CMA Enforcement: What subscription businesses need to know
The Competition and Markets Authority is actively enforcing the DMCC subscriptions chapter. This guide explains their powers, enforcement priorities, and what evidence you need to protect your business.
Last reviewed March 2026 · Source: Competition and Markets Authority. This page is for general information only and is not legal advice — consult qualified counsel for advice on your specific situation.
CMA enforcement powers
The DMCC Act gives the CMA significantly strengthened powers compared to its previous consumer enforcement regime. Unlike the old Part 8 Consumer Rights Act powers, the CMA can now act faster and impose larger penalties directly — without needing a court order for financial penalties.
Investigation
The CMA can open investigations based on consumer complaints, its own monitoring, or referrals from Trading Standards. Investigations can be triggered by a single complaint.
Compliance Orders
The CMA can issue orders requiring businesses to change their practices immediately. Non-compliance with an order is itself a criminal offence.
Financial Penalties
Fines of up to 10% of global annual turnover or £300,000, whichever is higher. For a business with £5M global turnover, this means up to £500,000.
Public Enforcement
Enforcement decisions are published on the CMA website, naming the business and describing the breach. Reputational damage often exceeds financial penalties.
We expect businesses to be ready to demonstrate compliance if asked. Businesses that cannot show they have met the requirements will be treated as non-compliant — regardless of their intent.
— CMA, DMCC subscriptions enforcement guidance
High-risk areas and what EVIDENCEE records
Based on CMA guidance, consumer complaint patterns, and early enforcement signals, these are the areas most likely to attract investigation.
Fake and incentivised reviews
High riskThe CMA has named fake reviews and undisclosed incentivised reviews as a top enforcement priority under the DMCC banned-practices regime. Hosting them, commissioning them, or failing to take reasonable steps to remove them is a direct breach.
EVIDENCEE: EVIDENCEE connects to your review sources, scans for incentivised, paid, and duplicated patterns, and records every triage decision (actioned, dismissed, referred to legal) with handler, timestamp, and reason.
Drip pricing on sign-up flows
High riskRevealing taxes, mandatory fees, shipping, or add-on charges only at checkout — instead of in the up-front total — is the canonical DMCC price-clarity breach and a stated CMA priority.
EVIDENCEE: EVIDENCEE runs scheduled scans of your configured sign-up pages and logs every finding to the Evidence Vault with the page, the missing price component, and the operator who resolved it.
Pre-contract information
High riskCMA has indicated pre-contract information is a priority. Missing, unclear, or buried subscription summaries are a direct breach.
EVIDENCEE: EVIDENCEE logs every pre-contract display event with timestamp and content hash.
Cancellation parity
High riskComplex cancellation flows — more steps than sign-up, call centre requirements, waiting periods — are the most common complaint category.
EVIDENCEE: EVIDENCEE compares sign-up and cancel flows automatically, flagging any parity violations.
Annual renewal notices
High riskFailing to send renewal reminders before annual billing, or sending them too late, is a clear breach with clear evidence trail.
EVIDENCEE: EVIDENCEE schedules and logs all notice delivery with confirmation receipts.
Trial-to-paid conversion
Medium riskConverting free trials to paid subscriptions without adequate notice or pre-contract information is a common enforcement target.
EVIDENCEE: EVIDENCEE tracks trial-ending notices and logs pre-contract disclosure for trial sign-ups.
Cooling-off refusals
Medium riskRefusing or delaying cooling-off refund requests without documented justification creates enforcement risk.
EVIDENCEE: EVIDENCEE case management records every decision with handler, timestamp, and reason.
Evidence gaps
High riskClaiming compliance without being able to prove it is as dangerous as non-compliance. The CMA expects businesses to have evidence readily available.
EVIDENCEE: EVIDENCEE's Evidence Vault provides an immutable, exportable record of all compliance events.
What to have ready if the CMA contacts you
If the CMA opens an investigation, they will request specific documentation. Businesses that can provide this quickly and comprehensively are far better positioned than those scrambling to reconstruct records.
Records of pre-contract information displayed to subscribers
Notice delivery logs with timestamps and recipient evidence
Cancellation flow documentation showing step parity
Cooling-off requests, decisions, and refund records
Drip-pricing scan results and resolution actions for each finding
Fake-review scan results, triage decisions, and review-source connections
Evidence of your DMCC compliance controls and policies
Audit trail of any system changes affecting compliance
EVIDENCEE Audit Bundle Export
EVIDENCEE generates a complete, regulator-ready PDF + JSON audit bundle covering every category above. The bundle includes SHA-256 payload hashes on every evidence record, providing cryptographic proof of integrity. Export time: under 5 minutes.
Ready to become audit-ready?
Connect your platform in minutes, get your readiness score, and see exactly what needs to change — before the CMA asks.