. It applied the Consumer Rights Act 2015, the Consumer Protection from Unfair Trading Regulations 2008, the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, and the DMCCA. Every obligation in the guidance was binding before the guidance existed.
Not the model provider. Not the agent platform. The business deploying the agent is responsible for what it does "in the same way you are responsible for what an employee does" — even where a third party designed or supplied it. Up to 10% of worldwide turnover. Imposed by the CMA directly, no court required.
An agent product is built from at least three contributions — the model, the runtime platform, and the deployer's own configuration. Each of those can be a different organisation. Under the CMA's framework, the legal exposure ignores that diversity entirely. It concentrates on the deployer.
The gov.uk page reads as a calm five-section walkthrough — one framing principle ("the same rules apply") plus four action sections. Each is short. None is optional. They are reproduced and expanded below.
The CMA derives its authority from four pieces of existing UK statute. The guidance is a particular reading of those statutes applied to a new technology. Knowing what feeds into it determines what counts as a breach.
The guidance includes four worked examples. The four scenarios were not chosen at random — each maps onto a specific cluster of consumer-protection obligations and a specific class of common operational failure.
A handful of statistics that the rest of the field note rests on. The first four are taken from the guidance and its enforcement architecture. The fifth is a peer-reviewed anchor for the dark-patterns concern the policy paper raises.
10% of worldwide turnover: the maximum penalty under the DMCCA 2024 for consumer-protection breaches. Aligns the UK with the GDPR fine ceiling. The CMA can impose this directly, without court proceedings.
5 sections: "same rules apply" plus four operational requirements (Tell, Train, Monitor, Refine). The most compact regulatory framework of 2026 — short enough to fit a single A4 page.
4 worked examples: marketing campaigns, refund processing, customer-service queries, deal-comparison services. Each maps to a specific cluster of statutes and a specific operational failure mode the CMA expects to see.
1,818 dark-pattern instances found across 11,000 shopping websites in Mathur et al.'s CSCW 2019 paper. Predates the agent era — the baseline before agents make the same patterns operate at greater scale and lower visibility.
The operational guidance tells deployers what to do. The companion policy paper, published the same day, tells regulators what to watch for. Five themes recur. None of them is fully addressable inside the four requirements. Each one is where the next round of enforcement will be drawn.
The UK CMA is the first major consumer-protection authority anywhere in the world to publish AI-agent-specific guidance. It will not be the last. How each jurisdiction enforces its position on deployer liability tells you what posture you need to take depending on where you ship.
Sources: CMA guidance · DMCCA 2024 · California AB 316 · Amazon.com Services LLC v. Perplexity AI Inc., N.D. Cal., 9 March 2026 · EU Regulation 2024/1689 (AI Act) · EU Directive 2024/2853 (revised PLD).
The CMA's guidance is short. That brevity has produced predictable misreadings. Below are the three most common claims the field note's analysis pushes back on.
If you are deploying an AI agent into a UK consumer-facing role — chatbot, refund handler, recommender, marketing assistant — these are the questions the CMA's framework expects you to be able to answer. They map directly onto the four requirements plus the policy paper's structural concerns.
Five categories of source: the primary regulator document, the legal-academic and computer-science peer-reviewed scholarship, the supporting regulator publications, the underlying UK statute, and the practitioner analyses. The CMA's own guidance is at the top because it is the document everything else interprets.
Mathur, Acar, Friedman, Lucherini, Mayer, Chetty and Narayanan (Princeton/Chicago). Automated detection identified 1,818 dark-pattern instances across 11,000 shopping websites, sorted into 15 types and 7 categories. The empirical baseline for the dark-patterns concern in the CMA's companion policy paper. Honoured by the Future of Privacy Forum's Privacy Papers for Policymakers award.
Noam Kolt, forthcoming in Notre Dame Law Review Vol. 101. Brings two analytic frameworks to agent governance: the economic theory of principal-agent problems and the common-law doctrine of agency. Predicts the structural logic underneath the CMA's "responsible like for an employee" rule. The most-cited legal-academic anchor for any analysis of deployer liability in 2026.
Cohen, Kolt, Bengio, Hadfield & Russell. The argument for why governance frameworks cannot rely on empirical testing alone for sufficiently capable agentic systems. Long-term planning agents recognise test environments and behave differently in production — the structural insight underneath the CMA's "human in the loop" and "monitor performance" requirements.
Doctrinal and functional analysis of how EU AI Act transparency obligations compare to consumer-protection-law transparency duties. The CMA's "tell your customers" requirement and Article 50's "interaction with an AI" obligation overlap but do not align. Useful for any deployer operating across UK and EU markets.
Cross-regulatory paper from the Digital Regulation Cooperation Forum (CMA, FCA, ICO and Ofcom together) on 31 March 2026. Defines a five-level autonomy spectrum, catalogues seven categories of compliance risk, and distinguishes "amplified" from "novel" risks. Carries a polite disclaimer that it should not be read as policy. Should be read as policy.
The CMA's general framework for consumer-protection enforcement under the DMCCA. Sets out investigation procedures, undertakings, directions, and the scale of fines. Reads alongside the agent-specific guidance — anything found to be a breach via the agent route is enforced by the same processes that apply to any other consumer-protection breach.
The CMA's own guidance explicitly directs deployers here for case-study examples. The Hub aggregates worked scenarios across the four DRCF regulators — useful for deployers operating across multiple regulatory frameworks at once (FCA-regulated firms deploying agents, ICO/data-protection touchpoints, Ofcom-regulated platforms).
Statutory rights on goods, services, and digital content. Unfair contract terms (sections 62–65). The framework the CMA's refund-request worked example references directly. The CRA 2015 is what an agent must respect when handling returns, statutory faults, and contract performance.
The UK's general unfair-commercial-practices framework. Misleading actions, misleading omissions, aggressive practices, the average-consumer test. The most likely route for enforcing against an agent that steers, pressures, or misleads consumers at scale. The CMA's policy paper specifically connects dark-pattern personalisation to this regulation.
The act that transformed UK consumer-protection enforcement. The CMA can investigate, find, and fine for breaches of consumer protection law — up to 10% of worldwide annual turnover — directly, without court proceedings. The teeth that turn the CMA's guidance into a live operational risk.
The 14-day cancellation right for distance and off-premises contracts; specific information requirements. The framework the CMA's refund-request worked example cites for change-of-mind returns. An agent that doesn't recognise or apply the cancellation right breaches these regulations.
The cleanest practitioner walk-through of the CMA guidance's four operational principles — transparency, compliance by design, human oversight, swift remediation — and what each implies in practice. Includes the operational point most internal compliance teams miss: forward-looking remediation is not a cure for, or a defence against, previous breaches.
TLT's reading of the two-document structure (guidance + policy paper) and the new DMCCA enforcement architecture. Strong on the operational expectations: pre-launch due diligence, supplier-contract considerations, the higher bar that applies for vulnerable consumers and high-volume agents.
Compact summary of the four CMA requirements with the specific use-case implications spelled out: marketing campaigns (Digital Markets Act + ASA rules + influencer disclosure), refund processing (CRA 2015 + Consumer Contracts Regs 2013), customer service (CPRs 2008), and agentic collusion as a competition-law concern.
Ashurst's privacy team places the CMA framework alongside the parallel ICO consultation on automated decision-making under the Data (Use and Access) Act 2025. The intersection of the CMA's consumer-protection authority and the ICO's data-protection authority is where multi-track regulatory risk concentrates for any agent that processes personal data.