The question

Would a court be willing to imply a term into a business to business sale agreement in conflict with expressly allocated risk where the obligations on one party appear to lack commercial or practical coherence.

The key takeaway

Where commercial parties to a contract have expressly allocated risk, terms suggesting otherwise are unlikely to be implied.

The background

The Maltese Falcon, one of the largest masted yachts in the world, was sold by the claimant, Pleon, to Leonis. The sale agreement stipulated that the yacht would be delivered on 7 April 2022; it also provided for a sea trial before delivery and an option for Leonis to carry out a condition survey. The sale agreement contained the following clause:

“[The Yacht] shall be delivered safely afloat … in the same condition (fair wear and tear excepted) and outfitted as at the time of the Sea Trial, if any, and the Condition Survey…”.

By an access agreement (under the sale agreement) Leonis agreed that having purchased the yacht from Pleon and taken delivery, it would grant Pleon use of and access to the yacht for 61 days from 20 April 2022 to 20 June 2022. The access agreement contained clause 3.3:

"The [Yacht] and her tenders and gear shall be in commission and in full working order and [the Yacht] shall be seaworthy,…"

During the period of Pleon’s use and access, the yacht's starboard generator suffered an immobilising breakdown cutting short the use and access period.

The issue in this appeal of the arbitral tribunal's finding, was whether a term should be implied into the access agreement that Leonis’s obligations were “conditional on the [Yacht’s] hull and machinery on delivery under [the Agreement for Sale] having been properly maintained”. In the arbitration, the tribunal held that the above term was implied as without it, the contract would 'lack commercial or practical coherence'. The window between the delivery of the Maltese to the Defendant and the beginning of the Use Period was 12-13 days, not allowing enough time 'to effect any transformative maintenance'.

The decision

The High Court held that the standards set by clause 3.3 of the access agreement were clear. It was therefore required to determine whether a qualification to the circumstances in which that standard would apply was “necessary” (in the sense explained by the decisions referred to, principally Marks and Spencer plc v BNP Paribas Securities Services Trust Company [2016] AC 742) for the agreement between the parties to have business efficacy.

As at the time of delivery, under the sale agreement, the contractual possibilities were that the yacht was seaworthy or was unseaworthy. The provision for the sea trial and the option for a condition survey evidenced this. The risk that the yacht was unseaworthy at delivery to Leonis was, with Leonis as buyer and not Pleon as seller. Clause 3.3 of the access agreement confirmed that the risk that the yacht was unseaworthy remained with Leonis. It was not necessary to imply the suggested term into the agreement between the parties to give it business efficacy.

Pleon's appeal was allowed.

Why is this important?

The High Court's decision makes clear that the courts remain unwilling to imply terms that contravene clear and express allocations of obligation and risk – even where the obligations may seem harsh or impractical. The case reinforces the purpose of implied terms. They exist to make a contract workable, not fair.

Any practical tips?

Contracting parties should protect themselves when allocating risk; focusing on clear, joined up drafting to avoid a potential mismatch between key terms or obligations in related contracts.

Parties should ensure that they are comfortable with any risks they are assuming especially when these may be onerous. They should scrutinise the terms they are agreeing to and their practical implications. Are deadlines feasible? Is it possible to carry out obligations within the explicit and implied timeframes created by the contract?

Spring 2026

The question

How will a court determine whether onerous terms and conditions have been incorporated into a contract and can be relied on?

The key takeaway

An onerous or unusual contractual term or clause contained in one party's standard terms will not bind the other contracting party unless the party seeking to rely upon it can show that the clause was fairly and reasonably brought to the other party's attention. But the principle is unlikely to apply to commercial contracts between parties of equal bargaining power where the term is common in the industry.

The background

King Trading Limited (the Owner) time-chartered a vessel, the Solomon Trader to Bintan Mining Corporation (the Charterer and Insured). Sometime later, the Solomon Trader grounded in the Solomon Islands. This appeal concerns the proper interpretation of a marine insurance policy (the Policy) issued by the claimant insurer, MS Amlin Marine NV (the Insurer) to the Insured in respect of the Charterer's liability.

Key clauses of the Policy:

1. Part 1:

The Company [the Insurer] shall indemnify the Assured [the Charterer] against the Legal Liabilities [defined in part 7 of the Booklet as “Liability arising out of a final unappealable judgment or award from a competent Court, arbitral tribunal or other judicial body”], costs and expenses under this Class of Insurance which are incurred in respect of the operation of the Vessel, arising from Events occurring during the Period of Insurance as set out in sections 1 to 17 below.

2. Section 30.13 of part 5, the "pay first clause":

It is a condition precedent to the Assured’s right of recovery under this policy with regard to any claim by the Assured in respect of any loss, expense or liability, that the Assured shall first have discharged any loss, expense or liability.

There was also a hierarchy clause (clause 25) that provided that the terms of the specific Charterers' Liability clauses in the Policy should prevail over the General Terms and Conditions (in part 5, which included the pay first clause) "in the event of a conflict between them".

The Owner and another defendant obtained a significant arbitral award against the Charterer – the Charterer entered into insolvent liquidation, and they sought to pursue the Insurer direct.

In the Commercial Court, the Insurer successfully brought proceedings for declarations that the Policy's "pay first" clause meant that it did not have to indemnify the Charterer against its liability under the award. The proper interpretation of the Policy meant that it had no liability to the Owner (and others), even if the Charterer's liabilities passed to the Insurer under third party rights against insurers legislation.

The Owner and defendant appealed, arguing that the pay first clause should not be given effect on two main grounds. The first was that it was inconsistent with the Policy's insuring clause. Under that clause, the Insurer was required to indemnify the Insured when liability for the award arose and in the event of conflict, clause 25 meant that the insuring clause took hierarchy over the General Terms and Conditions which is where the pay first clause was located. The second ground was that it should not be given effect as it was an onerous and unusual term that was not brought fairly and reasonably to the Insured's attention. There was also an argument on incorporation, however, this argument was dismissed by the court and is not addressed.

The Court of Appeal rejected these arguments and dismissed the appeal, agreeing with the court of first instance.

The decision

A central question for the Court of Appeal was to determine whether, on interpretation, there was a conflict between the pay first clause and the insuring clause.

The inconsistency ground

The court endorsed the summary of the principles provided by Males LJ in Septo Trading Inc v. Tintrade Ltd (The Nounou) [2021] EWCA Civ 718 at [28]. To decide whether a general term qualifies or negates a specially agreed term, the court must consider "whether the two clauses can be read together fairy and sensibly so as to give effect to both". This must be assessed practically, having regard to "business common sense". If the court considers that the special term has been deprived of any effect, the two clauses are likely to be inconsistent. Additionally, if the specially agreed term is part of the main purpose of the contract, a term that detracts from it will likely be inconsistent. Ultimately, the object is to ascertain the intention of the parties as it appears from the language in its commercial setting.

Applying these principles, the court dismissed the inconsistency argument on the basis that, the indemnity in the insuring clause fell due when the award was made, however it could not be enforced until the Insured had paid the claim. The pay first clause was a qualification and did not negate the insuring clause, as the two clauses could still be "fairly and sensibly" read together. The court highlighted that pay first clauses are commonly used in the insurance and reinsurance industry. It also noted that, when Parliament had the opportunity to outlaw pay first clauses, it specifically excluded marine insurance policies from the prohibition (except in the context of death or personal injury).

The onerous clause ("red hand") ground

The court also dismissed this ground. Drawing on six cases that it recognised as authority for the doctrine, it summarised the doctrine as follows: where there is an onerous or unusual term contained in one party's standard terms, and the other party is not aware of that term, it will not bind the other party unless the party seeking to rely on it can show that the term was "fairly and reasonably" brought to the other party's attention. The onerous clause doctrine can be applied to both consumer and commercial contracts. The threshold for a finding that a clause is onerous or unusual will be high, particularly in commercial contexts where both parties are likely to be represented by professional agents and put on notice of the existence of such clauses. The doctrine is unlikely to have any application in commercial contracts where the parties are of broadly equal bargaining power, and where the challenged clauses in question are common form or usual terms regularly encountered in the business.

In applying all this to the facts of the case, the court found that inclusion of a pay first clause was not unusual; in fact, they are common in marine insurance. The owner could not benefit from the argument that the pay first clause was hidden away because the Insured was represented by a professional marine insurance broker who should have drawn the Insured's attention to it. This was a commercial contract between parties of broadly equal bargaining power, in which the court should be "slow to intervene".

Why is this important?

The court provided an in-depth review of the onerous clause doctrine and the qualifications it is subject to, reframing it as:

Where a particularly onerous or unusual term of a contract (an onerous clause) is contained in one party's standard terms, and where the other contracting party does not actually know of that term, it will not bind the other contracting party unless the party seeking to rely upon it shows that the clause in question (whether individually or as part of the standard terms) was fairly and reasonably brought to the other contracting party's attention.

Any practical tips?

Ensure onerous or unusual terms and conditions, including standard ones, are fairly and reasonably brought to the other party’s attention (in this case a reference to the Policy was acceptable). The more onerous or unusual the terms, the more that needs to be done to fairly and reasonably bring them to the notice of the other party. If on the receiving side, ensure that terms potentially embedded in other documents are caught in the review process. Extra care should be taken if an AI contact review tool is being utilised.

Despite the high threshold and qualifications attached to the onerous clause doctrine, and that it may prove challenging to apply in a commercial setting, consider that smaller businesses may seek to rely on the onerous clause doctrine where they have not received legal or professional advice.

The question

Is a party with an express contractual right to terminate the contract in response to certain trigger events, who continues to perform for a period of months after such an event has occurred, entitled to say that its conduct does not amount to an election to affirm the contract because it did not "know" that the contract entitled it to terminate?

The key takeaway

Even if a party is aware of facts that trigger a contractual termination right, unless a party is aware of the existence of the right to terminate itself, it cannot affirm the contract by its conduct and may therefore still terminate the agreement if it becomes aware of the right to terminate at a later date (unless estopped from doing so).

The background

URE Energy Limited (URE), a start‑up electricity supplier acquired by Mr Ensor, entered into a four‑year placeholder electricity supply contract with Genesis Housing Association Limited (Genesis) on 1 October 2017. URE and Genesis agreed that URE would supply electricity across Genesis’s estate for four years while the parties negotiated a longer‑term deal.

The four-year contract was detailed, both parties had specialist assistance during the negotiations, and it was drafted by a solicitor. It included clause 10.2(d): entitling URE (the supplier) to terminate the contract in certain events, including the passing of a resolution by Genesis for its amalgamation:

‘10.2 The Supplier may terminate this Contract at any time for all or any Supply Premises if: … (d) the Customer passes a resolution for its winding up which shall include amalgamation, reconstruction, reorganisation, administration, dissolution, liquidation, merger or consolidation (other than a solvent amalgamation, reorganisation, merger or consolidation approved in advance by the Supplier) or a petition is presented for, or a court of competent jurisdiction makes an order for, its winding up for dissolution, or an administration order is made in relation to it or a receiver is appointed over, or an encumbrance takes possession of or sells, one or more of its assets or the Customer makes an arrangement or composition with its creditors generally or ceases to carry on business; …’

The contract also contained the following term:

‘13.1 No delay or omission by either party in exercising any right, power or remedy under this Contract shall be construed as a waiver of such right, power or remedy and any single or partial exercise shall not prevent any other or further exercise of the same or the exercise of any other right, power or remedy.’

Clause 10.5 entitled URE to a termination payment equal to 50% of the remaining value of the contract in the event of a termination pursuant to clause 10.2.

In February 2018, Genesis passed a resolution to amalgamate with Notting Hill Housing Trust, creating Notting Hill Genesis (NHG). Genesis/NHG notified URE of the proposed amalgamation but did not seek its formal advance approval, and URE, through Mr Ensor, raised no objection and continued to supply power, invoice NHG and press ahead with meter roll out and the long‑term contract discussions.

By October 2018, the relationship had deteriorated and NHG gave written notice that it would not proceed with the long‑term contract. Mr Ensor sought advice from his solicitors. In November 2018 Mr Ensor was legally advised that URE could have a right to terminate the short-term contract without notice on the basis that NHG had not sought URE’s approval for the amalgamation. This was the first time Mr Ensor had become aware that URE might have such a right. The contract was terminated. URE ceased to operate and brought a claim for the termination payment under clause 10.5 on the basis that it was entitled to terminate the contract as a result of the amalgamation.

At first instance, the court considered whether URE had waived by "election" its right under clause 10.2(d)

to terminate by continuing under the contract. Election arises when a party has a choice between two alternative courses of action (typically, whether to terminate a contract or continue performance) and, with knowledge of the facts giving rise to that choice, acts in a way which is only consistent with having made a choice between them. As part of its consideration, the court examined whether Mr Ensor of URE was aware of its right to terminate (and, if so, when) and the impact of URE's receipt of legal advice from its solicitors.

The court found in favour of URE; the company had not elected to affirm the contract, as it had no knowledge of the right to terminate the contract until it received legal advice on termination in November 2018. Prior to that it only knew of "the facts giving rise to the right to terminate" – the amalgamation.

The decision

On appeal, the decision of the High Court was upheld. On the unchallenged finding of fact that Mr Ensor did not understand that clause 10.2(d) gave URE a right to terminate, until several months after the amalgamation event, the court found that no election to affirm could have occurred, despite URE’s post‑amalgamation conduct. To make an election, the party concerned must be aware both of the facts giving rise to terminate and of the right itself (knowledge would include "blind eye" knowledge).

The judge rejected NHG’s core submission that, where the right to terminate arises from an express contractual term, a commercial party has deemed knowledge of that term. Although it will be presumed that a party who has legal advice is aware of its rights, this presumption is rebuttable. A deemed knowledge rule would be at odds with this rebuttable presumption.

The court declined to carve out a special category for express termination clauses or to invent a deemed‑knowledge rule, stressing that to do so would, in substance, undermine the well established knowledge requirement of waiver by election and be unrealistic in the context of long and complex commercial contracts.

The court acknowledged that the knowledge requirement for waiver by election is difficult to reconcile with objective principles and the principle that ignorance of the law is no excuse but noted that any perceived unfairness could be mitigated in other ways. For example, courts will apply a “healthy scepticism” to self‑serving claims of ignorance and estoppel arguments can be utilised where there is detrimental reliance by the other party. In this case, however, the High Court had found no detrimental reliance by NHG.

Why is this important?

The case challenges the assumption that if a party appears to affirm the contract, by delaying in exercising its rights or by reason of its conduct in continuing to perform after a triggering event such as an amalgamation, the right to terminate is lost. A termination right will not be treated as waived by election unless the contracting party actually knows that the right exists and that it has a choice between terminating and affirming the contract.

Any practical tips?

Most commercial contracts contain detailed bespoke or standard termination provisions. These should be reviewed at the outset and, in terms of the right to terminate, monitored throughout the term of the contract for potentially triggering events (such as here, the amalgamation). Within a large business, ensure there is a joined-up approach to dealing with termination to avoid a situation where the actions of one part of the business end up affirming the contract while another part, with the requisite knowledge, seeks to terminate.

Consider, within the termination clause, specifying a clear time limit within which any termination right must be exercised, to prevent parties from seeking to rely on that right long after the triggering event has occurred.

When negotiating complex, lengthy contracts keep in mind that your counterparty may not have "knowledge" of all of the key provisions and that waiver is an option.

The question

Does an entire agreement clause that "supersedes and extinguishes all previous agreements…whether written or oral relating to its subject matter" within a settlement agreement have the effect of preventing all or any part of an underlying agreement from continuing to have effect?

The key takeaway

When formally varying or modifying an agreement, if the parties intend to dispose entirely of a previous or underlying agreement they should do so explicitly, rather than leave this to an entire agreement clause in the terms of the later agreement.

The background

Capgemini UK Plc (Capgemini) and Dassault Systemes UK Ltd (Dassault) are both providers of software and technology services and were engaged to create and provide a logistics planning software tool for the Royal Mail Group (RMG).

The underlying contract, the Prime Contractor Agreement (PCA), contained a long and detailed Statement of Work. Under the PCA, Dassault was required to test and tune the software. To do this it required test data from RMG. Some data was provided and Dassault performed the tests. Capgemini requested that Dassault test and tune the software against a larger dataset. A dispute arose between the parties as to whether this work was outside the defined scope, and formed part of a wider dispute involving Dassault's entitlement to additional payments.

To resolve the issue, the parties entered into the Settlement Agreement (SA), which settled the dispute for historic work and set out a way for the outstanding work. The SA contained an entire agreement clause:

"This Agreement constitutes the entire Agreement between the Parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter."

After signing the SA, there were subsequent delays in relation to the outstanding work, leading to Capgemini asserting repudiatory breach of the SA by Dassault. Dassault denied liability and relied upon the contractual obligations and limitations of liability within the PCA. Capgemini applied for summary judgment submitting that the PCA was a previous agreement that had been superseded and extinguished by the SA – Dassault could not rely on it, except for any specific clauses which had been expressly preserved.

The decision

The Judge did not consider the wording of the SA's entire agreement clause to simply have the effect of overriding the PCA. Entire agreement clauses are primarily aimed at ensuring that parties do not seek to rely on informal discussions and communications as tempering the meaning of the formal agreement, rather than aimed at dealing with the existence of multiple formal contracts between the parties.

For the purposes of this application, ultimately it was a matter of construing the words "relating to its subject matter" in the entire agreement clause. The Judge reasoned that it seemed more likely that the "subject matter" of the SA, was the settlement and the way forward as agreed in the SA, not the project generally. It was unlikely that the parties were intending to dispense with the PCA in the way suggested by Capgemini, or the scheme would not work. Therefore, the PCA continued to act as a baseline for the parties' substantive rights in relation to the outstanding work.

The SA addressed issues such as payment and working arrangements but was silent or limited when it came to certain key terms, including IP and confidentiality. While it was open to the parties to dispense with all of these protections when entering into the SA, why would they want to do so? The Judge was satisfied that there was a "respectable" argument that where the parties had agreed something in the SA, the entire agreement clause stopped them from contending that the meaning or effect of their agreement in the SA was tempered or modified by some oral term or prior agreement. But, if they had previously agreed something which was not covered by the SA, there was no inconsistency and it was not meaningful to refer to that separate agreement being "superseded" by the SA.

These matters were deemed to be unsuitable for summary determination – it would require a trial judge to determine these issues in full. The application was dismissed.

Why is this important?

The case confirms that clear drafting, particularly in the case of settlement agreements, is required to indicate whether all or part of a previous or underlying agreement is to continue in effect or be superseded by a later agreement.

Any practical tips?

When varying an agreement consider the impact of including boilerplate terms such as an entire agreement clause, and whether including such a clause will prevent key terms in any previous or underlying agreement from having effect or otherwise provide for contractual uncertainty.

Spring 2026

When are cross-border online ads subject to the ASA's oversight?

The key takeaway

The Advertising Standards Authority (ASA) can enforce the CAP Code against online advertisers where (a) paid ads target UK consumers; (b) unpaid ads are published by UK-registered companies; or (c) ads appear on a UK (.uk) domain, regardless of where the advertiser is based. Overseas advertisers of UK-only products, or adverts with pricing in GBP, should be particularly alert to the ASA's remit and sanctions powers.

The background

The ASA regulates non-broadcast advertising in the UK. Consumers may complain to the ASA about ads they believe breach the CAP Code, and the ASA may also take proactive enforcement action (see here for our previous Snapshot of this topic). In an online and platform-driven advertising environment, it is not always obvious whether an ad falls within the ASA’s jurisdiction – particularly where ads are uploaded from abroad, served dynamically, or appear on global platforms.

The development

The ASA has clarified that it has jurisdiction to regulate the following categories of online advertising:

1. Unpaid marketing communications published by, or on behalf of, advertisers with a UK-registered company address.
2. Marketing communications appearing on websites using a “.uk” top-level domain, regardless of where the advertiser is based.
3. Paid marketing communications that target UK consumers.

An ad may be treated as targeting UK consumers for a range of reasons, including where it:

• appears on a UK-focused website
• is priced in GBP
• promotes products or services available only in the UK
• contains content specific to UK consumers
• is targeted using location-based criteria.

These principles apply across advertisers’ own websites, social media pages and apps. The ASA also regulates direct marketing communications (such as emails and texts) sent by marketers based in the UK, but not equivalent communications sent from outside the UK.

Where an ad falls outside the ASA's scope, the ASA may still refer the matter to the relevant regulatory body in another jurisdiction. For EU-jurisdiction ads, the ASA will refer via the European Advertising Standards Alliance.

Why is this important?

Marketers can be caught out by the CAP Code’s reach when advertising online, particularly where content is published or distributed through third parties, platforms or automated systems. Even where advertisers are based overseas, UK-facing indicators such as GBP pricing or UK-specific availability may be sufficient to trigger ASA oversight.

The ASA has a wide range of enforcement tools at its disposal, including:

• naming and shaming non-compliant advertisers on its website (including through SEO visibility)
• requesting the removal of paid ads from search engines
• placing paid ads highlighting an advertiser’s non-compliance
• working with platforms to remove or restrict non-compliant content.

Any practical tips?

Advertisers with any international footprint should consider reviewing their online advertising practices to identify jurisdictional blind spots, including by asking:

• Do all online ads (including those on the organisation’s own website, social media pages and apps) comply with the CAP Code?
• Do ads promote products or services available only in the UK?
• Are prices displayed in GBP?
• Is the content clearly directed at UK consumers?
• Are ads targeted using location-based tools?

Spring 2026

When will the UK's Advertising Standards Authority (ASA) accept “from £X” price claims in social media ads, and what does this mean for platforms using dynamic pricing models?

The key takeaway

The ASA has confirmed that “from” price claims in paid social media ads are acceptable where a significant proportion of inventory is available at the headline price. Where complaints arise, advertisers must be able to substantiate their promotional claims with robust, date-specific pricing and sales data.

The background

A paid-for Meta ad for Zedwell Hotels promoted “YOUR OWN SPACE IN THE HEART OF PICCADILLY” and “FROM £20 P/NIGHT”, linking through to the brand's website via a "Book Now" button. The complainant, having been unable to find rooms in Piccadilly at £20 on 19 August 2025, argued that the ad was misleading and challenged whether the price claim could be substantiated.

The ASA investigated the ad under CAP Code rules on misleading advertising (3.1), substantiation (3.7) and pricing (3.17 and 3.22).

The development

Criterion Hospitality Limited (trading as Zedwell Hotels) responded that the “from £20 per night” rate related to its “capsule cocoon” accommodation at the Zedwell Capsule Hotel in Piccadilly, a distinct but nearby property within the same central location.

Zedwell explained that pricing operated dynamically and provided the ASA with detailed evidence, including:

• a date-by-date pricing table covering the promotional period (19 August–27 November 2025)
• confidential sales data showing actual booking prices.

The data demonstrated that rooms at £20 (or below) were available on over 70% of stay dates during the promotion.

In its ruling (4 February 2026), the ASA confirmed that consumers would interpret “from just £20 per night” to mean that a significant proportion of rooms would be available at that price. On the evidence provided, the ASA accepted that threshold had been met and concluded that the ad was not misleading. The complaint was not upheld.

Why is this important?

The decision follows a series of late-2025 rulings in which the ASA banned hotel and travel ads using “from” pricing where availability was insufficiently substantiated, including rulings on Accord, Booking.com, Hilton and Travelodge. See the Accord ruling here for more information.

Here, the ASA did not define a numerical benchmark but implicitly accepted that availability on 70% of stay dates satisfied the “significant proportion” test. The ruling therefore provides helpful guidance on what level of inventory coverage may be considered compliant.

It also illustrates that location references in headline claims (such as “Piccadilly”) will be assessed on overall impression. The ASA was satisfied that referring to Piccadilly was not misleading, even though the rate applied to a specific product type (capsule accommodation), because that accommodation was genuinely available within that location.

For businesses operating dynamic pricing models – particularly in hospitality and travel – this reinforces that headline pricing claims remain subject to strict evidential scrutiny.

Any practical tips?

Businesses using “from” pricing should:

• Ensure the headline price is available for a genuine and significant proportion of relevant dates and inventory, not only at fringe times or in extremely limited quantities.
• Retain detailed pricing tables and booking data capable of demonstrating availability across the promotional period.
• Consider carefully the overall impression created by location or product descriptors in headline claims.
• Monitor evolving ASA guidance, particularly as the regulator increases its use of AI tools to monitor social media advertising.

Spring 2026

Following three consultations on the implementation of the restrictions in the CAP Code (and the government being forced to implement specific and clear secondary legislation to deal with one specific exemption – see further below), CAP published its final guidance on the new restrictions on 4 December 2025.

Further to our updates in previous editions of Snapshots regarding the new restrictions, the final guidance contains some important clarifications – as follows:

• In-scope products: the final guidance lists additional examples of in-scope products, including ready meals, battered or breaded products and sandwiches. These are also set out in the relevant secondary legislation clarifying the scope of the products within the restrictions, but their inclusion signals that the ASA wants to highlight these categories as in-scope.

• Delivery services and intermediaries: the guidance confirms that ads by food delivery platforms or similar intermediaries showing or referring to LHF products will also be caught within scope of the restrictions. With that said, the SME exemption can apply to an ad by a non-SME delivery service where the ad does not promote its products and instead is on behalf of a food and drink SME. Sponsored or enhanced product listings on a non-SME platform may also benefit, provided only the SME pays for it.

• The identifiability test: the advertising restrictions only apply to ads that feature an identifiable LHF product. The test will be whether the notional "average consumer" could reasonably be expected to be able to identify the ad as promoting an LHF product. Additionally:
  • ads that feature or reference a specific less healthy product in a "clear and prominent" manner will likely meet the identifiability test
  • factors relevant to the assessment of "prominence" include the positioning and duration of product references and how attention is drawn to them
  • images shown briefly or in the background that are unlikely to be recognised (eg images of supermarket shelves or food or drink products on restaurant tables) are unlikely to meet the identifiability test
  • ads that do not directly show or refer to an LHF product may be caught where they use branding relating to "a range of mostly" LHF products or combine company logos or imagery associated with an LHF product.

• Brand advertising exemption: after a controversial journey, brand advertising has been confirmed within both secondary legislation and CAP's guidance as being exempt from the restrictions. There are, however, some key limitations to benefitting from this exemption, including that the exemption does not apply where (i) an LHF product is depicted within the ad (ii) the relevant brand name includes the name of a specific LHF product (unless the brand name was established an in use prior to 16 July 2025); (iii) there is any realistic imagery of unpackaged food or drink in the ad where such food that is visually indistinguishable from a less healthy product (eg Coca Cola and Diet Coke look the same in a glass).

• Influencer marketing: the prohibition on paid-for ads includes "reciprocal and affiliate" relationships and gifting arrangements between brands and influencers in exchange for the influencer publishing content on their own social media. Conversely, the guidance clarifies that paying influencers to create or feature in ads that are then posted by an advertiser only on that advertiser's own website or social media accounts will not be caught by the restrictions.

What are the developing criminal risks that companies need to be aware of when making green claims or representations and how can they take steps to mitigate those risks?

The key takeaway

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) increases the risk that allegations of greenwashing against a company may carry criminal, not just civil or regulatory, consequences for businesses. Since September 2025, large organisations may commit a criminal offence if an employee or other person performing services on their behalf commits a fraud offence. This may include making green claims or representations which are known to be misleading or untrue. The only defence is to show "reasonable fraud prevention procedures" were in place at the time of the alleged offending, making it vital that businesses review, consider and where necessary enhance their internal controls relating to fraud.

The background

ECCTA introduced a new corporate offence of failure to prevent fraud. Under this provision, a company or partnership that meets certain size-related thresholds (namely having two or more of 250 employees, £36m  turnover, or £18m in assets), will commit an offence if an "associated person" commits a UK fraud offence intending to benefit that company or partnership. “Associated person” is defined widely and includes employees, agents, subsidiaries, and contractors performing services for or on behalf of the company.

The offence applies to businesses wherever in the world they are established, although a necessary element of establishing the offence will be to demonstrate that a UK fraud offence has been committed (which will generally require either UK based victims or some part of the fraud to have been carried out in the UK). Penalties can be severe with potentially unlimited fines.

While the underlying fraud offences have not changed, the effect of the new offence is to make it significantly easier for the UK's criminal enforcement agencies to open investigations into and prosecute businesses for the allegedly fraudulent conduct of their staff, agents and other third parties. Importantly, there is no requirement to prove that senior management knew of, approved of or directed the conduct. Liability can arise from even the most junior employees or, in some cases, external marketing partners.

Greenwashing as a criminal risk

While greenwashing, ie making misleading environmental claims, has long presented risks of litigation or regulatory enforcement to businesses, this new offence greatly increases the potential criminal risks that they should be alive to when making green claims or representations. If green claims are known to be dishonest by the person making them and intended to make a gain for the business (or cause a loss to someone else), they may meet the threshold for a criminal offence. This can be the case even if the person acting dishonestly is a very junior employee or even an external consultant engaged to perform services for the business (such as an external marketing agency).

As to whether the green claim may be intended to make a gain for the business, there are multiple circumstances in which this may be the case. At its simplest, including green claims, such as stating a product is "fully recyclable" or "carbon neutral" in advertising or marketing materials with the aim of inducing consumers to purchase goods or services would clearly demonstrate an intention to benefit. However, green claims are often also made in other ways, such as in applications for funding or financing, in statements to investors or the market, in representations to regulators or in internal communications to employees on the state of the business. All of these types of statement could be made with the intention of benefitting the business, even if not in a direct financial way.

Why is this important?

Making green claims across a wide range of business areas is increasingly common. With this change in law, ensuring those statements are accurate and supported by data is increasingly important to ensure criminal risks do not materialise.

Any practical tips?

While businesses may already take steps to ensure the accuracy and substantiation of green claims in line with regulatory guidance from the Competition and Markets Authority and the Advertising Standards Authority, there may be further steps that can be taken to mitigate the specific criminal risks under ECCTA.

The only defence to the failure to prevent fraud offence is for a company to demonstrate that it had in place "reasonable" prevention procedures at the relevant time. Therefore, businesses should consider the controls and processes they have in place to identify and prevent fraud, including with respect to green claims, to determine their adequacy. The government has issued guidance to assist businesses in implementing procedures that meet the required standard. That guidance sets out the key elements of "reasonable" fraud prevention procedures. They will be based on six core principles, namely, risk assessment, due diligence, proportionate procedures, top-level commitment, communication and training and monitoring and review.

From a practical perspective, the key starting point is for a business to conduct a fraud-focused risk assessment to determine where its risk might lie and whether controls already in place are suitable to manage those risks. Depending on the outcome of that assessment, businesses may deem it appropriate to provide additional training to employees (for example relating to making green claims), update compliance polices and implement updated clauses in contracts with third parties to provide fraud-related protections.

Spring 2026

The CMA issues new guidance on making green claims

• On 22 January 2026, the CMA issued new guidance, to be read in conjunction with its 2021 Green Claims Code, setting out how businesses can comply with consumer protection law when making environmental claims. The guidance clarifies how responsibility for such claims attaches to different businesses across the supply chain. The guidance also includes checklists for retailers, brands, suppliers and manufacturers setting out key points to consider when working with others in the supply chain to help ensure that green claims are not misleading.

Incoming EU legislation – Empowering Consumers for the Green Transition Directive (ECGTD)

• Key rules: prohibits vague or general environmental claims and unsubstantiated statements that a business or product is "green" or "environmentally friendly" and restricts the use of unreliable voluntary sustainability labels.
• Timing: entered into force in 2024. Member States must transpose the rules by 27 March 2026, with application from 27 September 2026.
• Guidance: the Commission recently published a Q&A providing further clarification on the ECGTD's anti-greenwashing provisions and how they will be applied.

ASA rulings

ASA ruling on Kit & Kin Ltd

• The ASA upheld Procter & Gamble UK's complaint that the advertised claims were misleading.
• Kit & Kin advertised “eco nappies wipes” with claims such as “PROTECTING YOUR WORLD, NATURALLY”, “better for our world”, “sustainable”, “made from sustainable, plant-based materials”, “biodegradable baby wipes" and "0% plastic”.
• The ASA found that “eco”, “better for our world” and “protecting your world, naturally” gave an overall impression that the products were environmentally beneficial or harmless across their life cycle, and that buying them protected the environment and rainforest. Kit & Kin’s certifications, carbon-neutral factory and charity partnership did not substantiate such broad, absolute environmental claims.
• The claims “sustainable” and “made from sustainable, plant-based materials” were treated as absolute sustainability claims about both the nappies and their materials. Kit & Kin had not provided full life cycle evidence, and the nappies still contained plastic components, so these claims were likely to mislead consumers.
• “Biodegradable baby wipes” was understood to mean the entire wipe would fully biodegrade in normal disposal conditions, more quickly than plastic alternatives and without harmful residue; the evidence only showed biodegradation of the viscose component under specific test conditions and did not address the whole product, real-world conditions, timeframes, or by-products.

• The ASA upheld the complaint in relation to all three issues, finding breaches of CAP Code rules on misleading and environmental claims and ruled that the ads must not appear again in their current form. Kit & Kin was told to clarify the basis of environmental and comparative claims and to hold robust, product-specific substantiation.

ASA ruling on The Cheeky Panda Ltd

• The ASA upheld a complaint made by Procter and Gamble UK that green claims made by Cheeky Panda's advertisements for "Bamboo Nappies" were misleading.
• Cheeky Panda’s website advertised nappies and baby wipes using claims such as “sustainable bamboo”, “100% sustainable bamboo fibre”, “biodegradable baby wipes/biodegradable fibres” and that the products were “kinder to the planet” and “protecting the planet”.
• On “sustainable bamboo" and "100% sustainable bamboo fibre”, the ASA found the claims were unqualified, absolute environmental claims requiring full life cycle evidence for the actual nappies and wipes. They found that Cheeky Panda’s life cycle analysis (LCA) and Forestry Stewardship Council (FSC) certification did not cover the whole product life cycle or the specific advertised products.
• On “biodegradable baby wipes" and "biodegradable fibres”, the ASA felt that consumers would expect the entire wipe to fully biodegrade in normal disposal conditions, leaving “no trace”. The evidence only showed partial biodegradation of the viscose fibre under specific conditions and did not substantiate the claims.
• On “kinder to the planet […] protecting the planet”, the ASA treated this as a comparative environmental claim implying that by containing bamboo, the nappies were less harmful than conventional nappies. The reports provided by Cheeky Panda did not show a clear environmental advantage or that the product “protected the planet”, so the claim was found to be also misleading.
• The ASA upheld all three issues, found breaches of the CAP Code on misleading and environmental claims, and ordered that the ads must not appear again in their current form. Cheeky Panda was told to clarify the basis of environmental claims and to hold robust substantiation in future.

Sector-specific updates

Food & Drink

The Guardian finds that Europe's supermarkets are filled with products misleadingly claimed to be packaged with recycled plastic.

• A recent report by The Guardian claims that "only a fraction" of the packaging materials used in Europe's supermarkets are recycled. Instead, it is claimed that most of the packaging is made from petroleum from Saudi Aramco, an oil company.
• Accused products include Kraft’s Heinz Beanz and Mondelēz’s Philadelphia.
• Read more here.

Coca-Cola introduces new paper-cardboard packaging

• Coca-Cola has introduced a corrugated paper-and-cardboard handle for multipacks of bottles in Europe. Coca-Cola has estimated that the change could reduce plastic waste by around 220 tonnes per year
• Read more here.

Spring 2026

What does the 2026 Best Practice Guide for the Responsible Use of Generative AI (GenAI) in advertising mean for brands, agencies, and media owners?

The key takeaway

The new Best Practice Guide for the Responsible Use of GenAI (the Guide) in advertising establishes eight key principles that brands, agencies and media owners are advised to follow to use GenAI responsibly and effectively. It addresses common questions around disclosure, data use, bias, oversight, wellbeing, brand safety and monitoring, and provides practical guidance on implementation. Although voluntary, it is likely to shape industry standards and regulatory expectations.

The full Guide is available here and there is also an SME version is available here (which contains changes has been adapted from the full guide, focusing on the principles of most relevance for SMEs and making it easier and more proportionate for them to implement).

The background

When GenAI use in advertising exploded in late 2022, the IPA and ISBA responded the following year by publishing 12 industry principles to encourage ethical use. Since then, adoption has only ramped up. By July 2025, ISBA reported that the share of advertisers using GenAI had jumped from 9% to 41% in just over a year. The technology now touches everything from initial ideation through to full creative production, with fully AI-generated commercials, synthetic actors, and infinitely localised campaigns becoming the new norm.

Building on the IPA and ISBA 2023 principles, the Advertising Association has published the Guide, developed under the government and industry-led Online Advertising Taskforce.

The development

The Guide is intended to help advertising practitioners use GenAI in an ethical and effective manner. It is designed to complement existing law (including UK GDPR and the Equality Act 2010) and self-regulatory regime (including the CAP/BCAP Codes). The Guide is targeted at advertisers and brands, advertising agencies, media owners and technology providers and platforms serving the advertising industry. It is voluntary and not legally binding.

The Guide establishes eight principles:

1. Ensuring transparency: Disclose AI-generated or AI-altered ad content where appropriate, using a risk-based approach focused on avoiding consumer harm.
2. Ensuring responsible use of data: Use personal data for training, targeting and personalisation of GenAI lawfully.
3. Preventing bias and ensuring fairness: Design, deploy and monitor GenAI to reduce bias and prevent discrimination.
4. Ensuring human oversight and accountability: Put proportionate human review in place before publishing, with clear responsibility for outputs.
5. Promoting societal wellbeing: Avoid creating or amplifying harmful, misleading or exploitative content and use GenAI to support consumer protection where possible.
6. Driving brand safety and suitability: Assess and mitigate reputational and placement risks, ensuring GenAI outputs align with brand values and safety standards.
7. Promoting environmental stewardship: Consider environmental impacts when choosing tools and workflows and favour energy-efficient options where practical.
8. Ensuring continuous monitoring and evaluation: Monitor deployed GenAI systems to spot issues (eg performance, bias drift, compliance gaps) and intervene when needed.

Why is this important?

The Guide provides clarity on key issues the industry has been grappling with: how to manage risks like bias and privacy, and when disclosure is required.

Though voluntary, it is likely to establish new 'bare minimum' standards, as brands and agencies start baking 'adherence to the AA GenAI guide' into supplier contracts. Some of the principles could also become a reference point for the ASA when assessing whether advertisements are materially misleading or inadequately substantiated.

Any practical tips?

The Guide provides a useful preview of what future regulation might look like – in that typically best practice guidance emerges first, then if harms persist, principles get formalised into binding requirements. Therefore, as a priority, advertisers should consider implementing a risk-based framework so that the decision to disclose GenAI use is proportionate to the risk of consumer harm or misinterpretation. This should take into account whether the AI-generated content:

• could mislead a reasonable consumer
• could materially affect a transactional decision
• involves real or synthetic people, voices, testimonials or spokespersons
• appears in a context where confusion is more likely
• targets vulnerable audiences.

Advertisers should also:

• Ensure compliance with existing data protection and privacy legislation.
• Evaluate brand reputation risks associated with GenAI content, including alignment with brand voice, cultural sensitivities and placement safety.
• Design AI systems using diverse training datasets and test outputs for bias across different demographics.
• Implement human oversight mechanisms proportionate to the risk level.
• Evaluate whether AI is necessary or whether traditional methods are sufficient.

Separately, platforms should be looking to implement systems that facilitate advertisers in carrying out appropriate human oversight. They are also recommended to use AI proactively to enhance the automated detection of harmful or non-compliant content.

Spring 2026

When does online price presentation become “misleading advertising” under the CAP Code, and what do the recent ASA rulings on TUI and easyJet indicate for platforms displaying dynamic or ancillary pricing?

The key takeaway

The ASA is taking a strict approach to price accuracy and substantiation. It expects the prices displayed to be based on genuine, evidenced availability, and where prices are supplied by third parties and subject to change, businesses should take reasonable steps to reduce the likelihood of consumers being misled by pricing that changes or ultimately becomes unavailable during the consumer's user journey.

The background

CAP Code section 3 sets out the overarching rules on misleading advertising, substantiation, and price presentation in UK non-broadcast marketing communications. It requires that marketing communications and price statements do not materially mislead consumers (by omission, undue emphasis, distortion, or otherwise), and that pricing claims are supported by documented evidence.

In January 2026, the Advertising Standards Authority (ASA) upheld complaints against TUI UK Ltd and easyJet regarding online price claims. Both decisions turned on how consumers understand price statements in digital journeys and the evidence advertisers must hold to substantiate “from” prices and discounts.

TUI: dynamic pricing, discounts and missing context

On TUI’s UK website, a listing for a Caesars Palace Las Vegas package showed “£1248.13pp” and “Total Price £2496.26”, with red print stating “Inc £187.74 Total Discount”, and a qualification that “Price may update at checkout based on availability. Local taxes may apply.” At the next stage, the price increased to £1608.44pp (total £3216.88), with messaging that the price had gone up by £722.62 due to updated third-party airline costs.

The ASA considered that consumers would understand the initial per person and total prices as the actual price payable at the time of viewing, reinforced by the apparent “total discount” claim, giving the impression of a static, genuinely discounted offer. TUI argued that their holidays combine dynamically priced third-party flights and accommodation, that prices are refreshed several times a day, and that a notification flags any increase before booking. They also explained that the “discount” reflected a difference between online and offline (in store) pricing.

The ASA found that, because flight data was not updated in real time, TUI should have made clear to consumers when the last price update had occurred and that prices were liable to change. The qualification “Price may update at checkout based on availability” was insufficient to counter the overall impression of a firm price and genuine discount.

Additionally, the ASA held that the discount claim was misleading. This was because the ad did not explain that the comparison was between online and offline prices, and it was unclear how the reference price was calculated, given the frequent/dynamic price changes.

easyJet: “from £5.99” and substantiating ancillary fees

The “Fees and charges” page on easyJet’s website stated the following under the “Bags” heading: “Large cabin bag from £5.99”. Consumer protection group, Which?, challenged whether this “from” pricing claim was misleading and capable of substantiation. easyJet argued that £5.99 was the starting price across their network, and that individual bag prices vary by route, demand and operational cost.

The ASA considered that consumers would understand “From £5.99” to mean that large cabin bags were available to book at that price across a significant proportion of routes and dates. It therefore expected evidence, in the form of pricing and availability data, showing that bags could be booked at £5.99 across a range of flights and dates. easyJet could not provide specific data, and the ASA held that general assurances of availability were insufficient to substantiate the claim. Therefore, because the ASA had not seen sufficient evidence that large cabin bags were available at £5.99 across a range of routes and dates, the “from” claim was found misleading and in breach of the CAP Code.

Why is this important?

These rulings reinforce that marketers and advertisers – including large aggregators – are responsible for the accuracy of price information, even where prices are controlled or supplied by third parties. CAP guidance on working with third parties makes clear that marketers must take reasonable steps to reduce the likelihood of consumers being misled, for example by using “from” prices appropriately and indicating when prices were last updated.

More broadly, CAP Code section 3 requires that material information is not omitted and that comparative or “from” pricing is supported by robust data. The ASA’s willingness to find breaches where advertisers cannot produce detailed availability data for “from” prices is a clear signal that platforms must have defensible datasets and audit trails behind any price claims displayed to UK consumers.

Any practical tips?

• For platforms aggregating travel, retail or ancillary services, it will be important to map all touchpoints where prices or discounts are displayed and assess whether consumers are likely to interpret them as firm, bookable prices or merely indicative starting points.
• For dynamic or third‑party‑fed pricing, use clearly labelled “from” prices, disclose when prices were last updated and avoid any presentation suggesting a guaranteed fixed price or unqualified “total discount”.
• Third party pricing that changes regularly and/or dynamically should also be regularly refreshed and updated so as to minimise the risks of outdated pricing being displayed to consumers.
• Platforms should be able to substantiate all “from”, “up to” and discount claims with availability and pricing data showing that quoted prices apply across a significant proportion of relevant products, services or dates. This may require structured data retention, periodic sampling, and service level commitments with third party suppliers whose feeds power platform pricing.

Spring 2026

How far will regulators expect social media platforms to proactively detect, verify and block illegal gambling ads targeting UK users?

The key takeaway

The UK Gambling Commission (UKGC) has accused social media platforms of “turning a blind eye” to illegal gambling operators targeting UK audiences. While platforms maintain that they act when ads are reported, the UKGC considers the current practices insufficient and believes that illegal gambling ads remain widespread across social media channels.

The background

The UK gambling market is tightly regulated. Licensed operators must follow strict advertising rules and participate in GamStop, a national self-exclusion scheme allowing individuals in the UK to self-exclude from participating with online gambling operators for a defined period of time.

Unlicensed operators, including those “not on GamStop”, are prohibited from targeting UK consumers. However, such operators continue to promote their services online, including through social media advertising, exposing vulnerable and self-excluded users to potential harm. Concerns have therefore grown over the role of tech platforms in enabling these illegal promotions.

The development

In a speech at ICE Barcelona 2026, one of the world’s largest gambling and gaming industry conferences, Tim Miller, Executive Director at the UKGC, warned that illegal online gambling remains a persistent and evolving threat to UK consumers.

Miller criticised social media platforms for failing to carry out meaningful proactive monitoring, noting that illegal gambling ads are often visible in publicly searchable advertising libraries. This, he argued, undermines claims that platforms can only act once ads are reported and highlights the limitations of purely reactive, report-and-remove enforcement models.

The UKGC also indicated that engagement with platforms to date has delivered limited progress, and rejected suggestions that regulators should deploy their own AI tools to identify and report illegal ads. Such an approach, it said, would inappropriately shift enforcement costs onto public authorities across multiple jurisdictions. The underlying question raised by the UKGC was whether platforms are doing enough to protect vulnerable users, rather than continuing to benefit commercially from illegal advertising activity.

Why is this important?

The speech signals increasing regulatory scrutiny and a shift towards greater expectations on online intermediaries to prevent illegal gambling content from reaching UK users. While the government has committed additional funding and proposed legislation to strengthen regulatory powers, the UKGC made clear that enforcement action alone will not be sufficient.

Instead, meaningful progress will require coordinated action across regulators, government, industry and technology platforms, alongside clearer expectations that companies should not profit from illegal activity. This focus on online advertising controls also reflects broader regulatory momentum in gambling advertising, including recently updated CAP and BCAP guidance aimed at strengthening protections for under-18s and vulnerable consumers (see our previous Winter 2025 Snapshot).

Any practical tips?

Social media platforms should consider:

• strengthening advertiser verification processes to ensure only licensed operators can promote gambling services
• adopting proactive monitoring techniques (including keyword analysis, ad-library reviews and automated detection tools) to identify illegal ads before harm occurs
• establishing clear internal escalation pathways for responding to regulatory concerns
• engaging transparently with regulators to demonstrate effective compliance and risk mitigation.

Taking these steps can help protect vulnerable users while reducing regulatory, legal and reputational risk.

Spring 2026

How will Ireland's distributed enforcement model and new AI Office supervise AI use and development and ensure compliance with Regulation (EU) 2024/1689 (EU AI Act) in Ireland?

The key takeaway

AI providers and deployers operating in Ireland should expect coordinated enforcement from several Irish regulators, with inspection and sanctioning powers that extend to online channels and app interfaces; they should now map likely competent authorities and update governance and incident processes to meet these new supervisory expectations.

The background

The EU AI Act, which entered into force on 1 August 2024 (see our Summer 2024 edition of Snapshots), intends to establish a harmonised, risk-based regulatory framework for the development and use of AI systems across the EU. The EU AI Act has direct legal effect in EU member states, however, member states are required to enact national legislation to implement its provisions. In particular, Member States were required to establish or designate independent national competent authorities, including a market surveillance authority and a notifying authority, by 2 August 2025.

The development

On 4 February 2026, the Irish Government published the General Scheme to implement and enforce the EU AI Act in Ireland. The General Scheme proposes a new framework for EU AI Act enforcement in Ireland. This framework will include:

• a new AI Office of Ireland (Oifig Intleachta Shaorga na hÉireann) which will be designated as a market surveillance authority (MSA) and the Single Point of Contact (SPOC) for the purposes of the Regulation. Ireland's formal adoption of a “distributed model” of competent authorities/MSAs, which leverages existing regulators (eg Central Bank, Coimisiún na Meán, HPRA, CCPC, HSA), will cooperate with the AI Office to oversee the national rollout and ongoing supervision and enforcement of the EU AI Act in Ireland
• the ability for MSAs to rely on and extend Market Surveillance Regulation (EU) 2019/1020 powers which enable them to: require the provision of extensive technical documentation and data (including embedded software), supply chain information, and website ownership details; carry out unannounced inspections; enter premises/land/transport; start investigations on their own initiative; order corrective actions; withdraw/recall/prohibit AI systems; and impose penalties (EU AI Act Art 99) (including significant administrative fines)
• that MSAs will ensure mechanisms are in place for providers to receive serious incident reports for high‑risk systems, follow Market Surveillance Regulation procedures, notify the Commission, AI Office and Article 77 fundamental rights bodies of the serious incident and ensure corrective measures for response and oversee coordination
• an allowance for Ireland's nine “Fundamental Rights Authorities” to "make reasoned request to the MSA" to organise technical testing of high‑risk systems where needed to assess the impact of fundamental rights;
• a requirement that the MSAs must accept complaints about AI Act infringements and coordinate handling, with whistleblower protections under Directive (EU) 2019/1937 (EU whistleblowing directive)
• an AI Office obligation to establish a national AI regulatory sandbox and/or participation in an EU‑level sandbox. Following its establishment, the Office may issue guidelines, set participation conditions, supervise activities, and cooperate with EU AI Board. Where personal data is processed in the sandbox, the Data Protection Commission must supervise
• MSA powers that extend explicitly to online distribution channels and interfaces where authorities can conduct unannounced inspections, acquire AI systems under cover identities and demand access to source code of high‑risk systems where other methods are insufficient, and may require removal of content or restriction of access to digital interfaces to secure compliance.

Ireland’s enforcement architecture is particularly significant given its role as the European HQ for various major tech companies. Accordingly, the General Scheme also sets out a general administrative sanctions framework that will apply to AI Act breaches. Maximum fines will mirror the EU AI Act: up to €35m/7% global turnover for prohibited practices; €15m/3% for other core operator obligations; €7.5m/1% for incorrect/misleading information.

To meet the key obligations of the EU AI Act, the AI Office must be operational by 1 August 2026 and will coordinate with these authorities through a mandatory Cooperation Forum meeting at least quarterly, chaired by the AI Office.

Why is this important?

Businesses with AI operations in Ireland may face EU AI Act supervision in Ireland via multiple regulators rather than a single AI agency.

Additionally, given that MSA powers expressly cover online distribution channels and digital interfaces, businesses which deploy apps should assume that Irish regulators can act directly against AI‑enabled functionality in its apps where accessed from Ireland, including by requiring content removal or interface changes for compliance.

Any practical tips?

• Identify which AI systems used or provided in or through Ireland are likely to fall within Annex III high‑risk categories and map the most likely MSA. This will aid quick responses and coherence on the commencement of the supervision under the distributed model.
• Build or adapt internal incident‑management processes so that serious AI incidents with an Irish nexus (death or serious health harm, serious disruption of critical infrastructure, or fundamental‑rights infringements) can be identified, triaged and reported to the relevant Irish MSA within the EU AI Act deadlines (2, 10 or 15 days depending on the case).

Spring 2026

What new measures does the Competition and Markets Authority (CMA) propose to impose on Google Search in order to maintain fair competition in the UK and improve search services for users?

The key takeaway

The CMA has proposed a package of four measures in relation to Google's search services in the UK, which as noted by the CMA, marks the first set of conduct requirements under the digital markets competition regime. These measures are aimed at supporting innovation in the sector and helping ensure transparency and fairness for content publishers and consumers.

The background

In October 2025, the CMA designated Google with strategic market status (SMS) in the general search and search advertising services category. This allowed the CMA to impose proportionate targeted rules or "conduct requirements" on Google to ensure fair dealing, open choices, trust, and transparency. Prior to officialising the SMS status, the CMA had prepared a roadmap proposing potential measures it might take in a bid to reassure relevant stakeholders. Those early measures will continue to be assessed alongside the new proposed measures, as set out below.

Ahead of finalising the new measures, the CMA held a consultation which closed on 25 February 2026, seeking comments from stakeholders on its proposed conduct requirements for Google Search. The responses to the consultation will be reviewed by the CMA and used in conjunction with wider analysis undertaken before ratifying the measures.

The development

The measures are as follows:

• publisher controls: the first measure proposed by the CMA is centered around choice and transparency; two key focuses for publishers. Publishers and content creators will be able to opt-out of their content being used for AI Overviews or to train other generative artificial intelligence models outside of Google. This will give content creators stronger bargaining powers and ensure AI generated results are reliable and trustworthy. In addition, this measure also requires Google to ensure AI results are properly attributed to publisher content.
• fair ranking: Google must demonstrate to the CMA that it ranks search results fairly; not only in respect of general results but also in AI Overviews and AI Mode to make sure it is not biased towards websites that have commercial arrangements with Google. If Google fails to do so, it will be subject to investigation. An effective complaints process will also be in place to tackle any ranking issues. This ensures fairness and transparency for businesses and customers will be able to have confidence knowing measures are in place to ensure transparency and mitigate bias in search results.
• choice screens: the CMA will legally require Android mobiles and Chrome browsers to let users choose their default search service through choice screens. These should be easily accessible to users at all times.
• data portability: this measure would assist users to transfer their search data to other search engines/services or even use a third-party tool alongside Google's products. It would also allow users to extract their search data for their own use. From an innovative perspective, this could promote the development of new data-driven services to assist users with their search data.

Why is this important?

Google Search makes up over 90% of all general search queries in the UK with £10bn being spent on Google's search advertising by over 200,000 businesses in the UK in 2025 alone. Its widespread use is pushing the CMA to look at ensuring that users and businesses have appropriate control and choice over their interactions with the search engine.

Any practical tips?

Businesses should note the principles the CMA has applied in their proposed measures, which the CMA has referred to as the "4Ps" – proportionality, pace, predictability and process. Businesses should bear these principles in mind when developing AI tools to ensure their tools promote innovation, fairness and transparency for businesses, investors and consumers alike.

Spring 2026

How does the UK's Online Safety Act apply to AI chatbots, and when are chatbot providers required to comply with online safety duties?

The key takeaway

Ofcom has clarified that AI chatbots fall within the Online Safety Act (OSA) only when they operate as user‑to‑user services, search services, or publish pornographic content. Many standalone chatbots will however fall outside the regime unless they enable user interaction, search the internet, or generate pornographic material.

The background

Ofcom has published on its website a short explainer outlining how AI chatbots are regulated under the OSA. Ofcom's explainer responds to increasing public concern about harmful chatbot outputs, including reports of chatbots imitating real people or generating distressing content. Ofcom emphasises that the Act applies only to specific service types and that “chatbots are not subject to regulation at all if they only allow people to interact with the chatbot itself and no other users”. The update follows Ofcom’s recent investigation into X, where it reiterated that not all chatbot-generated content is in scope of the OSA.

The development

Ofcom’s explainer highlights three key points:

1. an AI chatbot is in scope of the Act if it forms part of:

• a user‑to‑user service, enabling users to share content with each other;
• a search service, returning results from multiple websites or databases; or
• a pornographic content service, which must use “highly effective age assurance”.

2. AI chatbots fall outside the Act if they:

•  only interact one‑to‑one with users;
• do not search multiple websites or databases
• cannot generate pornographic content. As Ofcom notes in its Grok update: “images and videos that are created by a chatbot without it searching the internet are not generally in scope.”

3. limits of current powers: Ofcom stresses that it “can only take action on online harms covered by the [OSA]”, and any extension of powers would be for government and Parliament.

Ofcom is supporting government work on potential future regulation of chatbots and will continue monitoring emerging risks as AI tools evolve.

Why is this important?

The explainer provides welcome clarity for businesses deploying conversational AI tools. It confirms that many standalone chatbots, particularly those that do not enable user‑to‑user interaction or internet search, are currently outside the OSA. However, where chatbots are integrated into wider platforms, or where they generate content that can be shared between users, providers may fall squarely within the regime. The update also signals that policymakers are actively considering whether the current framework, which is applicable to the regulation of AI in the UK more generally, adequately addresses AI‑driven harms, suggesting further regulatory developments are likely.

Any practical tips?

Businesses integrating AI chatbot functionality into existing services should assess whether the proposed use of the AI chatbot and its functions would mean that it would be subject to the OSA. Providers of AI chatbots should also consider whether its AI chatbot outputs could be shared on user‑to‑user platforms, triggering online safety duties. Given Ofcom’s ongoing investigations and its emphasis on risk assessment, providers of AI chatbots and businesses that integrate them should document design choices, monitor emerging harms, and ensure age‑assurance measures are in place where relevant.

Spring 2026

What steps is the UK government taking to improve children's relationship with mobile phones and social media?

The key takeaway

The government continues to strengthen its approach to children's online safety and wellbeing with the announcement of a new consultation, entitled "A safer digital childhood".

The background

On 19 January 2026, the government announced it will be launching a consultation to map out a plan to boost children's wellbeing online. This announcement forms part of the government's approach following the Online Safety Act (OSA), which came into force in July 2025. Following the implementation of the OSA, the government has reported that 47% of children now encounter age checks online, rising from 30% previously. It is also reported that 58% of parents believe the measures are improving children's safety online.

This consultation follows similar recent developments that relate to protecting young people online such as strengthening under-18 protections for gambling and lottery advertising and Ofcom's call for evidence into age-assurance measures in app stores.

The development

The consultation will seek input from parents, young people and the wider public, with a response from government to follow this summer. The consultation will explore:

• the appropriate minimum age for access to social media
• how to improve the accuracy of age assurance
• the digital age of consent
• removing or limiting addictive functionalities such as "streaks" and "infinite scrolling"
• interventions to support parents.

The current plan also includes an immediate action in that it requires Ofsted to check the mobile phone policies in place in schools, with phone-free environments as the default position. There will also be tougher and clearer guidance issued for schools.

The social media ban on children in Australia will also be explored as part of the consultation, with Ministers scheduled to visit the country.

Why is this important?

The announcement of the consultation is consistent with the trend of regulation surrounding online content to ensure the safety of young people. The outcome of the consultation will undoubtedly contribute to the growing conversation and will form part of any regulation that may be imposed on websites and apps to protect the safety of children. Businesses should be aware and monitor the consultation as it may form the background for increased regulation and guidance in the future.

Any practical tips?

Businesses should be aware of the growing regulatory landscape supporting the safety of young people. To prepare, businesses should:

• review their own age policies in place to access online content
• ensure controls are in place to align with legislation already in force
• monitor the progress of the consultation
• consider whether existing policies already align with the consultation or whether any changes will be required, such as with respect to minimum age requirements, improving accuracy of age assurance or releasing guidance to parents. This is to ensure that any measures required for compliance can be quickly implemented if any regulations come into force.

Spring 2026

In allowing users to create sexualised images of real people using the Grok AI chatbot, has X complied with its duties under UK and EU law to protect its users, including children, from seeing illegal content?

The key takeaway

In January 2026, Ofcom and the European Commission opened separate investigations into possible regulatory breaches by X following reports that the Grok AI chatbot was being used to create sexualised versions of images of real people posted on the X social media platform. The European Commission is also investigating whether X has taken appropriate steps to mitigate harm arising from the use of Grok to power its recommender systems. The investigations are ongoing and if X is found to have breached its legal obligations, the regulators have the power to impose significant fines.

The background

Grok, an integrated AI chatbot developed by the social media company X, is one of a number of chatbots capable of generating text and images. In the UK, social media companies such as X are subject to the provisions of the Online Safety Act 2023 (OSA) which places duties on platforms to protect users from seeing illegal content (see our Spring 2025 edition of Snapshots for more information on the OSA). Ofcom, the UK's independent online safety watchdog, is responsible for investigating non-compliance with and enforcing the OSA. From an EU perspective, platforms such as X fall within the scope of the Digital Services Act (DSA) which places obligations on such platforms to assess and mitigate systemic risks, including of the dissemination of illegal content (see our Winter 2024 edition of Snapshots for more information on the DSA).

The development

On 12 January 2026, Ofcom opened an investigation into X under the OSA in light of widespread reports of the Grok AI chatbot being used to generate undressed images of real people, including sexualised images of children potentially amounting to child sexual abuse material (CSAM) under UK law.

Under the OSA, user-to-user services have an obligation to take proportionate measures to prevent users from encountering priority illegal content, such as non-consensual intimate images andCSAM. Such services have a further obligation to implement "highly-effective" age assurance measures to prevent children from accessing harmful content, including pornography. Ofcom's investigation will seek to establish whether X failed to discharge its legal duties to implement such measures in allowing the Grok AI chatbot to be used in this way.

Two weeks later, the European Commission also announced that it had opened a formal investigation into the use of the Grok AI chatbot on X under the DSA. The DSA imposes obligations on very large online platforms (VLOPs), such as X, to assess and mitigate systemic risks, including in allowing users in the EU to access illegal content on the platform, such as digitally manipulated sexual images. It requires such platforms to implement "reasonable, proportionate and effective mitigation measures" where such risks are identified. Concurrently, the European Commission has extended its previous investigation into X's recommender systems (algorithms which suggest content to users based on past behaviour or preferences), to take account of the platform's shift to a recommender powered by Grok AI. The Commission's investigations will assess whether the platform breached its obligations under the DSA.

X published a statement on its platform on 14 January 2026, in which it stated that it had removed the ability of the [@] Grok account to edit images of real people in revealing clothing. It also announced the implementation of Geoblock technology to prevent users from generating such images in jurisdictions where such content is illegal. X has since restricted the use of image creation and image editing tools via the [@] Grok account to paid subscribers.

Why is this important?

Ofcom's investigation – and the speed at which it was opened – suggests that the regulator is likely to be increasingly confident in using its powers under the OSA. As social media and internet search platforms move towards integrating AI tools into their offering, it is important that they understand the legal risks should sufficient controls not be in place to prevent illegal or harmful content being generated. Ofcom's recent £1m fine against the AVS Group for failing to implement sufficient age assurance checks in respect of pornographic content underlines the strength of the enforcement actions that Ofcom is prepared to take. Under the OSA, Ofcom can issue a fine of up to £18m or 10% of qualifying worldwide revenue.

The European Commission's decision to open formal proceedings under the DSA is also a significant development in that it relieves national regulators in EU member states of their powers to take enforcement action in respect of the potential breaches under investigation. Rather, it allows the European Commission to take enforcement action, such as the issuing of a non-compliance decision. A previous non-compliance decision against X, on 5 December 2025, resulted in a fine of €120m for breaches of transparency obligations under the DSA.

Any practical tips?

Service providers implementing AI functionality in their platforms, either as a user-to-user chatbot or as technology underpinning a recommender system, should ensure that they understand the ways in which this is open to abuse by users and take proportionate measures to mitigate such abuse. The necessary measures will depend on the level of harm and the risk of children accessing harmful material. As a minimum, businesses should ensure that they understand and fulfil their obligations under the OSA in the UK and the DSA in the EU, or risk enforcement action including substantial fines.

Spring 2026

What does the UK government’s new research briefing tell us about labelling GenAI content, and how might this inform future transparency requirements for large online platforms?

The key takeaway

There is currently no UK legal requirement to label GenAI content, but the House of Commons Library briefing and related government note show a clear policy direction towards risk‑based transparency and technical content provenance, closely aligned with the EU AI Act’s forthcoming Article 50 obligations.

The background

On 20 January 2026, the House of Commons Library published a research briefing on “AI content labelling”. The paper explains what AI content labelling is, why it is being used and how it works, with a particular focus on deepfakes and other synthetic media. The briefing outlines current practice in the UK and internationally and surveys policies adopted by online platforms, news organisations, search engines and gaming companies.

The development

The government’s research briefing can be distilled into the following key points:

• No current UK legal duty to label AI content
  • The government’s copyright and AI work acknowledges the benefits of clear AI labelling, but highlights technical challenges and uncertainty over whether future legislation will impose mandatory labelling.
• Forthcoming EU AI Act transparency regime
  • Article 50 of the EU AI Act will introduce transparency duties for AI systems that interact with humans, generate or manipulate content, or produce deepfakes.
  • Providers of such systems must mark AI outputs in a way that is machine‑readable and detectable, while deployers must disclose when content has been artificially generated or manipulated.
  • These rules are due to apply from August 2026, but the European Commission has proposed delaying implementation until 2027 and is developing guidance and a code of practice to clarify content labelling obligations.
• Concepts and objectives of AI content labelling
  • AI content labelling is described as marking content generated or altered by AI so users understand its origin and can better assess reliability, particularly where realistic deepfakes and synthetic media may mislead.
  • The briefing distinguishes between:
    • “impact‑based” labels, which flag content that could be misleading or harmful (such as deepfakes, fraud, or disinformation)
    • “process‑based” labels, which explain how content was created (including use of AI) without necessarily suggesting risk or harm.
• Technical mechanisms and standards
  • Visible labelling methods include text overlays, captions, UI badges, watermarks and audio notices applied to content, including where AI tools are used in‑platform.
  • Invisible approaches include digital watermarks and embedded metadata in line with emerging standards.
  • The Coalition for Content Provenance and Authenticity’s “content credentials” system (C2PA) is an open protocol that uses cryptography to encode information on content origin and editing history, signposted to users by a “cr” watermark that links to provenance details.
  • Major technology companies and platforms (including Adobe, LinkedIn and Meta) are already adopting such provenance standards.
• Challenges and user behaviour
  • Practical problems, including inconsistent standards, limited interoperability between watermarking tools, and the possibility that labels or watermarks can be removed or spoofed.
  • Usability concerns, such as how prominent labels should be and whether visible markers might disrupt user experience.
  • Suggestion that generic “AI‑generated” labels tend to reduce users’ perceived accuracy of, and willingness to share, content (including truthful or human‑created material) and do not always improve users’ ability to judge veracity.
  • The impact of labels varies by context, with stronger effects in “high‑stakes” content areas (such as politics or health) than in entertainment or low‑stakes contexts.
• Current platform and media practice
  • Social media services are combining automated detection technologies, provenance metadata (eg C2PA and IPTC standards) and user disclosures to label AI content, often with more prominent labels for realistic synthetic or sensitive material (eg elections and health).
  • Many news organisations have adopted editorial policies requiring that substantial use of AI in content creation is disclosed, while maintaining human responsibility for accuracy and compliance.

Why is this important?

Although the briefing has no formal legal effect, it is likely to influence UK Parliamentary and regulatory thinking on how AI content should be labelled (including Ofcom’s approach under the Online Safety Act). It also reinforces the trajectory of EU law under Article 50 of the AI Act, underlining machine‑readable marking and risk‑based, user‑facing labels as emerging expectations. For large platforms and AI providers, policymakers are looking to existing industry practice to judge what is technically and operationally feasible. Businesses that already use a combination of standards, automated detection, and nuanced label taxonomies will be better placed to comply with future transparency rules in both the UK and EU.

Any practical tips?

Large digital platforms should treat this briefing as an early signal of policy expectations rather than a new compliance obligation. It supports a risk‑based, dual‑track labelling model:

• impact‑based labels for potentially harmful or misleading AI content (for example deepfakes, scams or election‑related material)
• alongside broader process‑based transparency where AI is used in content creation or editing.

In practice, this points towards deploying a multi‑layered technical solution that combines visible labels with invisible provenance signals (such as C2PA content credentials and metadata) to ensure AI outputs are both understandable to users and machine‑detectable.

Businesses should also consider how label wording, placement and granularity vary between low‑stakes and high‑stakes content. Aligning global product design with the EU AI Act’s upcoming Article 50 requirements and documenting how current labelling decisions reflect this kind of evidence will help demonstrate that organisations are keeping pace with emerging “good practice” in anticipation of future regulation.

Spring 2026

What is the EU doing to protect the rights of copyright owners against GenAI?

The key takeaway

A draft report by Members of the European Parliament's Legal Affairs Committee (LAC) has identified significant legal uncertainty in EU copyright rules, including the Digital Single Market Directive, which were not designed to regulate AI training. It highlights unresolved questions over compensation for copyright holders whose works are used to train GenAI, calls for AI providers to disclose the copyrighted content they use for training, and emphasises the need for clear rules on what constitutes lawful use, opt-out mechanisms, and enforcement of rights. Ultimately, the European Parliament aims to encourage AI innovation and development while safeguarding Europe's creative and cultural sectors through IP protection.

The background

On 28 January, the LAC approved new proposals aimed at clarifying how EU copyright law should apply to GenAI operating in the EU market. The proposals, which were ratified by a majority, respond to growing concerns that GenAI models rely heavily on copyrighted works for training often without transparency, consent, and duly compensating creators. The draft LAC report is being finalised and put to a Parliamentary vote in plenary in March 2026. The report seeks to ensure that access to high quality data for AI development works concurrently with fair remuneration and legal certainty for the creative sector.

The development

The report contains proposals for the European Commission and other EU institutions, and it calls on the Commission to immediately evaluate whether existing copyright laws are fit for the legal challenges posed by GenAI.

• Core principle: at the core of the proposals is the principle that EU copyright law must apply to all GenAI systems made available in the EU, regardless of where training occurs.
• Transparency obligations: AI providers must:
  • produce detailed records of web crawling activities
  • disclose which copyrighted works are used in training datasets. Non-compliance could amount to a copyright infringement and where providers fail to properly disclose, they would be obliged to prove that no copyrighted material was used.
• Compensation: the LAC asks the Commission to consider whether compensation mechanisms for rights holders should apply retroactively.
• Licensing: to support lawful access to content, LAC proposes:
  • onew licensing rules
  • ovoluntary collective licensing schemes accessible to creators of all sizes, ensuring work is protected across the creative spectrum.
• Opt-out mechanisms: the LAC calls on the Commission to develop tools that enable rightsholders to protect their work from general-purpose AI systems, including standardized machine-readable opt-out mechanisms, potentially managed by the European Union Intellectual Property Office (EUIPO).

The LAC does not support a global licence scheme which would allow AI providers to train models in exchange for a flat-rate payment, and also opposes granting copyright protection to content generated entirely by AI, calling instead for safeguards against manipulated, misleading or illegal AI-generated content.

Finally, the LAC stresses concerns with the news media sector, warning that selective aggregation of news content by AI systems risks undermining media pluralism which can reduce traffic, revenues, and trust. It therefore supports media autonomy when deciding whether they consent to their content being used for training purposes.

Why is this important?

GenAI is rapidly developing and as important as it is for the EU to remain globally competitive in AI technology, the fundamental rights of the creative industry should not be neglected. Compensating rights holders when their copyrighted work is used by GenAI is important to ensure the economic basis for creative industries is not undermined. It is clear that a fully developed and enforceable legal framework tackling AI could be the key to ensuring the EU becomes a global AI pioneer in a safe, predictable environment thus strengthening its market position.

Any practical tips?

Rights holders and creators should be aware of any opt-out mechanisms and licensing arrangements that will ensure the protection of their work. They should also document any current use of their work by AI datasets in order to enforce their rights immediately when legal frameworks are solidified.

On the other hand, AI developers and tech companies should monitor developments in EU law on AI training and it is likely to be helpful to maintain a clear and transparent record of what copyrighted material they use for training, so they are not caught off guard when the new measures are enforced. If the report is approved in the Parliamentary vote, they should also seek advice from legal experts on how to prepare thoroughly for their forthcoming obligations and should ensure they have enough cashflow for potentially remunerating rights holders when the time comes.

Spring 2026

What does the EU's first draft Code of Practice on transparency of AI-generated content (the Code) mean in practice for providers of AI systems and AI deployers?

The key takeaway

The Code acts as a broad blueprint for how providers and deployers should mark, detect and label AI-generated and AI-manipulated content under Article 50 of the EU AI Act. Although in its early form and entirely voluntary, the Code provides a good indication of the line of thinking in the EU, and in scope businesses should begin aligning products and internal processes accordingly. The final version is expected to be published in late-Summer 2026.

The background

Article 50 of Regulation (EU) 2024/1689 (AI Act), which comes into full effect on 2 August 2026, introduces transparency obligations for providers and deployers of AI systems. Providers of AI systems generating AI content (audio, image, video or text) must ensure that the content is marked and detectable as AI generated or manipulated. Deployers of AI systems that generate deepfakes or text published for public interest purposes, must disclose that the content has been AI generated or manipulated.

In September 2025, the Commission announced that it would begin developing a Code of Practice on the Article 50 obligations (see our Winter 2025 edition of Snapshots). The drafting process for the Code of Practice has involved input from a multi-stakeholder consultation and independent experts.

The development

On 17 December 2025, the Commission published its first draft of the Code stating the overarching objective of promoting "human-centric and trustworthy AI" whilst ensuring the protection of fundamental rights in the EU against any harmful effects of AI. To achieve this, the Code introduces key commitments and considerations to help in-scope businesses comply with Article 50.

Commitments for providers of AI systems

• Implementation of 'multi-layered' AI marking techniques: providers should use markings that are machine-readable and multi-layered. This will include an "imperceptible watermark" interwoven within the content, making it difficult to remove. Any metadata should also include provenance information and a signature of the GenAI system. Providers should have in place functions allowing deployers of AI generated content to label their output with a "perceptible mark" in line with their own commitments in the Code.
• Free AI detection system: AI systems should include publicly available detection mechanisms allowing users to check whether content has been AI generated or manipulated. All users should be able to understand any results produced by the detection systems and should be provided with the necessary guidance and training material to enable them to make an informed decision on what marking tools they may use.

Commitments for deployers of AI systems

• Consistent disclosure of origin of deepfakes: deployers must implement a common taxonomy for classifying deepfakes that distinguishes between fully AI-generated content and AI-assisted content (content with mixed human and AI involvement). Deployers should also use a common two-letter AI acronym icon as a method of disclosure and commit to the future development of a common interactive EU icon (the draft Code provides examples for potential icons).
• Labelling deepfakes and AI-generated text: deployers must have in place internal processes to identify and label in "a clear and distinguishable manner" deepfake image, audio and video content, applying any necessary exceptions such as artistic or satirical work or law enforcement use. Deepfake labelling that relies on automation should be supported by appropriate human oversight. The Code sets out specific placement rules for AI-generated video (real-time and non-real time), multimodal content, images, audio‑only content and text publications with a public interest purpose. Disclosure is not required for AI-assisted text publications that have undergone human review or editorial control, however deployers should retain appropriate documentation to evidence this. Icons and labels must also meet applicable EU accessibility requirements.

Both providers and deployers are expected to maintain appropriate compliance documentation setting out the practices and processes used, train personnel and cooperate with market surveillance authorities. Deployers must provide secure channels for the public and third parties to flag mislabelled or unlabelled deepfakes and AI‑generated text and remediate any issues without undue delay.

Why is this important?

Although voluntary, the Code is explicitly framed as a means for providers and deployers to demonstrate compliance with Article 50, but is not "conclusive evidence" of compliance. The final version may inform market surveillance authorities' expectations and enforcement criteria. Businesses can expect a more detailed Code in the future. Additional commitments and measures may also be added, and existing ones removed or revised through further stakeholder engagement.

Any practical tips?

In-scope businesses should ensure they understand whether they act as "providers" or "deployers" (or both) under the AI Act and assess their current policies, practices and technology around marking, detection tools and labelling to identify any compliance gaps. Social media platforms that may already employ similar measures to those set out in the Code should begin to assess if they align with the Code.

Interested businesses should engage with future Commission consultations or working groups where possible, to help keep ahead of any future revisions to the Code.

Spring 2026

Why has the European Commission initiated specification proceedings to assist Google in complying with the Digital Markets Act (DMA)?

The key takeaway

The European Commission is showing increased focus on ensuring fair competition between AI developers. This includes close monitoring of compliance with provisions in the DMA which require large platforms to share knowledge and resources with third parties.

The background

The DMA imposes requirements on large online platforms known as "gatekeepers" to regulate fairness and encourage competition in the digital market. Under the DMA, the European Commission can commence "specification proceedings" as a procedure by which the Commission can clarify how a gatekeeper must comply with its legal obligations.

Google was designated as a gatekeeper platform by the European Commission on 6 September 2023 and has been required to comply with the provisions of the DMA since 7 March 2024.

The development

On 27 January 2026, the European Commission announced that it had opened two sets of specification proceedings to assist Google to comply with its regulatory obligations under the DMA. These proceedings concern the obligation for Google to:

• make available, at no cost, interoperability tools that allow third-party developers to access and use hardware and software features of the Google’s Android operating system, particularly those used by Google’s AI services, including Gemini
• allow third-party online search engine providers access to anonymised ranking, query, click and view data held by Google Search on "fair, reasonable and non-discriminatory" (FRAND) terms.

The proceedings are scheduled to last for six months, with preliminary findings communicated to Google within three months and non-confidential summaries of those findings to be subsequently made available to third parties. The proceedings will not make a determination on Google's compliance with the DMA.

Why is this important?

The proceedings are significant because they will test how the DMA’s interoperability requirements apply in practice to AI-related services. They will also help clarify how the DMA’s data access obligations extend to search engine data and shed further light on the anonymisation standards and “FRAND” terms the Commission considers appropriate.

Although the Commission cannot allege non-compliance through specification proceedings, these processes are likely to shape future enforcement action.

More generally, these proceedings evidence increased concern from the European Commission regarding competition in the digital sector with the rapid development of AI. There are similarities between these proceedings and the guidance that the Commission gave to Apple in 2024 to provide competitors easy interoperability with Apple's systems. The parallels with the Apple guidance also highlight the Commission's willingness to use the DMA as a tool to ensure fair competition in digital markets.

Any practical tips?

Gatekeepers and other large online platforms should monitor these proceedings closely, as they are likely to influence how the DMA’s interoperability and data-access obligations are interpreted and enforced in practice. Platforms may also wish to assess whether to proactively develop and publish interoperability tools and to make them available to third-party developers.

Spring 2026

What does the European Commission's renewal of its data protection adequacy decisions mean for the free flow of personal data between the UK and the EU?

The key takeaway

The Commission’s renewal of the adequacy decisions granted to the UK in 2021 means that EU-UK data flows can continue largely as they do today, without the need for additional assessments or safeguards for each transfer. For most organisations with operations in the EU and UK, this preserves a familiar and relatively low-friction basis for sharing personal data across borders until at least December 2031, albeit against a backdrop of ongoing EU monitoring of the UK regime.

The background

EU Regulation 2016/679 (the EU GPDR) empowers the European Commission to determine whether the data protection framework of a non-EU country offers an adequate level of protection for personal data transferred from the EU and the European Economic Area (EEA) to that country. If the Commission determines that the protection offered to personal data in a jurisdiction is equivalent to that in the EU, it can grant an adequacy decision that allows the free flow of data subject to the EU GDPR to that jurisdiction without further safeguards.

In 2021, the Commission adopted two Implementing Decisions concluding that the UK's laws and regulatory framework provided adequate protection for personal data transferred from the EU to the UK (the Decisions). In doing so, the Commission took account that the UK would adopt a new data protection regime post-Brexit, amending the regime that applied while the UK was an EU Member State. The Decisions were limited to four years as a result and were scheduled to expire on 27 June 2025, however this was later extended to 27 December 2025 following the introduction of the Data (Use and Access) Act (DUAA), which amended the UK GDPR and DPA 2018 (see our Summer 2025 edition of Snapshots), to allow the Commission to complete its assessment of the UK's new data protection landscape.

The development

On 19 December 2025, the Commission announced that it had renewed its 2021 Implementing Decisions under both the GDPR and the Law Enforcement Directive (LED), concluding that the UK's data protection framework continues to provide an adequate level of protection for personal data that is "essentially equivalent" to the protection provided within the EU itself.

In its assessment, the Commission considered whether the data protection rights, and their effective implementation, supervision and enforcement and the legal system as a whole, remain effective in delivering the required level of protection. The Decision is not however a finding that the UK's framework offers an identical level of protection to the EU.

The renewed Decision reviews and considers UK legislative and regulatory developments including changes made by DUAA, such as:

• the new provisions around processing personal data for scientific and statistical purposes, which the Commission found to be consistent with the "letter and spirit" of the GDPR
• an additional lawful ground of processing for the purposes of a "recognised legitimate interest". The Commission noted that this new ground is subject to several important limitations, including that processing must serve a clear public interest
• new powers allowing the Secretary of State to add new special categories of data that are subject to additional protection. The Commission concluded that this does not affect the level of protection for special categories of data that it found adequate in 2021
• clarification of the time limit for responding to data subject access requests (DSARs) and codification of case law such that searches should be "reasonable and proportionate". The Commission observed that this reflects existing ICO guidance and ensures that DSARs are handled in reasonable timeframes, preserving the right of access
• the replacement of the ICO with a reformed Information Commission as the data protection enforcement authority, and the introduction of new powers (including the right to require reports and issue interview notices). The Commission concluded that safeguards to ensure the authority’s independence remain equivalent to those assessed in 2021.

The Commission's 2021 Decision remains in force for aspects of UK data protection law that have not been amended. The renewed Decisions will remain in force until 27 December 2031, when it is anticipated that the position will be reviewed again.

Why is this important?

Adequacy decisions are binding on all EU Member States. The renewal of the UK's adequacy status means that personal data can continue to flow from the EU to the UK and without the need for additional authorisations, and vice versa

For UK businesses operating in or with the EU, this avoids the need to put in place additional safeguards and assessments for data transfers, reducing cost while maintaining assurances that customer and employee data will be appropriately protected. The Commission will continue to monitor the UK's data protection framework and any legislative or regulatory developments, on an ongoing basis, to ensure its decision remains valid.

Any practical tips?

Businesses should confirm that EU partners are aware that the adequacy decisions have been renewed and consider this in their processes for establishing any new EU-UK transfers.

Spring 2026

Why did the Information Commissioner’s Office (ICO) fine two companies a total of £225k for nuisance marketing messages, and what does this mean for businesses sending emails and texts?

The key takeaway

The ICO's message remains clear. If you send electronic marketing without valid consent, or you misuse the “soft opt-in” exception, you risk significant potential fines under the Privacy and Electronic Communications Regulations 2003 (PECR).

The background

PECR sits alongside the UK GDPR and the Data Protection Act 2018. It includes specific rules for electronic direct marketing by email and SMS.

Under PECR:

• businesses must have prior consent to send marketing emails or texts to an individual, unless the narrow “soft opt-in” applies
• the soft opt-in can only be used where:
  •  contact details were obtained during a sale or negotiations for a sale to that individual;
  • marketing relates to the sender’s own similar products or services;
  • the individual was given a clear opportunity to refuse marketing at the point of data collection
  • an opt-out is provided in every message.

The development

In January 2026, the ICO fined Allay Claims Ltd (£120k) and ZMLUK Limited (£105k) for sending millions of unlawful marketing messages.

Allay Claims Ltd (Allay) sent over four million marketing SMS messages promoting PPI tax refund services over the course of 12 months. The ICO found that the messages were not service messages but were clearly direct marketing. Allay did not obtain consent to send the messages, nor could it (as it claimed) rely on the soft opt-in as it failed to provide individuals with an opportunity to opt-out of direct marketing at the point of obtaining the individuals' contact details.

From January 2023 to July 2023, ZMLUK Limited (ZML) sent more than 67 million marketing emails using data it obtained from a third-party. Individuals were presented with a list of 361 "partner" organisations on the third-party website but were not given a way to choose which companies could contact them. The ICO concluded this did not amount to specific, informed consent. Further, ZML did not carry out sufficient due diligence to check that personal data has been obtained fairly and lawfully, and that consent had been validly obtained, by the third parties on which it relied for the relevant marketing lists.

Why is this important?

These decisions reinforce that:

• direct marketing consent mechanisms should be clear and granular, so individuals understand, and have a choice about, the direct marketing they receive
• soft opt-in is narrow and strictly applied. It cannot be used for third-party marketing, where no sale or negotiation for sale occurred or where no opt-out was given at collection and in each subsequent communication
• when buying in marketing lists or sending marketing on behalf of a third party, the organisation sending the direct marketing must conduct due diligence and be able to evidence lawful consent
• the ICO continues to treat nuisance direct marketing as a serious privacy infringement.

Any practical tips?

The fines are a strong reminder around the basics of obtaining marketing consent, including:

• using clear, unticked opt-in boxes for marketing
• providing a simple opt-out at collection and in every message
• conducting due diligence on third party data sources
• keeping auditable records of consent
• treating promotional content as marketing, regardless of how it is labelled and even if combined with a service-related message.

Spring 2026

What does the Data (Use and Access) Act 2025 (DUAA) change for UK data protection law, and what are the practical implications for businesses' data uses, governance and compliance strategies?

The key takeaway

As of 5 February 2026, most of the remaining DUAA data protection provisions have come into force. Some provisions commence on 19 June 2026, and certain ICO governance provisions will follow later. Following the commencement of these new provisions, businesses should review their existing processes and consider a number of changes, including: assessing whether any current reliance on legitimate interests can be transitioned to a "recognised legitimate interest basis"; updating playbooks to reflect potentially simpler UK GDPR compliance requirements; and identifying potential scope for automated decision making (ADM) process changes.

The background

The DUAA, which received Royal Assent on 19 June 2025, updates current UK data protection legislation such as the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), introducing a number of pro-business changes (see our Summer 2025 edition of Snapshots).

While some of its provisions came into force automatically, many required commencement regulations. The government has taken a four-staged approach towards commencement.

The development

On 5 February 2026, most of the remaining DUAA data protection provisions came into force via the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82). Some provisions, for example those relating to complaints procedures (section 103 and Schedule 10), commence on 19 June 2026, and certain ICO governance provisions will follow later. Some key changes that are now in force include:

• clarification on what constitutes processing for research and statistical purposes (such as certain research for a commercial interest) and additional flexibility for obtaining valid consent for scientific research related processing
• a new lawful basis for personal data processing: “recognised legitimate interest”
• clarification on purpose limitation requirements and the factors to consider when determining whether a new purpose of processing is compatible with the original purpose
• controllers can now rely on relevant international law obligations to justify some processing activity, potentially widening justification for certain cross‑border or public‑interest processing
• codification of the existing ICO guidance on DSARs, including information relating to timeframes to respond to requests and the position that controllers only need to carry out reasonable and proportionate searches for personal data
• a new exception to the obligation to provide transparency information when controllers process personal data for a further purpose, where that purpose is for research, archiving or statistical purposes, subject to certain additional restrictions
• an updated ADM framework, expanding the circumstances in which the lawful basis will apply and adding provisions on safeguards (eg around human involvement and transparency)
• provides factors to be considered when implementing data protection by design when providing information society services likely to be accessed by children
• alters the test to determine whether a third country may receive an adequacy decision, which is now that the standard of data protection offered to data subjects in the third country is not materially lower than that in the UK
• enhances ICO powers including in relation to manifestly unfounded/excessive requests made to the ICO, demanding reports relating to data protection compliance, issuing interview notices, penalty notices and PECR enforcement. In particular, Schedule 13 brings PECR fines in line with UK GDPR levels (up to the greater of £17.5m or 4% of global turnover).

Why is this important?

The majority of the long anticipated data protection provisions of DUAA are now in force. It is hoped that these changes will reduce administrative burdens on businesses and foster innovation and economic growth. Given the amount of notice we have had for these changes, the market may have started to consider implementing any necessary changes in advance of commencement.

Any practical tips?

Businesses may want to consider:

• mapping UK processing where they currently rely on legitimate interests and assess whether businesses can shift to a “recognised legitimate interest” basis, noting that in certain scenarios both lawfulness and purpose limitation can be assumed, particularly for activities such as fraud/crime prevention, security and safeguarding under‑18s
• identify scenarios for potential ADM process changes eg automation in recruitment
• include children’s higher protection in DPIA templates and/or design governance artefacts
• review research, experimentation and measurement activities using personal data subject to UK GDPR to identify whether it may fall under the broad definition of scientific research.

Spring 2026

What do recent enforcement decisions say about the Information Commissioners Office's (ICO) expectations of security and children's privacy, in particular around public data and privacy assurances?

The key takeaway

The ICO treats both security and children’s privacy as enforcement priorities, with “reasonable” security assessed holistically across endpoints. Regulators will actively test whether technical and organisational measures genuinely match the public assurances that organisations give on those points, and UK‑specific standards should be treated as hard compliance baselines for large tech platforms. Robust governance and early, constructive engagement and remediation after incidents are critical to managing enforcement risk and penalty exposure.

The background

The ICO has recently issued two notable penalties, demonstrating sharpened expectations on security and children’s privacy for organisations processing personal data.

LastPass UK Ltd

LastPas UK Ltd was fined £1.2m following two linked security incidents which together compromised the personal data of up to 1.6 million UK users.

A hacker first compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment. No personal data was taken at this stage, but the attacker obtained encrypted company credentials, which it used to target a senior employee with access to a decryption key and to exploit a known vulnerability on their personal device. Malware (specifically a keylogger) was installed, capturing the employee’s master password, and multi‑factor authentication was bypassed using a trusted device cookie.

The hacker then gained access to the employee's personal vault, which was linked to their professional one, and obtained the information needed to unlock LastPass's backup database. By combining information from both incidents, the hacker was able to access and extract the contents of that backup database, which contained customers' personal information (including customer names, email addresses, phone numbers and stored website URLs).The ICO found no evidence that customer passwords themselves were decrypted, due to LastPass’ “zero knowledge” system where master passwords are stored locally on users’ devices and not by LastPass.

MediaLab

MediaLab, owner of the online image hosting and sharing platform Imgur, was fined £247,590 for unlawfully processing children’s data, including failing to implement any effective age assurance or conduct a data protection impact assessment (DPIA), thereby exposing under‑13s to potentially harmful content between September 2021 and September 2025.

Despite terms stating that under 13s could only use the platform with parental supervision, Imgur failed to implement measures to check the ages of its users. The platform therefore processed, in direct breach of UK GDPR, the personal data of children under 13 without parental consent. Children were at risk of exposure to harmful content on the platform as a result.

Security as "duty of care"

In the case of LastPass, the ICO's focus on “two isolated incidents” leading to a major breach underlines that regulators will scrutinise how individual control failures can interact, not just each control in isolation. The ICO also criticised the lack of “sufficiently robust technical and security measures” to prevent compromise of backups in the second part of the incident. This penalty confirms that “reasonable” security under UK GDPR and the Data Protection Act 2018 is assessed holistically: device security, third party software vulnerabilities, MFA implementation, internal segregation of environments, and protection of backup infrastructure all matter.

The ICO also highlighted that services that “promise to help people improve their security” are under a heightened obligation not to “leave them vulnerable”. The regulator called on “all UK business” to urgently review systems and procedures, pointing to ICO and National Cyber Security Centre (NCSC) guidance on device security, working from home policies and data security.

Children’s data as a strategic enforcement priority

The ICO declared that this decision forms part of a “wider intervention” in line with its Age-Appropriate Design Code (the Children's Code), which requires platforms likely to be accessed by under 18s to put children’s best interests at the forefront and provide “a high level of privacy by default”. This signals that the enforcement is not isolated, but part of a broader regulatory push around children’s privacy online.

The regulator considered three main factors to reach its decision: the number of children affected, potential harm and nature of risks, and duration. MediaLab’s acceptance of the ICO’s provisional findings and its commitment to remediate the infringements acted as mitigation and contributed to the level of fine issued.

To ensure compliance, the ICO expects MediaLab (and similar platforms) to:

• implement effective age assurance that is proportionate to the risks on the platform
• obtain valid parental consent where under‑13s’ data is processed on the basis of consent
• conduct DPIAs to identify and mitigate privacy risks to children
• design services in line with the Children’s Code.

Why is this important?

In both cases, public‑facing assurances were undermined by design and implementation failures. The ICO’s language suggests increased willingness to test whether technical and organisational measures genuinely reflect what is promised to users. It is likely that data breaches of sufficient seriousness will result in thorough investigations and significant monetary fines.

For large tech platforms, this reinforces the need to treat UK‑specific regulatory expectations (eg Children’s code, ICO security guidance) as hard compliance baselines, not soft best practice.

Any practical tips?

As the ICO's enforcement drive continues, businesses should ensure that technical measures genuinely match what is promised to users, treating security and privacy as core design obligations. Taking a holistic, risk-based approach is key to assess how multiple weaknesses can interact and match the strength of control to the level and nature of the risk.

Implementing robust governance and accountability are paramount to effectively address breach risks, access control, device security and high-risk user groups. Carrying out and updating DPIAs is not just a compliance formality but should drive concrete mitigation steps for high-risk processing.

Finally, early engagement in the event of a breach and ability to demonstrate credible remediation after an incident can benefit businesses. The ICO has shown in both decisions that acceptance of findings and concrete commitments to improve can influence enforcement outcomes.

Spring 2026

What data protection concerns has the Information Commissioner’s Office (ICO) identified in relation to X’s deployment of the Grok AI system?

The key takeaway

The ICO has launched formal investigations into X’s processing of personal data in respect of Grok, X's AI chatbot. The investigations will focus on whether the system unlawfully generated sexualised manipulated images and whether appropriate safeguards were built into Grok's design and deployment.

The background

On 7 January 2026, the ICO contacted X Internet Unlimited Company (XIUC) and X.AI LLC (X.AI) following reports that Grok had been used to generate sexual images of individuals, including children, in breach of data protection law. The ICO has now opened formal investigations into both entities. According to the ICO, the reported creation and circulation of such content “raises serious concerns under UK data protection law and presents a risk of significant potential harm to the public”. The investigations will examine whether personal data was processed lawfully, fairly and transparently, and whether Grok incorporated adequate safeguards to prevent harmful manipulated images being generated.

The development

The ICO’s investigations, which are ongoing, will assess:

• lawfulness, fairness and transparency: whether XIUC and X.AI had a lawful basis to process the personal data, whether they did so fairly and if they provided sufficient information to individuals about the processing of their data for these purposes. As the ICO notes: “losing control of personal data in this way can cause immediate and significant harm… particularly where children are involved”
• design and deployment safeguards: whether Grok’s technical design included appropriate measures to prevent the generation of intimate or sexualised images using personal data
• high‑risk processing obligations: whether the companies identified and mitigated risks associated with synthetic or manipulated imagery involving real individuals, and whether high‑risk processing was subject to appropriate safeguards.

The ICO is working closely with Ofcom and other regulators in relation to the data protection and safety compliance of digital platforms. Ofcom and the European Commission have launched separate investigations into X under the Online Safety Act and Digital Services Act respectively, but those relate to content‑safety and systemic‑risk obligations rather than data protection. On 23 February 2026, the European Data Protection Supervisor released a Joint Statement on AI-Generated Imagery and the Protection of Privacy. The statement, which represents the views of 61 data protection authorities around the world (including the ICO), highlighted the risks and the requirement for "robust safeguards" around image generation.

Why is this important?

The investigations highlight regulators’ increasing scrutiny of AI systems that process personal data to generate synthetic or manipulated content. For businesses deploying generative AI, the ICO’s focus on lawful processing, transparency, and built‑in safeguards underscores the need for robust risk assessments, particularly where models may generate harmful or privacy-intrusive content. The regulatory activity across the ICO, Ofcom, the European Commission and other data protection regulators also signals a broader trend towards multi‑regulator oversight of AI‑driven platforms, with potential implications for compliance strategies across jurisdictions.

Any practical tips?

Businesses developing or deploying generative AI tools should ensure that high‑risk processing, especially involving real individuals’ images, is supported by clear legal bases, strong safeguards, and effective monitoring. Controllers should carry out due diligence on model‑training inputs, ensure guardrails to prevent harmful outputs have been implemented, and maintain responsive mechanisms for complaints and takedown requests. Given the cross‑regulatory interest in Grok, organisations should also anticipate increased expectations around transparency, risk documentation and cross‑functional governance when rolling out new AI features.

Spring 2026

The question

In what circumstances will a party be entitled to terminate a contract for the supply of goods where it has committed an earlier repudiatory breach? 

The key takeaway

A failure to communicate acceptance of a repudiatory breach means the contract remains alive. Therefore, if the innocent party later commits a material breach of the contract, the initial wrongdoing party that committed the repudiatory breach may terminate the contract and claim damages.

The background

Uniserve Ltd ("Uniserve"), an English logistics company, began supplying PPE to the NHS during the Covid-19 pandemic. On or around 23 – 24 April 2020, Uniserve entered into an agreement with Advanced Multi-Technology for Medical Industry t/a Hitex ("Hitex"), a Jordanian manufacturer of medical supplies, whereby Hitex would supply Uniserve with 80 million face masks.

Under the supply agreement, Hitex was required to make the masks available for collection at its factory in Jordan according to a delivery schedule. Delivery dates were of the essence, meaning Uniserve was entitled to terminate the contract and claim damages if Hitex failed to deliver on time. Time was not of the essence regarding Uniserve's collection obligations. The contract included an entire agreement clause excluding liability for non-fraudulent pre-contractual representations.

Hitex failed to fulfil the first four deliveries due to production issues and had only delivered 1 million masks by May 2020. On 26 May 2020, the parties agreed a revised delivery schedule for the remaining 79 million masks. The following is an excerpt of the revised schedule:

Hitex made the first two deliveries under the revised schedule, which Uniserve collected but no further deliveries occurred. On 17 June 2020, Uniserve purported to terminate the contract by communicating to Hitex that the supply contract was over. Hitex nonetheless continued production and on 11 July 2020, complained that Uniserve had failed to collect further deliveries. In response, Uniserve reiterated that the contract was terminated.

Hitex then commenced a claim in damages for non-acceptance of the goods on the basis that the supply agreement had never been validly terminated.  Uniserve argued before the court of first instance that it was entitled to terminate the supply contract for failure to meet the delivery obligations, or alternatively to rescind the contract for misrepresentation, relying on a pre-contractual statement by Mr Waller, an intermediary, that Hitex could "produce 5 million [masks] a week".  Uniserve's own pre-contractual investigations found actual production capacity to be closer to 1 million masks per week. The court rejected Uniserve's misrepresentation argument, finding (1) that Mr Waller was not authorised to make statements on behalf of Hitex, despite Hitex's admission in its pleading that Mr Waller was authorised; and (2)  that Uniserve had entered into the contract in reliance on its own investigations and so there was no wrongful inducement required for misrepresentation (for a full breakdown of the High Court judgment see our Autumn 2024 Snapshots). Additionally, the judge found that Uniserve had wrongfully terminated the contract on 17 June, as Hitex had in fact fulfilled its delivery obligations under the revised schedule, amounting to a repudiatory breach by Uniserve. Despite Hitex asserting that it had kept the contract alive, the judge found that by 13 July Hitex was no longer producing sufficient masks to meet deliveries or contacting Uniserve to arrange collection, constituting valid acceptance of Uniserve's repudiation by Hitex (and that the contract was therefore validly terminated by Hitex on 13 July 2020). The judge in the court of first instance awarded Hitex damages of US $16.94 million, which Uniserve appealed.

The decision

The main issue for the Court of Appeal was whether Uniserve had been entitled to terminate the contract. The court also considered the matter of whether Uniserve would have been entitled to rescind the contract for misrepresentation.

On the latter issue, the court rejected Uniserve's misrepresentation argument, finding that Uniserve had not relied on Mr Waller's statement, as it had conducted its own investigation and knew his statement to be untrue upon entering into the supply contract. The presumption of inducement was therefore rebutted on the facts and Uniserve was not entitled to rescind the contract for misrepresentation.

As to the main issue of valid termination, the court found that Uniserve was entitled to validly terminate the supply contract on 11 July 2020. It was common ground that Hitex had not communicated acceptance of Uniserve's initial purported termination on 17 June 2020. Accordingly, the contract remained in force and Hitex was obliged to continue delivering masks under the revised schedule. As time was not of the essence regarding Uniserve's collection obligation, the total number of masks that Hitex was required to have for shipment on each specified date under the schedule was cumulative, meaning Hitex had to keep accumulating stock to meet the cumulative outstanding totals. For example, in addition to the 2 million masks due on 14 June, it also had to have the 3 million additional masks due on 21 June available for delivery, and so forth.

The court considered Hitex's Production Reports, showing available quantities against the quantities due on each specified delivery date and the evidence of Hitex's Operation and Export Manager who admitted that 15% of Hitex's stock was reserved for the Jordanian government and unavailable for Uniserve. Applying this reduction, the court found that on 21 June and 5 July, Hitex lacked sufficient stock to deliver the cumulative outstanding quantity and was therefore in breach of its delivery obligations. As time for performance of these obligations was of the essence, Uniserve was entitled to terminate the contract on 11 July 2020 (when it reiterated that the supply contract had finished). This was the case despite its own earlier repudiatory breach arising from its purported (but unlawful) termination on 17 June 2020.

This finding meant Hitex's claim for damages for non-acceptance of 77 million masks also failed. The court concluded that, even if Uniserve had not been entitled to terminate, Hitex had not accumulated sufficient stock to fulfil its obligations and could not recover damages for Uniserve's failure to accept stock that was not available for delivery.

Why is this important?

The judgment demonstrates the importance of performing ongoing contractual obligations where a repudiatory breach is not accepted. This is because where purported termination amounting to a repudiatory breach has not been accepted, the innocent party is still obliged to performance according to the agreement.

Additionally, the court made it clear that when deliveries are missed, a seller cannot just "retender" or "reuse" the same goods for successive deliveries or claim damages for non-accepted goods that were never available. A supplier cannot mitigate future breaches by not performing its own obligations, as Hitex had done by ceasing production and such actions may open the supplier up to liability for breach of contract.

Any practical tips?

When a party to a contract has committed a repudiatory breach, the innocent party faces a critical decision. Until the innocent party communicates acceptance of the breach and thereby terminates the contract, their contractual obligations continue. If the innocent party fails to perform these obligations without formally accepting the breach, they may themselves be in breach of contract and exposed to liability. Therefore, it is essential for the innocent party to quickly and carefully consider whether to accept the breach and to communicate their decision clearly, ensuring they remain compliant with their ongoing contractual duties until acceptance is given.

Winter 2025

]]>Fri, 02 Jan 2026 15:04:00 ZCommercial casesAdvanced Multi-Technology for Medical Industry (t/a Hitex) and others v Uniserve Ltd [2025] EWCA Civ 1212

The question

In what circumstances will a party be entitled to terminate a contract for the supply of goods where it has committed an earlier repudiatory breach? 

The key takeaway

A failure to communicate acceptance of a repudiatory breach means the contract remains alive. Therefore, if the innocent party later commits a material breach of the contract, the initial wrongdoing party that committed the repudiatory breach may terminate the contract and claim damages.

The background

Uniserve Ltd ("Uniserve"), an English logistics company, began supplying PPE to the NHS during the Covid-19 pandemic. On or around 23 – 24 April 2020, Uniserve entered into an agreement with Advanced Multi-Technology for Medical Industry t/a Hitex ("Hitex"), a Jordanian manufacturer of medical supplies, whereby Hitex would supply Uniserve with 80 million face masks.

Under the supply agreement, Hitex was required to make the masks available for collection at its factory in Jordan according to a delivery schedule. Delivery dates were of the essence, meaning Uniserve was entitled to terminate the contract and claim damages if Hitex failed to deliver on time. Time was not of the essence regarding Uniserve's collection obligations. The contract included an entire agreement clause excluding liability for non-fraudulent pre-contractual representations.

Hitex failed to fulfil the first four deliveries due to production issues and had only delivered 1 million masks by May 2020. On 26 May 2020, the parties agreed a revised delivery schedule for the remaining 79 million masks. The following is an excerpt of the revised schedule:

Hitex made the first two deliveries under the revised schedule, which Uniserve collected but no further deliveries occurred. On 17 June 2020, Uniserve purported to terminate the contract by communicating to Hitex that the supply contract was over. Hitex nonetheless continued production and on 11 July 2020, complained that Uniserve had failed to collect further deliveries. In response, Uniserve reiterated that the contract was terminated.

Hitex then commenced a claim in damages for non-acceptance of the goods on the basis that the supply agreement had never been validly terminated.  Uniserve argued before the court of first instance that it was entitled to terminate the supply contract for failure to meet the delivery obligations, or alternatively to rescind the contract for misrepresentation, relying on a pre-contractual statement by Mr Waller, an intermediary, that Hitex could "produce 5 million [masks] a week".  Uniserve's own pre-contractual investigations found actual production capacity to be closer to 1 million masks per week. The court rejected Uniserve's misrepresentation argument, finding (1) that Mr Waller was not authorised to make statements on behalf of Hitex, despite Hitex's admission in its pleading that Mr Waller was authorised; and (2)  that Uniserve had entered into the contract in reliance on its own investigations and so there was no wrongful inducement required for misrepresentation (for a full breakdown of the High Court judgment see our Autumn 2024 Snapshots). Additionally, the judge found that Uniserve had wrongfully terminated the contract on 17 June, as Hitex had in fact fulfilled its delivery obligations under the revised schedule, amounting to a repudiatory breach by Uniserve. Despite Hitex asserting that it had kept the contract alive, the judge found that by 13 July Hitex was no longer producing sufficient masks to meet deliveries or contacting Uniserve to arrange collection, constituting valid acceptance of Uniserve's repudiation by Hitex (and that the contract was therefore validly terminated by Hitex on 13 July 2020). The judge in the court of first instance awarded Hitex damages of US $16.94 million, which Uniserve appealed.

The decision

The main issue for the Court of Appeal was whether Uniserve had been entitled to terminate the contract. The court also considered the matter of whether Uniserve would have been entitled to rescind the contract for misrepresentation.

On the latter issue, the court rejected Uniserve's misrepresentation argument, finding that Uniserve had not relied on Mr Waller's statement, as it had conducted its own investigation and knew his statement to be untrue upon entering into the supply contract. The presumption of inducement was therefore rebutted on the facts and Uniserve was not entitled to rescind the contract for misrepresentation.

As to the main issue of valid termination, the court found that Uniserve was entitled to validly terminate the supply contract on 11 July 2020. It was common ground that Hitex had not communicated acceptance of Uniserve's initial purported termination on 17 June 2020. Accordingly, the contract remained in force and Hitex was obliged to continue delivering masks under the revised schedule. As time was not of the essence regarding Uniserve's collection obligation, the total number of masks that Hitex was required to have for shipment on each specified date under the schedule was cumulative, meaning Hitex had to keep accumulating stock to meet the cumulative outstanding totals. For example, in addition to the 2 million masks due on 14 June, it also had to have the 3 million additional masks due on 21 June available for delivery, and so forth.

The court considered Hitex's Production Reports, showing available quantities against the quantities due on each specified delivery date and the evidence of Hitex's Operation and Export Manager who admitted that 15% of Hitex's stock was reserved for the Jordanian government and unavailable for Uniserve. Applying this reduction, the court found that on 21 June and 5 July, Hitex lacked sufficient stock to deliver the cumulative outstanding quantity and was therefore in breach of its delivery obligations. As time for performance of these obligations was of the essence, Uniserve was entitled to terminate the contract on 11 July 2020 (when it reiterated that the supply contract had finished). This was the case despite its own earlier repudiatory breach arising from its purported (but unlawful) termination on 17 June 2020.

This finding meant Hitex's claim for damages for non-acceptance of 77 million masks also failed. The court concluded that, even if Uniserve had not been entitled to terminate, Hitex had not accumulated sufficient stock to fulfil its obligations and could not recover damages for Uniserve's failure to accept stock that was not available for delivery.

Why is this important?

The judgment demonstrates the importance of performing ongoing contractual obligations where a repudiatory breach is not accepted. This is because where purported termination amounting to a repudiatory breach has not been accepted, the innocent party is still obliged to performance according to the agreement.

Additionally, the court made it clear that when deliveries are missed, a seller cannot just "retender" or "reuse" the same goods for successive deliveries or claim damages for non-accepted goods that were never available. A supplier cannot mitigate future breaches by not performing its own obligations, as Hitex had done by ceasing production and such actions may open the supplier up to liability for breach of contract.

Any practical tips?

When a party to a contract has committed a repudiatory breach, the innocent party faces a critical decision. Until the innocent party communicates acceptance of the breach and thereby terminates the contract, their contractual obligations continue. If the innocent party fails to perform these obligations without formally accepting the breach, they may themselves be in breach of contract and exposed to liability. Therefore, it is essential for the innocent party to quickly and carefully consider whether to accept the breach and to communicate their decision clearly, ensuring they remain compliant with their ongoing contractual duties until acceptance is given.

Winter 2025

]]>{F0AD3201-9FB6-49AA-B4A4-DFD408442915}https://www.rpclegal.com/snapshots/commercial-cases/winter-2025/the-court-of-appeal-finds-wrongdoing-shareholders-can-remedy-a-repudiatory-breach/Kulkarni v Gwent Holdings Ltd [2025] EWCA Civ 1206

The question

Is a repudiatory breach incapable of remedy for the purposes of a compulsory transfer clause in a shareholder's agreement?

The key takeaway

Repudiatory breaches of contract are capable of being remedied so any contract drafting should specify if a repudiatory breach is to be considered irremediable. Whether or not a breach is remediable requires a practical assessment of the facts. Technical assessments of the breach are not helpful or necessary.

The background

Mr Kulkarni, a consultant surgeon and medical director at St Joseph's Independent Hospital (the Hospital) partnered with successful businessman Mr Lewis via his investment vehicle Gwent Holdings Limited (Gwent). Together, they agreed to invest in a company (the Company) to acquire the Hospital due to its owner experiencing financial difficulties. On 13 February 2020, Mr Kulkarni, Gwent and the Company entered into a Shareholders Agreement (the SHA) under which Mr Kulkarni was allocated 1,652 A Shares and Gwent was allocated 1,718 A Shares. In practice however, Mr Kulkarni held only one share, having believed he did not need to pay for the remainder.

Clause 3 and Schedule 2 of the SHA stated that certain actions of the Company – such as changes to its share capital or registration of new members – required the "Shareholder Consent" of Mr Kulkarni and Gwent. Clause 6 required shareholders wishing to transfer shares to give a "Transfer Notice" following which the Company would offer the shares to other shareholders for "Fair Value" or, if within 3 years of the SHA, a maximum of the lower of the subscription price paid for each share and the Fair Value of each share. Finally, under clause 7.1(d), a shareholder who commits a "material or persistent breach" of the SHA which, if remediable, has not been remedied within 10 Business Days of notice to remedy the breach, was deemed to have served a Transfer Notice immediately before the breach. Under Clause 6.7, a "Deemed Transfer Notice" "may not be withdrawn".

On 25 June 2020, following an ongoing dispute between Mr Kulkarni and one of the Gwent appointed directors of the Company over hospital management and Covid-19 shielding, Mr Kulkarni resigned as a director and employee of the Company. Mr Kulkarni failed to transfer his sole share in the Company to Gwent and on 28 August 2020, the Company served on Mr Kulkarni a notice to terminate the SHA alleging it was fundamentally flawed as Mr Kulkarni never actually held the full 1,652 A Shares allocated to him, and he only held 1 A share. The Company had also allotted Mr Kulkarni's 1,651 A Shares to Gwent.

Mr Kulkarni claimed Gwent had breached the SHA by (i) procuring the Company to allot the 1,651 A shares to itself; (ii) causing the Company to allot 2,000 B shares to itself: (iii) purporting to terminate the SHA (as above); and (iv) refusing to recognise Mr Kulkarni's appointment of Mr Hussain as a director of the Company (an appointment which Mr Kulkarni was entitled to make under the SHA). Accordingly, Mr Kulkarni argued that Gwent was deemed to have served a Transfer Notice under clause 7.1(d).

By the trial, Gwent had admitted that the first and third breaches were repudiatory and that the second breach was material. The High Court agreed that Gwent had breached the SHA and found all four breaches to be material and persistent. However, it found that all the breaches were remediable and had been remedied by Gwent returning the shares to the Company (which were then paid for by, and transferred to, Mr Kulkarni) and approving Mr Hussain's appointment. Similarly, the purported termination had "charged nothing" in practical terms as it was ineffective in law and Mr Kulkarni never accepted the repudiatory breach. Mr Kulkarni appealed against the Judgment.

The High Court also found that as no notice to remedy had been served, as required by clause 7.1(d), the 10 business day period to remedy had not started and could not have expired, accordingly no Transfer Notice was deemed served.

The decision

The main issue for the Court of Appeal (the Court) was whether Gwent was deemed to have served a Transfer Notice under clause 7.1(d) of the SHA, notwithstanding that the breaches had been remedied and no notice to remedy had been served. The Court also considered whether a repudiatory breach of the SHA was incapable of remedy.

Clause 7.1(d) of the SHA provided:

"A Shareholder is deemed to have served a Transfer Notice under clause 6.4 immediately before any of the following events:

…

(d)  the Shareholder committing a material or persistent breach of this agreement which, if capable of remedy, has not been so remedied within 10 Business Days of notice to remedy the breach being served by the Board (acting with Shareholder Consent)."

Mr Kulkarni argued that remediation was irrelevant and that a "material or persistent" breach triggered a Deemed Transfer Notice, subject to reversal only if the Company served a notice to remedy the breach (and the breach was cured within 10 business days). The Court rejected this interpretation, holding that a Deemed Transfer Notice only arises where breach is not remedied within 10 business days following service of a notice to remedy. The Court further noted that clause 6.7 expressly precluded withdrawal of a Deemed Transfer Notice, and emphasised that, given the consequence of a Deemed Transfer Notice was to compel the wrongdoing shareholder to transfer his shares and potentially for a lower price than what was paid, a narrower interpretation of clause 7.1 was appropriate. There may, however, be other remedies available: an innocent shareholder may be able to accept a repudiatory breach, claim damages for loss or seek relief for unfair prejudice under s.994 of the Companies Act 1996.

The Court also dismissed Mr Kulkarni's argument that repudiatory breaches are inherently incapable of remedy for the purposes of clause 7.1(d) and so there was no need to serve a notice to remedy. The Court noted that had this been the parties' intention, they could have (i) stated in the SHA that a repudiatory breach would be considered irremediable (which they did not do, and in fact, there was no reference to the word "repudiatory"); and (ii) drawn a distinction between repudiatory and other breaches (e.g. for the purposes of remediation). Clause 7.1(d) was drafted such that a "material or persistent" breach (which may or may not be repudiatory in nature) would be "capable of remedy". Drawing on established authorities, including Schuler v Wickman, the Court affirmed that when deciding whether a breach of contract is "capable of remedy" for the purposes of a contractual provision or a comparable statutory one, a practical approach should be taken, rather than a technical one. Ultimately, the Court upheld the lower court's findings that Gwent's breaches were remediable and had in fact been remedied. Whether or not remediation could have occurred within 10 business days was immaterial, as a notice to remedy had not been served.

Why is this important?

The Court has affirmed that, repudiatory breaches are not automatically incapable of remedy for the purposes of interpreting contractual provisions referring to remediable and irremediable breaches.

Rather, the remendability of a breach should be determined by way of a practical assessment, taking into consideration all the facts and whether the breach can be put right for the future. This principle is well-established in case law.

The court also emphasised that contractual transfer clauses in shareholder agreements should be narrowly interpreted, particularly where the transfer consequences on wrongdoing shareholders are punitive. The harsher the consequences, the clearer and more exact the clause wording must be.

Any practical tips?

Where the parties to contractual agreements intend repudiatory breaches to be irremediable, an express clause to this effect must be included in the contract. Similarly, what constitutes a "material" or "persistent" breach should be clearly defined in the agreement, along with the consequences of such a breach.

Winter 2025

]]>Fri, 02 Jan 2026 15:04:00 ZCommercial casesKulkarni v Gwent Holdings Ltd [2025] EWCA Civ 1206

The question

Is a repudiatory breach incapable of remedy for the purposes of a compulsory transfer clause in a shareholder's agreement?

The key takeaway

Repudiatory breaches of contract are capable of being remedied so any contract drafting should specify if a repudiatory breach is to be considered irremediable. Whether or not a breach is remediable requires a practical assessment of the facts. Technical assessments of the breach are not helpful or necessary.

The background

Mr Kulkarni, a consultant surgeon and medical director at St Joseph's Independent Hospital (the Hospital) partnered with successful businessman Mr Lewis via his investment vehicle Gwent Holdings Limited (Gwent). Together, they agreed to invest in a company (the Company) to acquire the Hospital due to its owner experiencing financial difficulties. On 13 February 2020, Mr Kulkarni, Gwent and the Company entered into a Shareholders Agreement (the SHA) under which Mr Kulkarni was allocated 1,652 A Shares and Gwent was allocated 1,718 A Shares. In practice however, Mr Kulkarni held only one share, having believed he did not need to pay for the remainder.

Clause 3 and Schedule 2 of the SHA stated that certain actions of the Company – such as changes to its share capital or registration of new members – required the "Shareholder Consent" of Mr Kulkarni and Gwent. Clause 6 required shareholders wishing to transfer shares to give a "Transfer Notice" following which the Company would offer the shares to other shareholders for "Fair Value" or, if within 3 years of the SHA, a maximum of the lower of the subscription price paid for each share and the Fair Value of each share. Finally, under clause 7.1(d), a shareholder who commits a "material or persistent breach" of the SHA which, if remediable, has not been remedied within 10 Business Days of notice to remedy the breach, was deemed to have served a Transfer Notice immediately before the breach. Under Clause 6.7, a "Deemed Transfer Notice" "may not be withdrawn".

On 25 June 2020, following an ongoing dispute between Mr Kulkarni and one of the Gwent appointed directors of the Company over hospital management and Covid-19 shielding, Mr Kulkarni resigned as a director and employee of the Company. Mr Kulkarni failed to transfer his sole share in the Company to Gwent and on 28 August 2020, the Company served on Mr Kulkarni a notice to terminate the SHA alleging it was fundamentally flawed as Mr Kulkarni never actually held the full 1,652 A Shares allocated to him, and he only held 1 A share. The Company had also allotted Mr Kulkarni's 1,651 A Shares to Gwent.

Mr Kulkarni claimed Gwent had breached the SHA by (i) procuring the Company to allot the 1,651 A shares to itself; (ii) causing the Company to allot 2,000 B shares to itself: (iii) purporting to terminate the SHA (as above); and (iv) refusing to recognise Mr Kulkarni's appointment of Mr Hussain as a director of the Company (an appointment which Mr Kulkarni was entitled to make under the SHA). Accordingly, Mr Kulkarni argued that Gwent was deemed to have served a Transfer Notice under clause 7.1(d).

By the trial, Gwent had admitted that the first and third breaches were repudiatory and that the second breach was material. The High Court agreed that Gwent had breached the SHA and found all four breaches to be material and persistent. However, it found that all the breaches were remediable and had been remedied by Gwent returning the shares to the Company (which were then paid for by, and transferred to, Mr Kulkarni) and approving Mr Hussain's appointment. Similarly, the purported termination had "charged nothing" in practical terms as it was ineffective in law and Mr Kulkarni never accepted the repudiatory breach. Mr Kulkarni appealed against the Judgment.

The High Court also found that as no notice to remedy had been served, as required by clause 7.1(d), the 10 business day period to remedy had not started and could not have expired, accordingly no Transfer Notice was deemed served.

The decision

The main issue for the Court of Appeal (the Court) was whether Gwent was deemed to have served a Transfer Notice under clause 7.1(d) of the SHA, notwithstanding that the breaches had been remedied and no notice to remedy had been served. The Court also considered whether a repudiatory breach of the SHA was incapable of remedy.

Clause 7.1(d) of the SHA provided:

"A Shareholder is deemed to have served a Transfer Notice under clause 6.4 immediately before any of the following events:

…

(d)  the Shareholder committing a material or persistent breach of this agreement which, if capable of remedy, has not been so remedied within 10 Business Days of notice to remedy the breach being served by the Board (acting with Shareholder Consent)."

Mr Kulkarni argued that remediation was irrelevant and that a "material or persistent" breach triggered a Deemed Transfer Notice, subject to reversal only if the Company served a notice to remedy the breach (and the breach was cured within 10 business days). The Court rejected this interpretation, holding that a Deemed Transfer Notice only arises where breach is not remedied within 10 business days following service of a notice to remedy. The Court further noted that clause 6.7 expressly precluded withdrawal of a Deemed Transfer Notice, and emphasised that, given the consequence of a Deemed Transfer Notice was to compel the wrongdoing shareholder to transfer his shares and potentially for a lower price than what was paid, a narrower interpretation of clause 7.1 was appropriate. There may, however, be other remedies available: an innocent shareholder may be able to accept a repudiatory breach, claim damages for loss or seek relief for unfair prejudice under s.994 of the Companies Act 1996.

The Court also dismissed Mr Kulkarni's argument that repudiatory breaches are inherently incapable of remedy for the purposes of clause 7.1(d) and so there was no need to serve a notice to remedy. The Court noted that had this been the parties' intention, they could have (i) stated in the SHA that a repudiatory breach would be considered irremediable (which they did not do, and in fact, there was no reference to the word "repudiatory"); and (ii) drawn a distinction between repudiatory and other breaches (e.g. for the purposes of remediation). Clause 7.1(d) was drafted such that a "material or persistent" breach (which may or may not be repudiatory in nature) would be "capable of remedy". Drawing on established authorities, including Schuler v Wickman, the Court affirmed that when deciding whether a breach of contract is "capable of remedy" for the purposes of a contractual provision or a comparable statutory one, a practical approach should be taken, rather than a technical one. Ultimately, the Court upheld the lower court's findings that Gwent's breaches were remediable and had in fact been remedied. Whether or not remediation could have occurred within 10 business days was immaterial, as a notice to remedy had not been served.

Why is this important?

The Court has affirmed that, repudiatory breaches are not automatically incapable of remedy for the purposes of interpreting contractual provisions referring to remediable and irremediable breaches.

Rather, the remendability of a breach should be determined by way of a practical assessment, taking into consideration all the facts and whether the breach can be put right for the future. This principle is well-established in case law.

The court also emphasised that contractual transfer clauses in shareholder agreements should be narrowly interpreted, particularly where the transfer consequences on wrongdoing shareholders are punitive. The harsher the consequences, the clearer and more exact the clause wording must be.

Any practical tips?

Where the parties to contractual agreements intend repudiatory breaches to be irremediable, an express clause to this effect must be included in the contract. Similarly, what constitutes a "material" or "persistent" breach should be clearly defined in the agreement, along with the consequences of such a breach.

Winter 2025

]]>{30198099-CCB3-46AA-ACBC-EBC9FE499B5B}https://www.rpclegal.com/snapshots/advertising-and-marketing/winter-2025/asa-publishes-results-of-cutting-edge-trial-using-ai-to-monitor-alcohol-ads/The question

How will AI-driven monitoring by the ASA change the advertising landscape?

The key takeaway

AI assessments enhance the speed and scale at which the ASA can identify non-compliant advertising. This development is likely to lead to an increase in proactive enforcement and less reliance on complaint-driven investigations. Staying ahead requires rigorous CAP Code adherence by advertisers and proactive risk checks to avoid being flagged by automated systems.

The background

The Advertising Standards Authority (ASA) has published the findings of its recent trial integrating cutting-edge AI in the assessment of online advertising for alcohol.

Using its internal Active Ad Monitoring system, the trial captured nearly 6,000 paid ads served to UK consumers over a one month period through social media, search, and display channels in early 2025. The ads were then evaluated by large language models (LLMs) capable of interpreting and applying the rules set out in Section 18 (‘Alcohol’) of the CAP Code. As part of its review, the LLMs (also referred to as ‘AI agents’) highlighted ‘probable non-compliant content’ warranting further human review.

The ASA report states that: “overall compliance was very encouraging: 96% of ads were likely compliant with the CAP Code, with just 1-3% (101 total) assessed as likely non-compliant, with the remainder being ambiguous requiring further investigation". The rate of non-compliance was significantly higher within the alcohol-free category (also monitored under Section 18 regulations). In this category, 48% of ads were assessed as having compliance issues.

Though largely a success, the trial highlighted the LLMs’ limitations. “While they can spot clear-cut rule breaches with impressive speed and consistency, they do not possess the same depth of judgement or contextual reasoning as human experts. As a result, the tool tended to flag many potential breaches - a significant proportion of which were ultimately judged not to be problematic upon closer (human) inspection.”

The development

The trial showed that the majority of ads within the sector are compliant, but the significant win was its illustration of AI’s ability to identify potential non-compliance with the Code at scale. The ASA’s aim of discovering whether AI could effectively flag a range of potential breaches was demonstrated through the LLM’s ability to systematically assess thousands of ads in minutes – significantly surpassing the capacity of a human team.

Why is this important?

The success of this trial has prompted further investment in the ASA’s Active Ad Monitoring system. Widespread implementation of tech-assisted assessment is expected to result in increased speed in issue identification, increased ASA responsiveness to noncompliance, and the ability to more swiftly recognise critical areas of advertising that may require increased enforcement, clarity, or guidance.

The automated boost in the scale and speed at which the ASA assesses ads for compliance will reduce the ASA’s reliance on complaint-driven investigations and spur the ASA’s ability to proactively identify breaches that require further investigation.

Any practical tips?

Though this trial highlighted the potential for AI review, it also identified its limitations. Preliminary LLM review easily spotted clear-cut breaches of the CAP code, but was less accurate in assessing the compliance of ‘borderline’ advertisements. To ensure compliance at the preliminary assessment, advertisers should strictly adhere to the CAP Code(s) regulating advertising in their sector. This means:

• staying alert and adaptable to CAP Code revisions, formal guidance, and ASA rulings;
• stress testing ads against recent ASA rulings to attempt to determine whether ads might survive ASA scrutiny; and
• surpassing minimum requirements by prioritising clarity, transparency, and full disclosure of material consumer information.

Winter 2025

]]>Fri, 02 Jan 2026 14:18:00 ZAdvertising & marketingOliver BrayThe question

How will AI-driven monitoring by the ASA change the advertising landscape?

The key takeaway

AI assessments enhance the speed and scale at which the ASA can identify non-compliant advertising. This development is likely to lead to an increase in proactive enforcement and less reliance on complaint-driven investigations. Staying ahead requires rigorous CAP Code adherence by advertisers and proactive risk checks to avoid being flagged by automated systems.

The background

The Advertising Standards Authority (ASA) has published the findings of its recent trial integrating cutting-edge AI in the assessment of online advertising for alcohol.

Using its internal Active Ad Monitoring system, the trial captured nearly 6,000 paid ads served to UK consumers over a one month period through social media, search, and display channels in early 2025. The ads were then evaluated by large language models (LLMs) capable of interpreting and applying the rules set out in Section 18 (‘Alcohol’) of the CAP Code. As part of its review, the LLMs (also referred to as ‘AI agents’) highlighted ‘probable non-compliant content’ warranting further human review.

The ASA report states that: “overall compliance was very encouraging: 96% of ads were likely compliant with the CAP Code, with just 1-3% (101 total) assessed as likely non-compliant, with the remainder being ambiguous requiring further investigation". The rate of non-compliance was significantly higher within the alcohol-free category (also monitored under Section 18 regulations). In this category, 48% of ads were assessed as having compliance issues.

Though largely a success, the trial highlighted the LLMs’ limitations. “While they can spot clear-cut rule breaches with impressive speed and consistency, they do not possess the same depth of judgement or contextual reasoning as human experts. As a result, the tool tended to flag many potential breaches - a significant proportion of which were ultimately judged not to be problematic upon closer (human) inspection.”

The development

The trial showed that the majority of ads within the sector are compliant, but the significant win was its illustration of AI’s ability to identify potential non-compliance with the Code at scale. The ASA’s aim of discovering whether AI could effectively flag a range of potential breaches was demonstrated through the LLM’s ability to systematically assess thousands of ads in minutes – significantly surpassing the capacity of a human team.

Why is this important?

The success of this trial has prompted further investment in the ASA’s Active Ad Monitoring system. Widespread implementation of tech-assisted assessment is expected to result in increased speed in issue identification, increased ASA responsiveness to noncompliance, and the ability to more swiftly recognise critical areas of advertising that may require increased enforcement, clarity, or guidance.

The automated boost in the scale and speed at which the ASA assesses ads for compliance will reduce the ASA’s reliance on complaint-driven investigations and spur the ASA’s ability to proactively identify breaches that require further investigation.

Any practical tips?

Though this trial highlighted the potential for AI review, it also identified its limitations. Preliminary LLM review easily spotted clear-cut breaches of the CAP code, but was less accurate in assessing the compliance of ‘borderline’ advertisements. To ensure compliance at the preliminary assessment, advertisers should strictly adhere to the CAP Code(s) regulating advertising in their sector. This means:

• staying alert and adaptable to CAP Code revisions, formal guidance, and ASA rulings;
• stress testing ads against recent ASA rulings to attempt to determine whether ads might survive ASA scrutiny; and
• surpassing minimum requirements by prioritising clarity, transparency, and full disclosure of material consumer information.

Winter 2025

]]>{1A4C81BA-8A1D-4AB1-B04A-598547704861}https://www.rpclegal.com/snapshots/advertising-and-marketing/winter-2025/beware-countdown-clocks-and-broad-superiority-messaging-following-hammonds-furniture-asa-ruling/The question

How much care needs to be taken with countdown timers and "best price" claims, and what evidence is required to substantiate comparative price and quality claims?

The key takeaway

The ASA confirmed that countdown timers must accurately reflect the full scope of the promotion to which they relate and must not imply that an entire offer is ending when only part expires. It also warned that comparative price claims involving bespoke or non-like-for-like services are high risk and may be impossible to substantiate or verify. Broad claims of price or quality superiority require robust, contemporaneous evidence.

The background

On 8 October 2025, the ASA upheld complaints against Hammonds Furniture Ltd following a challenge by a competitor. The case focused on whether promotional countdown timers misled consumers and whether broad comparative claims about price and quality could be substantiated. The challenged claims were "we won't be beaten on quality and price" and "we can offer you better quality furniture at a price others can't beat". The ASA assessed these by reference to how the average consumer would understand them, rather than Hammonds’ internal intent.

The development

The ASA upheld three challenges against Hammonds Furniture (Hammonds). The ruling builds on existing principles but sharpens how they apply in practice:

1. Countdown timers must align with the true scope of the offer

   Hammonds ran a banner stating “Up to 40% off selected finishes + an extra 5% – offer ends in [countdown]”.
   The ASA found that the banner gave the impression of a single, unified promotion ending imminently when, in reality, only the additional 5% element was expiring while the wider discount continued. Countdown timers cannot be used to exaggerate the scope of what is ending, particularly where they are likely to create artificial urgency and pressure consumers into making quick decisions.

2. Broad “won’t be beaten on price” claims still require full, objective substantiation

   A separate webpage on the Hammonds website claimed, “We won’t be beaten on […] price” and “we can offer you better quality furniture at a price others can’t beat”. The ASA confirmed that general price superiority claims are treated as objective claims, not price-match promises, unless clearly explained. Hammonds conducted only seven price searches against a single competitor group, which the ASA considered insufficient evidence of sustained and robust market-wide price monitoring. Limited spot-checks against one competitor will not meet the evidential threshold for broad “best price” claims.

3. Bespoke services create a verifiability problem

Where products or services are bespoke and not capable of like-for-like comparison, the ASA confirmed that comparative price claims may be inherently difficult, or even impossible, to substantiate and verify. Hammonds argued that it could not make direct comparisons because its furniture was bespoke. The ASA accepted that this may be true of bespoke services but held that this meant the claims should not have been made at all, because consumers could not realistically verify them.

Why is this important?

The Hammond ruling reinforces the ASA's increasingly strict approach to both artificial urgency techniques and broad price superiority messaging. Even common marketing language such as “won’t be beaten on price” is treated as an objective, evidence-based claim unless clearly confined or explained. For businesses offering bespoke or highly variable services, the decision highlights that some comparative claims may be inherently impossible to substantiate, and therefore too risky to deploy in advertising at all.

Any practical tips?

Businesses should:

• ensure countdown timers relate precisely to the element of the promotion that is expiring;
• avoid broad superiority claims unless supported by systematic, up-to-date market monitoring;
• ·only make comparative claims that consumers can realistically verify from the advert itself; and
• retain robust documentary evidence in anticipation of regulatory scrutiny.

Winter 2025

What changes have CAP and BCAP made in their updated guidance on protecting under-18s from gambling and lotteries advertising?

The key takeaway

CAP and BCAP have updated their 2022 guidance to provide clearer, more detailed expectations for assessing when gambling or lottery ads carry a “strong appeal” to under-18s. The revised Guidance places greater emphasis on social-media influence, sports associations, follower demographics, and contextual factors. Marketers must now undertake a more rigorous assessment to ensure that ads do not inadvertently target or appeal to minors.

The background

In 2022, CAP replaced the previous “particular appeal” test with the stricter “strong appeal” standard, prohibiting content that is likely to resonate powerfully with under-18s regardless of adult appeal. Following two years of enforcement experience, stakeholder feedback and new research, CAP has issued updated Guidance to help advertisers understand how modern trends - particularly social-media culture and sport - influence youth appeal.

The update aims to clarify risk categories, address evolving online behaviours, and provide practical tools for compliance.

The development

The Guidance now begins with a practical checklist to help advertisers identify and mitigate strong-appeal risks. Key updates include:

1. Reinforced “black-letter” rules: Advertisers must continue to comply with strict prohibitions, including:

• no featuring individuals aged under 25 in gambling or lottery ads (subject to narrow exceptions); and
• the 25% audience threshold, ensuring ads are not targeted at media where under-18s comprise more than 25% of the audience.

2. Updated high-risk content indicators: CAP highlights content types that are particularly likely to appeal strongly to under-18s, including:

• animations, cartoon styles and video-game-inspired graphics,
• youth-culture references, memes or influencer-driven trends, and
• themes or aesthetics common to games popular among under-18s.

3. Clearer categories of inherently high-appeal activities: Certain activities are treated as high risk by default, including:

• football (especially top-tier UK clubs and national teams),
• eSports,
• scratchcards, and
• online games with mechanics or characters attractive to younger audiences.

Where these are referenced at all, advertisers must limit references to generic, low-appeal depictions.

4. Refined casting guidance and risk tiers: The Guidance significantly expands the rules relating to individuals featured in ads, dividing them into risk categories:

• High-risk: leading eSports players; children’s TV or film personalities; individuals with a substantial under-18 social-media following; UK top-tier or national-team footballers; and sportspeople associated with sports popular among under-18s.
• Moderate-risk: mid-tier footballers, retired footballers now in punditry (depending on profile), lower-profile international footballers, and sportspeople in adult-centric sports who nonetheless have wide youth recognition.
• Low-risk: non-league or lower-league footballers, long-retired players with minimal public profile, and sportspeople involved in sports with negligible under-18 participation.

5. Social-media influence and follower demographics: CAP introduces a 100,000 under-18 follower benchmark across platforms as an indicator of strong youth appeal. This is not determinative:

• a personality may still be considered high-risk with fewer followers, and
• a personality with more than 100,000 under-18 followers may be permitted if contextual factors show low appeal.

CAP also warns that actual under-18 follower numbers are likely to be higher due to mis-reported ages and that UK-specific follower data is often limited.

6. Contextual factors and media placement: The “strong appeal” rules do not apply where advertisers can essentially guarantee under-18s will not be exposed to the ad (e.g., certain strictly age-gated media). Situational context - including tone, visuals and placement - remains critical.

Why is this important?

The updated Guidance reflects the fast-evolving influence of social media and sport on youth audiences. It significantly narrows the scope for compliant gambling and lottery advertising by:

• expanding categories considered inherently risky,
• raising expectations around evidence gathering (including follower demographics), and
• emphasising contextual and presentation-driven risks.

Marketers must demonstrate a robust, well-documented assessment of youth appeal for every campaign. Ads featuring popular personalities, sports associations or online-culture references are now more likely to face scrutiny - and removal - if they risk engaging under-18s.

Any practical tips?

• Carry out thorough audience analysis for any personality featured in ads, paying close attention to follower demographics, platform insights and emerging viral trends.
• Maintain comprehensive audit trails, including justification for casting and content decisions, to support compliance if challenged by the ASA.
• Assess situational context - music, tone, visual style and placement - not just the individuals featured.
• Review ads regularly after publication, as personalities can quickly gain youth appeal due to viral moments.
• Treat the Guidance as a risk framework, not a checklist: individual cases will always depend on the ad's overall impression.

Winter 2025

]]>Fri, 02 Jan 2026 14:18:00 ZAdvertising & marketingOliver BrayThe question

What changes have CAP and BCAP made in their updated guidance on protecting under-18s from gambling and lotteries advertising?

The key takeaway

CAP and BCAP have updated their 2022 guidance to provide clearer, more detailed expectations for assessing when gambling or lottery ads carry a “strong appeal” to under-18s. The revised Guidance places greater emphasis on social-media influence, sports associations, follower demographics, and contextual factors. Marketers must now undertake a more rigorous assessment to ensure that ads do not inadvertently target or appeal to minors.

The background

In 2022, CAP replaced the previous “particular appeal” test with the stricter “strong appeal” standard, prohibiting content that is likely to resonate powerfully with under-18s regardless of adult appeal. Following two years of enforcement experience, stakeholder feedback and new research, CAP has issued updated Guidance to help advertisers understand how modern trends - particularly social-media culture and sport - influence youth appeal.

The update aims to clarify risk categories, address evolving online behaviours, and provide practical tools for compliance.

The development

The Guidance now begins with a practical checklist to help advertisers identify and mitigate strong-appeal risks. Key updates include:

1. Reinforced “black-letter” rules: Advertisers must continue to comply with strict prohibitions, including:

• no featuring individuals aged under 25 in gambling or lottery ads (subject to narrow exceptions); and
• the 25% audience threshold, ensuring ads are not targeted at media where under-18s comprise more than 25% of the audience.

2. Updated high-risk content indicators: CAP highlights content types that are particularly likely to appeal strongly to under-18s, including:

• animations, cartoon styles and video-game-inspired graphics,
• youth-culture references, memes or influencer-driven trends, and
• themes or aesthetics common to games popular among under-18s.

3. Clearer categories of inherently high-appeal activities: Certain activities are treated as high risk by default, including:

• football (especially top-tier UK clubs and national teams),
• eSports,
• scratchcards, and
• online games with mechanics or characters attractive to younger audiences.

Where these are referenced at all, advertisers must limit references to generic, low-appeal depictions.

4. Refined casting guidance and risk tiers: The Guidance significantly expands the rules relating to individuals featured in ads, dividing them into risk categories:

• High-risk: leading eSports players; children’s TV or film personalities; individuals with a substantial under-18 social-media following; UK top-tier or national-team footballers; and sportspeople associated with sports popular among under-18s.
• Moderate-risk: mid-tier footballers, retired footballers now in punditry (depending on profile), lower-profile international footballers, and sportspeople in adult-centric sports who nonetheless have wide youth recognition.
• Low-risk: non-league or lower-league footballers, long-retired players with minimal public profile, and sportspeople involved in sports with negligible under-18 participation.

5. Social-media influence and follower demographics: CAP introduces a 100,000 under-18 follower benchmark across platforms as an indicator of strong youth appeal. This is not determinative:

• a personality may still be considered high-risk with fewer followers, and
• a personality with more than 100,000 under-18 followers may be permitted if contextual factors show low appeal.

CAP also warns that actual under-18 follower numbers are likely to be higher due to mis-reported ages and that UK-specific follower data is often limited.

6. Contextual factors and media placement: The “strong appeal” rules do not apply where advertisers can essentially guarantee under-18s will not be exposed to the ad (e.g., certain strictly age-gated media). Situational context - including tone, visuals and placement - remains critical.

Why is this important?

The updated Guidance reflects the fast-evolving influence of social media and sport on youth audiences. It significantly narrows the scope for compliant gambling and lottery advertising by:

• expanding categories considered inherently risky,
• raising expectations around evidence gathering (including follower demographics), and
• emphasising contextual and presentation-driven risks.

Marketers must demonstrate a robust, well-documented assessment of youth appeal for every campaign. Ads featuring popular personalities, sports associations or online-culture references are now more likely to face scrutiny - and removal - if they risk engaging under-18s.

Any practical tips?

• Carry out thorough audience analysis for any personality featured in ads, paying close attention to follower demographics, platform insights and emerging viral trends.
• Maintain comprehensive audit trails, including justification for casting and content decisions, to support compliance if challenged by the ASA.
• Assess situational context - music, tone, visual style and placement - not just the individuals featured.
• Review ads regularly after publication, as personalities can quickly gain youth appeal due to viral moments.
• Treat the Guidance as a risk framework, not a checklist: individual cases will always depend on the ad's overall impression.

Winter 2025

]]>{55EF2A19-7E42-4A38-AB07-699E37DB8CB2}https://www.rpclegal.com/snapshots/advertising-and-marketing/winter-2025/cma-and-asa-publish-updated-influencer-guidance-on-social-media-endorsements/The question

How should influencers and online content creators disclose sponsorships and brand relationships to comply with ASA and CMA rules?

The key takeaway

The ASA and CMA have reiterated that any form of incentivised content - including paid partnerships, gifted items, affiliate links, discount codes or self-promotion - must be clearly and prominently identified as advertising. Ambiguous disclosures, hidden labels or reliance on platform tools that are not sufficiently visible may amount to a breach. The ASA can publicly name non-compliant influencers, and the CMA - now armed with enhanced fining powers under the DMCC Act - may impose substantial penalties for consumer-law infringements.

The background

Influencer marketing remains a high-risk area for consumer-protection enforcement. ASA monitoring has repeatedly shown widespread non-compliance: in some reviews, nearly two-thirds of Instagram Stories containing ads were not labelled clearly. In 2024, the ASA contacted over 150 repeat offenders and continues to receive significant complaints about unclear advertising.

To improve compliance, the ASA and CMA have published updated guidance clarifying how influencers should disclose commercial relationships across social media, consolidating learning from recent rulings and CMA enforcement actions.

The development

The updated guidance confirms three core principles:

1. Incentivised content must be disclosed

If a creator receives payment, a gift, a loaned product, free services, affiliate commission or any other commercial benefit, the post will generally be considered an ad under the CAP Code or a commercial practice under consumer-protection law. Even where the brand has no editorial control, consumer-protection law still requires a clear disclosure because the relationship is material to the audience.

2. No ambiguity is acceptable

Disclosures must be immediate, prominent and easy to understand. Labels such as “#ad”, “advert”, and “paid partnership” are generally acceptable. Vague terms - “collab”, “spon”, “thanks X”, or simply tagging a brand - are not. Disclosures must appear at the start of a caption or be clearly overlaid on visual content, not hidden in hashtags or expandable text.

3. Applies across all formats

The same rules apply to:

• posts and stories;
• reels and videos;
• livestreams and podcasts; and
• blogs, newsletters and longform content.

Creators promoting their own products or services must also label this as advertising.

Are platform disclosure tools sufficient?

Platform tools (e.g., Instagram’s “Paid Partnership” banner) may satisfy disclosure requirements if they are clear, prominent and unavoidable. However, regulators warn that platform tools alone may be insufficient, and creators should use additional explicit labels where needed.

Authenticity and accuracy

Endorsements must reflect genuine experience. Misleading claims or fabricated impressions may breach both advertising standards and consumer-protection law.

Why is this important?

Regulators now view influencer transparency not as a technical formality but as a material consumer-protection issue:

• the ASA may publicly name non-compliant influencers or impose sanctions through its compliance procedures;
• the CMA, equipped with new fining powers under the DMCC Act 2024, may impose penalties of up to 10% of global turnover for serious or repeated consumer-law breaches.

For brands, inadequate influencer disclosures create direct legal liability and significant reputational risk.

Any practical tips?

Organisations should consider:

• using explicit labels such as “ad”, “advert”, “paid partnership”;
• making disclosures immediate and prominent - not buried in hashtags or lengthy captions;
• avoid ambiguous terminology;
• ensuring influencer contracts require compliance and provide clear instructions on disclosure obligations;
• auditing influencers' content regularly and provide training where needed;
• maintaining records of gifted products, affiliate arrangements and approvals; and
• seeking legal advice where promotional claims risk being treated as exaggerated or misleading.

Winter 2025

• The House of Commons published a report on their briefing regarding fossil fuel advertising, climate misinformation, UK policy, regulatory responses, and stakeholder views.
• Debating whether the advertising of fossil fuels should be banned, MPs in favour of a ban argued that it would signal the UK taking its role in climate leadership seriously. Public health arguments were also made. For those in opposition, freedom of expression and commercial impacts on the UK's energy industry were key concerns.

Energy suppliers’ green claims under scrutiny as new rankings revealed

• The newly launched Matched Clean Power Index allows consumers to see how much of the energy they pay for is actually renewable. The platform provides insight into hourly renewable supply, debunking claims of 100% renewable energy from certain suppliers.

Twenty-one European airlines commit to change their practices regarding misleading environmental claims

• Following dialogue with the European Commission and the Consumer Protetion Cooperation (CPC) Network, the airlines, which includes EasyJet, Ryanair, Vueling, and Air France, have agreed to stop claiming that the CO2 emissions of a specific flight could be neutralised, offset, or directly reduced by consumer financial contributions to climate protection projects or by the use of alternative aviation fuels.
• The airlines have also agreed to stop using "vague green language or terminology" and implied environmental claims. A full list of the airlines involved and the commitments can be found here.

New UK legislation introduced to regulate ESG rating providers

• The UK government has finalised new legislation, The Financial Services and Markets Act 2000 (Regulated Activities) (ESG Ratings) Order 2025, granting the FCA powers to regulate the ESG rating providers to ensure that there are transparent, reliable and comparable ESG ratings.
• Alongside this new legislation, the FCA has also been developing its regime for ESG ratings which it intends to consult on before the end of the year.

 Series of ASA rulings against the fashion sector

• Nike, Superdry and Lacoste have all been found to have made misleading green claims in various paid-for Google ads. As we've seen before, the offending claims included terms such as "sustainable materials", "sustainable style", "sustainable clothing" and "sustainable & elegant clothing" etc.
• These are the first green claims rulings against brands in the fashion retail sector that we've seen in the UK since the CMA's sector-specific investigation and guidance in September last year. It's also interesting to see that the ASA has taken up the mantle as they have typically not enforced against companies in this sector (instead leaving this to the CMA). The ASA has said that these rulings are "part of a wider piece of work investigating environmental claims in the retail fashion sector" so we may see further enforcement work by them in this space. (Notably the CMA has gone very quiet on the green claims front). As is par for the course now, the ads were identified using the ASA's Active Ad Monitoring System.
• In response to the ASA, Nike, Superdry and Lacoste each highlighted lots of positive work they are doing to reduce the environmental impact of their products (including in line with external standards like the Textiles Exchange) and pointed out that further information about their sustainability efforts was available on their websites/ products listings. However, because the claims were broad, absolute and ambiguous, and none of the brands could show that their products had no detrimental impact on the environment across the full product lifecycle, they were found to be misleading.

ASA Ruling on Assured Food Standards t/a Red Tractor

• The ASA has ruled that a television advert for the Assured Food Standards' Red Tractor Scheme (RT) misleadingly implied that all products carrying the Red Tractor Logo meet certain environmental standards.
• RT assured quality standards apply primarily to farming standards, animal welfare and food traceability.
• The advert contained a poster with the RT logo and the text "CERTIFIED STANDARDS", as well as the following voice-over rhyme: "Farmed with care, that's the Red Tractor way. A label to trust, found on food every day. This promise is kept by the checks put in place, to care for our animals with the right food and space. Our cows have a health plan, and a personal vet, from field to store all our standards are met. When the Red Tractor's there, your food's farmed with care."
• In reaching a conclusion, the ASA considered the average, reasonably well-informed, customer's interpretation of the ad. It also assessed the impact of using unsubstantiated, absolute claims, such as "all our standards are met".
• The following implications should be considered:
• Broad or absolute claims such as "sustainable" and "high environmental standards" are likely to be scrutinised and must be supported by robust evidence.
• Failure to substantiate such claims can result in ASA intervention, reputational risk, and the need to withdraw or amend marketing materials.

Big Tech sustainability marketing under scrutiny

• Last month, global research and advisory firm Forrester Research predicted that 2026 will mark a watershed for environmental sustainability, distinguishing between performative and authentic initiatives. Consequently, Computer Weekly's IT Sustainability Think Tank has identified red flags in Big Tech's sustainability marketing. The sentiment of the ASA RT ruling is echoed, with vague metrics, '100% renewable' claims by certificate alone, overreliance on metrics and broad, unsubstantiated language all being listed.

 Winter 2025

]]>Fri, 02 Jan 2026 14:18:00 ZAdvertising & marketingOliver BrayHouse of Commons Research Briefing: Fossil fuels, advertising and 'greenwashing'

• The House of Commons published a report on their briefing regarding fossil fuel advertising, climate misinformation, UK policy, regulatory responses, and stakeholder views.
• Debating whether the advertising of fossil fuels should be banned, MPs in favour of a ban argued that it would signal the UK taking its role in climate leadership seriously. Public health arguments were also made. For those in opposition, freedom of expression and commercial impacts on the UK's energy industry were key concerns.

Energy suppliers’ green claims under scrutiny as new rankings revealed

• The newly launched Matched Clean Power Index allows consumers to see how much of the energy they pay for is actually renewable. The platform provides insight into hourly renewable supply, debunking claims of 100% renewable energy from certain suppliers.

Twenty-one European airlines commit to change their practices regarding misleading environmental claims

• Following dialogue with the European Commission and the Consumer Protetion Cooperation (CPC) Network, the airlines, which includes EasyJet, Ryanair, Vueling, and Air France, have agreed to stop claiming that the CO2 emissions of a specific flight could be neutralised, offset, or directly reduced by consumer financial contributions to climate protection projects or by the use of alternative aviation fuels.
• The airlines have also agreed to stop using "vague green language or terminology" and implied environmental claims. A full list of the airlines involved and the commitments can be found here.

New UK legislation introduced to regulate ESG rating providers

• The UK government has finalised new legislation, The Financial Services and Markets Act 2000 (Regulated Activities) (ESG Ratings) Order 2025, granting the FCA powers to regulate the ESG rating providers to ensure that there are transparent, reliable and comparable ESG ratings.
• Alongside this new legislation, the FCA has also been developing its regime for ESG ratings which it intends to consult on before the end of the year.

 Series of ASA rulings against the fashion sector

• Nike, Superdry and Lacoste have all been found to have made misleading green claims in various paid-for Google ads. As we've seen before, the offending claims included terms such as "sustainable materials", "sustainable style", "sustainable clothing" and "sustainable & elegant clothing" etc.
• These are the first green claims rulings against brands in the fashion retail sector that we've seen in the UK since the CMA's sector-specific investigation and guidance in September last year. It's also interesting to see that the ASA has taken up the mantle as they have typically not enforced against companies in this sector (instead leaving this to the CMA). The ASA has said that these rulings are "part of a wider piece of work investigating environmental claims in the retail fashion sector" so we may see further enforcement work by them in this space. (Notably the CMA has gone very quiet on the green claims front). As is par for the course now, the ads were identified using the ASA's Active Ad Monitoring System.
• In response to the ASA, Nike, Superdry and Lacoste each highlighted lots of positive work they are doing to reduce the environmental impact of their products (including in line with external standards like the Textiles Exchange) and pointed out that further information about their sustainability efforts was available on their websites/ products listings. However, because the claims were broad, absolute and ambiguous, and none of the brands could show that their products had no detrimental impact on the environment across the full product lifecycle, they were found to be misleading.

ASA Ruling on Assured Food Standards t/a Red Tractor

• The ASA has ruled that a television advert for the Assured Food Standards' Red Tractor Scheme (RT) misleadingly implied that all products carrying the Red Tractor Logo meet certain environmental standards.
• RT assured quality standards apply primarily to farming standards, animal welfare and food traceability.
• The advert contained a poster with the RT logo and the text "CERTIFIED STANDARDS", as well as the following voice-over rhyme: "Farmed with care, that's the Red Tractor way. A label to trust, found on food every day. This promise is kept by the checks put in place, to care for our animals with the right food and space. Our cows have a health plan, and a personal vet, from field to store all our standards are met. When the Red Tractor's there, your food's farmed with care."
• In reaching a conclusion, the ASA considered the average, reasonably well-informed, customer's interpretation of the ad. It also assessed the impact of using unsubstantiated, absolute claims, such as "all our standards are met".
• The following implications should be considered:
• Broad or absolute claims such as "sustainable" and "high environmental standards" are likely to be scrutinised and must be supported by robust evidence.
• Failure to substantiate such claims can result in ASA intervention, reputational risk, and the need to withdraw or amend marketing materials.

Big Tech sustainability marketing under scrutiny

• Last month, global research and advisory firm Forrester Research predicted that 2026 will mark a watershed for environmental sustainability, distinguishing between performative and authentic initiatives. Consequently, Computer Weekly's IT Sustainability Think Tank has identified red flags in Big Tech's sustainability marketing. The sentiment of the ASA RT ruling is echoed, with vague metrics, '100% renewable' claims by certificate alone, overreliance on metrics and broad, unsubstantiated language all being listed.

 Winter 2025

]]>{BAE82DBC-A735-45A9-A97E-D17CF557F970}https://www.rpclegal.com/snapshots/consumer/winter-2025/cma-launches-first-dmcca-enforcement-cases-and-finalises-price-transparency-guidance/The question

What enforcement action has the CMA taken under the Digital Markets, Competition and Consumers Act (DMCCA), and what are the key updates in its finalised price transparency guidance?

The key takeaway

The CMA has opened its first enforcement cases under the DMCCA, targeting businesses suspected of misleading pricing practices such as drip pricing, hidden fees and misleading countdown timers. Alongside this, the CMA has published its final price transparency guidance, setting clearer expectations on how mandatory charges and time-limited offers must be presented. Businesses should urgently review their pricing practices: non-compliance may now trigger direct fines of up to 10% of global annual turnover.

The background

The DMCCA came into force on 6 April 2025, strengthening the UK’s consumer protection framework and expanding the CMA’s powers. Key changes include:

• modernising the unfair commercial practices rules;
• enabling the CMA to impose direct administrative penalties, rather than pursuing lengthy court action; and
• creating a new enforcement regime capable of issuing fines up to £300,000 or 10% of global turnover.

As part of its implementation work, the CMA reviewed the practices of more than 400 businesses across 19 sectors and identified concerns in 14, including high-risk issues such as drip pricing and artificially urgent countdown timers.

The development

On 18 November 2025, the CMA unveiled a “package of action” comprising both enforcement and updated guidance.

First DMCCA investigations launched

The CMA has opened formal investigations into eight businesses for suspected breaches of consumer protection law:

• StubHub, viagogo, AA Driving School and BSM Driving School - suspected drip pricing, specifically whether mandatory fees were excluded from headline prices;
• Gold’s Gym - whether joining fees were disclosed only late in the sign-up journey rather than in the advertised membership price;
• Wayfair - whether time-limited sales ended when advertised;
• Marks Electrical - whether customers were automatically opted into add-on services; and
• Appliances Direct - suspected misleading time-limited sales and automatic opt-ins for additional services.

These investigations represent the first formal enforcement actions under the DMCCA’s enhanced consumer protection powers.

In parallel, the CMA has issued 100 warning letters to businesses across sectors such as homeware, fashion, and food delivery, raising concerns about additional fees and online sales tactics. The CMA has emphasised that early action will target the most harmful practices, especially failures to disclose mandatory charges.

Finalised DMCCA price transparency guidance

The CMA has also issued its final price transparency guidance, clarifying how businesses must present prices and fees. Key updates include:

• Invitation to purchase - the definition is now broader: an invitation to purchase may arise at much earlier stages than previously understood, including search results and early-stage listings. This means pricing obligations may apply before consumers actively engage with a product page;
• Delivery charges: The guidance clarifies how mandatory, optional and variable fees must be displayed:
• mandatory delivery charges must be included in the total headline price;
• optional charges (e.g. paid delivery where free collection exists) must be presented clearly but may be separate from the headline price;
• where all delivery options are paid, the headline price must include the cheapest available option.
• variable mandatory delivery fees (e.g. location-based) must still be disclosed with sufficient prominence and detail for consumers to calculate the final price themselves.
• Periodic pricing: For subscription and minimum-term contracts:
• businesses may present either the total cumulative cost for the full minimum term or the total cost per period, provided minimum commitment periods and fees are stated prominently;
• any additional mandatory charges must be included in the total cumulative or periodic price;
• presenting monthly prices is still permitted, provided the total payable is clear and transparent.

Why is this important?

The CMA’s actions confirm that price transparency is an immediate enforcement priority. Businesses that have not updated their pricing displays, checkout journeys and promotional practices since April 2025 are exposed to significant regulatory and reputational risk. The finalised guidance sets clear standards for compliance, while the new DMCCA regime gives the CMA powerful tools to impose substantial penalties for misleading pricing practices.

Any practical tips?

Businesses should:

• review all pricing journeys - from search results through to checkout - to ensure mandatory charges are included at the earliest stage;
• avoid drip pricing, hidden fees and late-stage disclosures;
• audit time-limited promotions to ensure they end when advertised and do not create artificial urgency;
• check that optional extras are truly optional, and that no consumers are auto-opted into paid services;
• ensure third-party sellers and marketing intermediaries also comply, as brands remain accountable for pricing information provided on their behalf.

Conducting a proactive compliance review now will reduce the risk of enforcement action as the CMA continues to scale its DMCCA activity across the economy.

Winter 2025

How effective are current age-assurance measures, and should app-store operators face direct legal duties to protect children from harmful content?

The key takeaway

Ofcom has launched a call for evidence on the effectiveness, cost and privacy impact of age-assurance solutions, as well as the role of app stores in children’s access to harmful content. The consultation closed on 1 December 2025. Ofcom will now develop two statutory reports which could shape the next phase of Online Safety Act (OSA) regulation, including whether new duties should apply to app-store operators.

The background

The Online Safety Act 2023 (OSA) came into force on 26 October 2023, introducing a new regulatory framework for online services. Under the OSA, certain “user-to-user” and search services must assess whether children are likely to access their service and, if so, comply with obligations designed to protect them from harmful content.

Ofcom’s statutory codes of practice require services within scope to use “highly effective” age-assurance measures when restricting access to the highest-risk categories of content, including pornography and material relating to suicide or self-harm. These measures sit within more than 40 child-safety obligations set out in Ofcom’s codes. Ofcom has also published detailed Part 3 guidance on age-assurance expectations.

Under the OSA, Ofcom must produce statutory reports on (1) age-assurance technologies and (2) app-store safety. The call for evidence feeds into this obligation.

The development

Ofcom’s call for evidence invites views on:

• the practical deployment of age-verification and age-estimation tools;
• the real-world effectiveness of these techniques; and
• barriers to adoption, including cost, technical constraints and privacy risks.

Concurrently, Ofcom is examining the role of app stores in enabling or mitigating access to harmful content. Areas of interest include:

• the types of age-assurance controls currently used by app stores;
• the exposure risks associated with “regulated apps” (such as social-media, search and pornography services); and
• whether there is a case for stronger regulatory oversight of app-store operators under the OSA.

Ofcom will publish its statutory report on age-assurance technologies by mid-2026, and its separate report on app stores by January 2027. Depending on the evidence received, these reports may recommend extensions to the regulatory framework, including potentially bringing app-store operators within scope of certain OSA duties. However, no such extension has yet been proposed or adopted.

Recent enforcement development: First major OSA fine

In a clear signal that Ofcom is moving from supervision to active enforcement, on 4 December 2025, the regulator imposed a £1 million fine - plus a further £50,000 - on a pornography-site operator, AVS Group Ltd, for failing to apply “robust” age verification across its 18 adult websites. Ofcom determined that AVS’s existing age-checking measures failed to reach the high threshold required under the OSA. The company was given 72 hours to implement “highly effective” age assurance or face further daily penalties. According to Ofcom, this is the largest fine to date under the new OSA regime.

Why is this important?

The consultation signals a potentially significant shift in online-safety regulation. If app-store operators become subject to OSA obligations, regulatory responsibility could move upstream, requiring platform distributors—not just content-hosting services—to adopt age-assurance controls and risk-mitigation measures.

For existing platforms, the renewed focus on age verification underscores the need to evaluate whether current tools are:

• effective in practice;
• proportionate and privacy-preserving; and
• sufficiently documented to satisfy Ofcom’s evidential expectations.

If a service falls within the OSA’s scope and fails to comply with relevant duties, enforcement action can include fines of up to £18 million or 10% of global annual turnover. The consultation therefore provides an opportunity for stakeholders to influence how far such duties - and associated penalties - should extend across the online ecosystem.

In addition, Ofcom's recent OSA fine against AVS signals that non-compliance with age-assurance obligations will attract serious enforcement action. This underlines the need for urgency in adopting age-assurance and child-safety measures by all businesses caught by the Act.

Any practical tips?

Businesses should begin preparing by:

• reviewing the robustness of existing age-assurance measures, including accuracy rates, error margins and user experience;
• conducting a privacy impact assessment for any biometric or inference-based age-estimation technique;
• ensuring child-safety controls are aligned with Ofcom’s Part 3 guidance;
• mapping potential impacts if app stores become subject to OSA duties (particularly relevant for platforms dependent on distribution via Apple, Google and alternative stores); and
• monitoring Ofcom’s timetable for the 2026 and 2027 statutory reports, which will inform the next regulatory phase.

Now is a good time for stakeholders to engage - both to shape Ofcom’s approach and to ensure future compliance strategies are fit for purpose. The recent AVS fine adds some urgency to these considerations.

Winter 2025

What does new evidence on the accessibility and risks of skins gambling mean for the future regulation of gaming environments?

The key takeaway

Skins gambling - staking in-game digital items on chance-based games or esports outcomes - has become widespread and easily accessible to young players. The UK Government’s latest evidence review places this activity firmly on the regulatory agenda, reinforcing the likelihood of clearer legal boundaries between gaming and gambling and stronger age-control requirements for game developers and third-party platforms.

The background

“Skins” are in-game cosmetic items that allow players to customise characters, weapons or equipment. Although they do not affect gameplay, some become highly sought after due to rarity and community demand, creating an active secondary market. In certain games, including Counter-Strike 2, Dota 2 and Fortnite, valuable skins trade for significant sums, fuelling a multi-billion-dollar global economy.

Skins gambling occurs when players transfer skins to external websites and use them as stakes on casino-style games, chance mechanics or esports match predictions. Winnings are paid out in skins, which can then be sold - often via cryptocurrency - creating a gambling-like ecosystem operating outside regulated gaming environments.

The development

In September 2025, the Department for Digital, Culture, Media & Sport (DCMS) published a rapid evidence review assessing the scale, accessibility and risks of skins gambling. Key findings include:

• high accessibility and participation: Over 50 skins-gambling websites are accessible from the UK, with an estimated 6.9 million global visits in February 2025 alone;
• independent risk factor: Skins gambling may contribute to gambling-related harm in its own right, rather than merely being a pathway to traditional gambling;
• similarity to regulated gambling platforms: Many sites mirror high-risk design features such as rapid-play casino games, “near misses”, and variable reward cycles;
• significant child exposure: Most sites provide inadequate age verification, and participation among boys aged 11–14 is reported to be high;
• limited enforcement reach: Although certain UK laws may already apply, many operators circumvent oversight by hosting services outside UK jurisdiction.

DCMS makes two initial policy recommendations:

• international regulatory coordination: Governments should work together to classify skins gambling consistently and require robust age verification and harm-prevention measures;
• greater accountability for game developers: Developers should implement age-based safeguards for loot boxes and item-trading systems, limit opportunities for third-party misuse, and reconsider APIs or in-game mechanics that enable external gambling markets.

Why is this important?

The review signals expanding scrutiny of gambling-like features within gaming. It follows earlier UK attention in the Gambling Act Review White Paper, which highlighted concerns around loot boxes and similar mechanics. International bodies - including the European Parliament - are also calling for tighter restrictions on gambling-style features in games accessible to minors.

As policy momentum grows, the regulatory framework for digital gaming environments is likely to evolve. Developers, publishers and platform operators should anticipate greater expectations around age gating, transparency, and the design of in-game economies.

Any practical tips?

Game developers and publishers should:

• map gambling-adjacent features (e.g., loot boxes, item trading, or rarity-based reward systems) and assess whether they could facilitate external gambling activity;
• implement or strengthen age-verification and parental-control mechanisms, particularly where minors form a large share of the player base;
• review APIs and trading systems to identify and mitigate misuse by third-party gambling sites; and
• monitor regulatory developments, both in the UK and internationally, as stronger controls and classification requirements are likely.

Winter 2025

]]>Fri, 02 Jan 2026 11:27:00 ZConsumerOliver BrayThe question

What does new evidence on the accessibility and risks of skins gambling mean for the future regulation of gaming environments?

The key takeaway

Skins gambling - staking in-game digital items on chance-based games or esports outcomes - has become widespread and easily accessible to young players. The UK Government’s latest evidence review places this activity firmly on the regulatory agenda, reinforcing the likelihood of clearer legal boundaries between gaming and gambling and stronger age-control requirements for game developers and third-party platforms.

The background

“Skins” are in-game cosmetic items that allow players to customise characters, weapons or equipment. Although they do not affect gameplay, some become highly sought after due to rarity and community demand, creating an active secondary market. In certain games, including Counter-Strike 2, Dota 2 and Fortnite, valuable skins trade for significant sums, fuelling a multi-billion-dollar global economy.

Skins gambling occurs when players transfer skins to external websites and use them as stakes on casino-style games, chance mechanics or esports match predictions. Winnings are paid out in skins, which can then be sold - often via cryptocurrency - creating a gambling-like ecosystem operating outside regulated gaming environments.

The development

In September 2025, the Department for Digital, Culture, Media & Sport (DCMS) published a rapid evidence review assessing the scale, accessibility and risks of skins gambling. Key findings include:

• high accessibility and participation: Over 50 skins-gambling websites are accessible from the UK, with an estimated 6.9 million global visits in February 2025 alone;
• independent risk factor: Skins gambling may contribute to gambling-related harm in its own right, rather than merely being a pathway to traditional gambling;
• similarity to regulated gambling platforms: Many sites mirror high-risk design features such as rapid-play casino games, “near misses”, and variable reward cycles;
• significant child exposure: Most sites provide inadequate age verification, and participation among boys aged 11–14 is reported to be high;
• limited enforcement reach: Although certain UK laws may already apply, many operators circumvent oversight by hosting services outside UK jurisdiction.

DCMS makes two initial policy recommendations:

• international regulatory coordination: Governments should work together to classify skins gambling consistently and require robust age verification and harm-prevention measures;
• greater accountability for game developers: Developers should implement age-based safeguards for loot boxes and item-trading systems, limit opportunities for third-party misuse, and reconsider APIs or in-game mechanics that enable external gambling markets.

Why is this important?

The review signals expanding scrutiny of gambling-like features within gaming. It follows earlier UK attention in the Gambling Act Review White Paper, which highlighted concerns around loot boxes and similar mechanics. International bodies - including the European Parliament - are also calling for tighter restrictions on gambling-style features in games accessible to minors.

As policy momentum grows, the regulatory framework for digital gaming environments is likely to evolve. Developers, publishers and platform operators should anticipate greater expectations around age gating, transparency, and the design of in-game economies.

Any practical tips?

Game developers and publishers should:

• map gambling-adjacent features (e.g., loot boxes, item trading, or rarity-based reward systems) and assess whether they could facilitate external gambling activity;
• implement or strengthen age-verification and parental-control mechanisms, particularly where minors form a large share of the player base;
• review APIs and trading systems to identify and mitigate misuse by third-party gambling sites; and
• monitor regulatory developments, both in the UK and internationally, as stronger controls and classification requirements are likely.

Winter 2025

]]>{75CDDEC5-A1DE-4C10-BFDE-FB0187B5A069}https://www.rpclegal.com/snapshots/technology-digital/winter-2025/commission-presses-platforms-on-appeals-notice-and-action-and-transparency-under-dsa/The question

What mechanisms has the European Commission established under the Digital Services Act (DSA) to ensure users can appeal content moderation decisions?

The key takeaway

The Commission’s preliminary findings signal that under the DSA, accessible, manipulation‑free reporting and robust appeals are core obligations, so companies should simplify user journeys and strengthen transparency now to avoid facing fines up to 6% of global revenue for shortfalls.

The background

Under the DSA, online platforms operating within the European Union are legally required to establish accessible mechanisms enabling users to contest content moderation decisions, such as the removal of content or the deletion of accounts. This regulatory obligation is designed to promote greater transparency and safeguard users impacted by enforcement actions.

In connection with formal investigations initiated in 2024 into Meta and TikTok’s compliance with the DSA, the European Commission has issued preliminary findings indicating that both companies may have failed to meet the DSA’s standards for transparency and user protection. These findings underscore the critical importance of robust appeal mechanisms and reinforce the necessity for platforms to uphold their obligations under the DSA.

Additionally, the Commission has identified that Facebook, Instagram, and TikTok have imposed unduly burdensome processes for researchers seeking access to public data. These restrictions have resulted in researchers obtaining only partial or unreliable datasets, thereby hindering independent scrutiny and oversight.

Meta and TikTok now have the opportunity to review the Commission’s investigation files and respond in writing to the preliminary findings. They may also address any identified breaches during this process. The European Board for Digital Services will be consulted as part of the ongoing investigation.

It is important to emphasise that these preliminary findings are part of ongoing formal investigations into both companies, and the Commission continues to assess other potential breaches of the DSA. For further details on the DSA’s specific requirements, please see our winter 2024 Snapshots edition here.

The development

The Commission’s preliminary findings highlight concerns regarding the lack of an accessible ‘Notice and Action’ mechanism for users to report illegal content, including child sexual abuse material and terrorist content. The investigation revealed that the current reporting processes on major platforms impose unnecessary steps on users, which may discourage them from flagging harmful material. Additionally, the use of dark patterns and deceptive interface designs was found to confuse and dissuade users, rendering the existing ‘Notice and Action’ mechanisms largely ineffective.

Meta and TikTok’s response will be pivotal for understanding the exact standards platforms are required to provide under the DSA in relation to content moderation. Moreover, the Commission may issue a non-compliance decision resulting in significant penalties, including fines of up to 6% of the companies’ global annual revenue as well as ongoing penalty payments to enforce compliance.

Why is this important?

These preliminary findings matter because they provide an early indication of the Commission’s enforcement priorities under the DSA - namely that usable reporting and appeal pathways are substantive obligations, not design choices. By signalling potential non‑compliance decisions with fines up to 6% of global revenue and periodic penalties the Commission emphasises the cost of dark patterns, friction in reporting, and restricted researcher access. Clarity on these standards will drive product and governance changes across platforms, strengthen transparency and scrutiny, and accelerate accountable content moderation in the EU and beyond.

Any practical tips?

For online platforms, the near‑term priority is to streamline notice‑and‑action and appeals by mapping the user journey, removing unnecessary steps and manipulative design, using plain language, and setting clear timelines for receiving, reviewing, and resolving reports. They should also strengthen oversight and record‑keeping by assigning clear ownership of DSA compliance, keeping reliable moderation logs, regularly reassessing risks and mitigations, and training staff and partners to avoid manipulative design.

Finally, companies should enable transparency and researcher access by establishing a straightforward process for approved access to public data under the DSA, improving transparency reports with the required facts and figures, and maintaining secure, privacy‑respecting systems that can respond promptly to regulators.

Winter 2025

]]>Fri, 02 Jan 2026 10:51:00 ZTechnology/DigitalOliver BrayThe question

What mechanisms has the European Commission established under the Digital Services Act (DSA) to ensure users can appeal content moderation decisions?

The key takeaway

The Commission’s preliminary findings signal that under the DSA, accessible, manipulation‑free reporting and robust appeals are core obligations, so companies should simplify user journeys and strengthen transparency now to avoid facing fines up to 6% of global revenue for shortfalls.

The background

Under the DSA, online platforms operating within the European Union are legally required to establish accessible mechanisms enabling users to contest content moderation decisions, such as the removal of content or the deletion of accounts. This regulatory obligation is designed to promote greater transparency and safeguard users impacted by enforcement actions.

In connection with formal investigations initiated in 2024 into Meta and TikTok’s compliance with the DSA, the European Commission has issued preliminary findings indicating that both companies may have failed to meet the DSA’s standards for transparency and user protection. These findings underscore the critical importance of robust appeal mechanisms and reinforce the necessity for platforms to uphold their obligations under the DSA.

Additionally, the Commission has identified that Facebook, Instagram, and TikTok have imposed unduly burdensome processes for researchers seeking access to public data. These restrictions have resulted in researchers obtaining only partial or unreliable datasets, thereby hindering independent scrutiny and oversight.

Meta and TikTok now have the opportunity to review the Commission’s investigation files and respond in writing to the preliminary findings. They may also address any identified breaches during this process. The European Board for Digital Services will be consulted as part of the ongoing investigation.

It is important to emphasise that these preliminary findings are part of ongoing formal investigations into both companies, and the Commission continues to assess other potential breaches of the DSA. For further details on the DSA’s specific requirements, please see our winter 2024 Snapshots edition here.

The development

The Commission’s preliminary findings highlight concerns regarding the lack of an accessible ‘Notice and Action’ mechanism for users to report illegal content, including child sexual abuse material and terrorist content. The investigation revealed that the current reporting processes on major platforms impose unnecessary steps on users, which may discourage them from flagging harmful material. Additionally, the use of dark patterns and deceptive interface designs was found to confuse and dissuade users, rendering the existing ‘Notice and Action’ mechanisms largely ineffective.

Meta and TikTok’s response will be pivotal for understanding the exact standards platforms are required to provide under the DSA in relation to content moderation. Moreover, the Commission may issue a non-compliance decision resulting in significant penalties, including fines of up to 6% of the companies’ global annual revenue as well as ongoing penalty payments to enforce compliance.

Why is this important?

These preliminary findings matter because they provide an early indication of the Commission’s enforcement priorities under the DSA - namely that usable reporting and appeal pathways are substantive obligations, not design choices. By signalling potential non‑compliance decisions with fines up to 6% of global revenue and periodic penalties the Commission emphasises the cost of dark patterns, friction in reporting, and restricted researcher access. Clarity on these standards will drive product and governance changes across platforms, strengthen transparency and scrutiny, and accelerate accountable content moderation in the EU and beyond.

Any practical tips?

For online platforms, the near‑term priority is to streamline notice‑and‑action and appeals by mapping the user journey, removing unnecessary steps and manipulative design, using plain language, and setting clear timelines for receiving, reviewing, and resolving reports. They should also strengthen oversight and record‑keeping by assigning clear ownership of DSA compliance, keeping reliable moderation logs, regularly reassessing risks and mitigations, and training staff and partners to avoid manipulative design.

Finally, companies should enable transparency and researcher access by establishing a straightforward process for approved access to public data under the DSA, improving transparency reports with the required facts and figures, and maintaining secure, privacy‑respecting systems that can respond promptly to regulators.

Winter 2025

]]>{E1529F61-DE91-4338-9DEF-536D38174294}https://www.rpclegal.com/snapshots/technology-digital/winter-2025/cyberflashing-crackdown-under-the-uks-online-safety-act/The question

What obligations will tech firms face once cyberflashing becomes a “priority offence” under the Online Safety Act?

The key takeaway

The UK Government intends to classify cyberflashing as a priority offence under the Online Safety Act (OSA). This will require in-scope tech companies to take proactive and proportionate steps to reduce the risk of users encountering unsolicited sexual images. Failure to comply could result in enforcement by Ofcom, including fines of up to 10% of global annual turnover and, in extreme cases, service-blocking in the UK.

The background

Cyberflashing - sending unsolicited sexual images for the purpose of causing alarm, distress or sexual gratification - became a criminal offence in England and Wales in January 2024 following amendments introduced by the OSA.

In a press release on 29 September 2025, the Technology Secretary announced that the Government intends to designate cyberflashing as a priority offence. The move reflects growing concerns about online safety, supported by research indicating that around one in three girls under 18 have received unsolicited sexual images online.

A priority-offence designation under the OSA activates enhanced obligations for regulated services, including mandatory risk assessments, proactive mitigation measures, and ongoing safety-by-design practices.

The development

When cyberflashing becomes a priority offence:

• user-to-user and search services in scope of the OSA must assess the likelihood of users encountering unsolicited sexual images on their platform;
• platforms must implement proportionate, preventative measures to minimise that risk;
• Ofcom’s Codes of Practice (or alternative compliant measures) will guide what “proportionate” looks like in practice.

The Government has highlighted possible measures, including automated detection of harmful images, stronger moderation, clearer content policies, and restricting how images can be sent by new or unverified users. While these are examples, not mandatory tools, they signal regulatory expectations around effective and proactive design choices.

Ofcom will supervise compliance and may use its full enforcement toolkit where risks are not adequately addressed.

Why is this important?

The designation elevates cyberflashing to one of the OSA’s most serious categories of harm, meaning:

• platforms must shift from passive moderation to active prevention;
• Ofcom will expect demonstrable governance, testing, and monitoring of mitigation measures;
• enforcement risks increase significantly, including fines of up to 10% of global turnover and potential access restrictions.

Beyond regulatory exposure, there is a commercial upside: platforms that visibly protect users from harmful behaviour build trust, retention, and brand resilience.

Any practical tips?

There is no single prescribed solution, but tech businesses should begin preparing by:

• conducting a targeted risk assessment of where and how unsolicited images may be shared on their service;
• testing proportionate technical mitigations, such as opt-in image sharing for non-contacts, friction for new accounts, or automated detection tools (with strong privacy controls);
• reviewing user policies and enforcement pathways to ensure clear consequences for offenders;
• documenting governance, decisions, and safety measures, recognising that Ofcom may request evidence;
• monitoring Ofcom guidance and Government statements to understand what will qualify as “effective” mitigation.

Early action will help organisations demonstrate readiness ahead of formal designation and reduce future enforcement risk.

 Winter 2025

]]>Fri, 02 Jan 2026 10:51:00 ZTechnology/DigitalOliver BrayThe question

What obligations will tech firms face once cyberflashing becomes a “priority offence” under the Online Safety Act?

The key takeaway

The UK Government intends to classify cyberflashing as a priority offence under the Online Safety Act (OSA). This will require in-scope tech companies to take proactive and proportionate steps to reduce the risk of users encountering unsolicited sexual images. Failure to comply could result in enforcement by Ofcom, including fines of up to 10% of global annual turnover and, in extreme cases, service-blocking in the UK.

The background

Cyberflashing - sending unsolicited sexual images for the purpose of causing alarm, distress or sexual gratification - became a criminal offence in England and Wales in January 2024 following amendments introduced by the OSA.

In a press release on 29 September 2025, the Technology Secretary announced that the Government intends to designate cyberflashing as a priority offence. The move reflects growing concerns about online safety, supported by research indicating that around one in three girls under 18 have received unsolicited sexual images online.

A priority-offence designation under the OSA activates enhanced obligations for regulated services, including mandatory risk assessments, proactive mitigation measures, and ongoing safety-by-design practices.

The development

When cyberflashing becomes a priority offence:

• user-to-user and search services in scope of the OSA must assess the likelihood of users encountering unsolicited sexual images on their platform;
• platforms must implement proportionate, preventative measures to minimise that risk;
• Ofcom’s Codes of Practice (or alternative compliant measures) will guide what “proportionate” looks like in practice.

The Government has highlighted possible measures, including automated detection of harmful images, stronger moderation, clearer content policies, and restricting how images can be sent by new or unverified users. While these are examples, not mandatory tools, they signal regulatory expectations around effective and proactive design choices.

Ofcom will supervise compliance and may use its full enforcement toolkit where risks are not adequately addressed.

Why is this important?

The designation elevates cyberflashing to one of the OSA’s most serious categories of harm, meaning:

• platforms must shift from passive moderation to active prevention;
• Ofcom will expect demonstrable governance, testing, and monitoring of mitigation measures;
• enforcement risks increase significantly, including fines of up to 10% of global turnover and potential access restrictions.

Beyond regulatory exposure, there is a commercial upside: platforms that visibly protect users from harmful behaviour build trust, retention, and brand resilience.

Any practical tips?

There is no single prescribed solution, but tech businesses should begin preparing by:

• conducting a targeted risk assessment of where and how unsolicited images may be shared on their service;
• testing proportionate technical mitigations, such as opt-in image sharing for non-contacts, friction for new accounts, or automated detection tools (with strong privacy controls);
• reviewing user policies and enforcement pathways to ensure clear consequences for offenders;
• documenting governance, decisions, and safety measures, recognising that Ofcom may request evidence;
• monitoring Ofcom guidance and Government statements to understand what will qualify as “effective” mitigation.

Early action will help organisations demonstrate readiness ahead of formal designation and reduce future enforcement risk.

 Winter 2025

]]>{28C44BB7-FEA0-4A8D-830D-559FC210D1A4}https://www.rpclegal.com/snapshots/technology-digital/winter-2025/enhanced-access-to-platform-data-under-new-rules-in-the-digital-services-act/The question

How will new rules under the EU’s Digital Services Act (DSA) expand researchers’ access to platform data, and what are the implications for platforms, researchers and wider society?

The key takeaway

From 29 October 2025, qualified, vetted researchers can request access to data held by very large online platforms (VLOPs) and very large online search engines (VLOSEs) for the purpose of investigating systemic risks - including the dissemination of illegal content, impacts on mental health, risks to minors and other societal harms. This expanded access is enabled by a new Delegated Act on Data Access, which sets out detailed procedures, safeguards and technical conditions. It represents a major shift in transparency expectations for the largest online services operating in the EU.

The background

The DSA establishes a framework to increase accountability and transparency for online intermediaries, including platforms outside the EU that serve a substantial number of EU users - meaning UK-based organisations may be in scope.

Until now, independent researchers have faced significant barriers when seeking access to platform data, resulting in partial or inconsistent datasets and limiting scrutiny of platform systems.
The Delegated Act now in force addresses this by:

• obliging VLOPs/VLOSEs to provide data access where legally required;
• defining who qualifies as a vetted researcher;
• establishing the criteria, procedures and technical conditions for data sharing; and
• setting parameters to safeguard platform integrity, trade secrets and user privacy.

This is the first EU framework that creates a structured and enforceable mechanism for independent research into systemic risks in online environments.

The development

Under the new rules:

• vetted researchers may apply for access to platform data when their research directly relates to the systemic risks defined in the DSA (e.g., illegal content, public health misinformation, effects on minors, democratic harms);
• applications are reviewed by Digital Services Coordinators (DSCs) - the national authorities responsible for supervising DSA compliance;
• if a researcher satisfies the legal criteria, DSCs can require platforms to grant access to the requested data;
• DSCs must collaborate to ensure consistent and timely decisions across Member States;
• platforms must comply with approved requests and establish processes to manage data access securely and lawfully.

The Delegated Act also sets out technical standards for access environments, including secure processing spaces, privacy protection measures, and obligations to prevent data misuse.

Why is this important?

These rules dramatically expand the ability of independent researchers to analyse how platform systems shape online behaviour and societal outcomes. Enhanced data access may:

• improve public understanding of how recommendation systems, ranking, and advertising models influence user experience;
• reveal whether certain platform designs contribute to harms such as self-harm content exposure, polarisation, or discrimination;
• strengthen evidence-based policymaking and regulatory oversight; and
• increase pressure on platforms to demonstrate that their systems are safe by design and compliant with DSA risk-mitigation duties.

For platforms, this marks a shift from voluntary data-sharing to a mandatory, regulator-controlled regime with potential reputational, operational and compliance consequences.

Any practical tips?

For researchers:

• prepare detailed applications showing clear relevance to systemic risks, methodological robustness and capacity to handle data securely;
• engage early with DSC guidance to understand national expectations and timelines.

For platforms:

• review internal processes for receiving, assessing and fulfilling data-access requests;
• map where relevant data sits, including logs, recommender-system outputs, ad library data, ranking signals and safety-related metrics;
• implement or upgrade secure research environments and data-minimisation tooling;
• ensure governance teams are ready to liaise with DSCs and maintain audit-ready documentation.

For all organisations:

• monitor emerging guidance to understand how the rules will be applied in practice;
• expect increased scrutiny and potentially greater transparency demands as systemic-risk research expands.

Winter 2025

What should providers and deployers of generative AI systems expect from the EU’s forthcoming Code of Practice on AI transparency?

The key takeaway

The EU AI Office has launched a multi-stakeholder process to draft a voluntary Code of Practice to support compliance with Article 50 of the AI Act, which introduces new transparency obligations for AI-generated and AI-manipulated content. The Code is expected to be finalised ahead of the Article 50 requirements taking effect in mid-2026 and will offer practical guidance for providers and deployers preparing to meet these duties.

The background

Article 50 of the AI Act establishes explicit transparency duties for AI-generated content. These include:

• providers: ensuring that outputs of generative AI systems are identifiable as AI-generated;
• deployers: disclosing the use of AI to generate or manipulate content (e.g. deepfakes);
• public-facing use cases: adding clear disclosure where AI-generated content is used to inform the public on matters of public interest.

To help operationalise these requirements, the EU AI Office has convened independent experts, industry participants and civil society stakeholders to develop a voluntary Code of Practice to support consistent implementation across the EU.

See the Code of Practice on transparency of AI-generated content initiative for more details.

The development

The drafting process began with a kick-off plenary on 5 November 2025 and is expected to run until May-June 2026. Key features include:

• stakeholder participation - the drafting group includes generative AI providers, deployers, large online platforms, technical specialists, academics, and civil society organisations;
• two thematic workstreams:
  • provider workstream - developing approaches for marking and detecting AI-generated content across formats (audio, image, video, text). Discussions include interoperability, robustness, watermarking, metadata, and feasibility constraints;
  • deployer workstream - focusing on disclosure obligations for deepfakes, AI-generated publications, and content used in a public-information context (e.g., political, civic or news-related communications).
• drafting and consultation cycle - the Code will be shaped through plenaries, technical workshops, iterative drafting, and public consultation on draft versions before finalisation.

Complementary Commission guidance

The European Commission will publish non-binding guidelines in parallel, intended to clarify legal obligations under Article 50 and support consistent interpretation across Member States.

Why is this important?

Article 50 represents a major regulatory intervention aimed at addressing the risks of deception, misinformation and manipulation associated with AI-generated content.

The Code of Practice, although voluntary, is expected to:

• provide a practical roadmap for meeting transparency duties under the AI Act;
• influence the development of European and international technical standards;
• shape what regulators and platforms consider “appropriate measures” for marking and disclosing AI-generated content; and
• become a reference point in future enforcement activity, particularly where organisations rely on bespoke or non-standard transparency mechanisms.

For many organisations, early preparation will be essential: Article 50 obligations sit alongside other EU frameworks, including the Digital Services Act (DSA), the Copyright Directive, media regulation, and broader platform accountability initiatives.

Any practical tips?

Businesses developing or deploying generative AI should begin preparing now by:

• assessing readiness for Article 50 obligations, including labelling and disclosure workflows across all content types;
• evaluating technical options for watermarking, metadata tagging and detection, and understanding their limitations;
• engaging with standard-setting bodies (CEN/CENELEC, ISO/IEC, ETSI) as standards will likely underpin future conformity expectations;
• updating internal governance, editorial and content-moderation processes to ensure transparency measures are applied consistently across markets;
• monitoring the AI Office’s draft versions of the Code throughout 2026 and considering participation in consultations; and
• reviewing interaction with other EU obligations (e.g., deepfake labelling under the DSA) to ensure an integrated compliance approach.

Winter 2025

How will the EU’s new AI Act Single Information Platform support businesses developing or deploying AI systems in the EU?

The key takeaway

The European Commission has launched a beta version of the AI Act Single Information Platform - a central hub designed to help organisations understand whether and how the AI Act applies to their systems. While the tools do not replace legal advice, they offer a structured starting point for businesses assessing their obligations under the rapidly approaching compliance deadlines.

The background

The EU AI Act, which entered into force on 1 August 2024, establishes a harmonised framework for the trustworthy development and use of AI across the EU. Its obligations will be phased in until full applicability on 2 August 2027, with earlier deadlines for certain high-risk and prohibited uses.

To support implementation, the European AI Office must - under Article 62 of the Act - create a “single information platform” providing accessible resources for stakeholders. Although Article 62 is not due to take effect until August 2026, the Commission has released key components early, following earlier July 2025 guidance including the GPAI Code of Practice and compliance guidelines.

The development

In October 2025, the AI Office launched the AI Act Single Information Platform, forming part of a wider AI Act Service Desk. The platform consolidates practical tools and reference materials in one place, including:

• AI Act Compliance Checker - an interactive questionnaire guiding users through the Act’s scope and obligations. Based on responses, the tool provides indicative assessments of how an AI system may be classified under the Act (e.g., prohibited, high-risk, GPAI) and highlights relevant compliance steps. Each stage includes definitions and references for context;
• AI Act Service Desk - a channel for stakeholders to submit questions directly to the AI Office and receive written responses. As this service is in its early stages, its reliability and turnaround times remain to be tested;
• AI Act Explorer - a consolidated, searchable version of the AI Act, including annexes and recitals, designed to allow users to navigate the legislation more intuitively;
• implementation timeline and resource library - additional pages track key legislative deadlines and compile guidance from the Commission and Member States.

Why is this important?

Although still in beta, the platform arrives well ahead of the statutory deadline, reflecting the Commission’s push to accelerate readiness among both regulators and businesses. As compliance obligations begin to crystallise - particularly for providers, importers and deployers of high-risk AI systems - stakeholders should benefit from a single, authoritative point of reference.

However, businesses should treat the tools as indicative rather than determinative. The compliance checker cannot account for the nuances of a specific system or business model, and the Service Desk is not a substitute for formal guidance or legal advice. As enforcement ramps up towards 2027, organisations integrating AI into products and operations will need tailored assessments.

Any practical tips?

Businesses using, integrating, or developing AI systems should:

• use the Compliance Checker early to identify whether your AI systems are likely to fall within the Act’s scope and which obligations might apply;
• track updates to the Service Desk and platform, as functionality and content will evolve throughout 2026;
• review internal AI governance frameworks against upcoming deadlines, particularly for high-risk AI;
• seek tailored legal advice on classification and compliance requirements - particularly for borderline or multi-use systems where the Act’s risk-based obligations are complex.

 Winter 2025

What has the European Commission proposed under its emerging ‘Digital Omnibus’ initiative, and how might these changes affect businesses operating in the EU digital and technology sectors?

The key takeaway

The European Commission has signalled a major simplification drive across EU digital regulation as part of its 2025-2029 programme. A package informally referred to as the ‘Digital Omnibus’ sets out early proposals to streamline and clarify aspects of the AI Act, the GDPR and wider data-governance rules. While the proposals are not yet legislative texts, they indicate the Commission’s direction of travel and the areas where businesses can expect future regulatory adjustments.

The background

In her 2024-2029 political guidelines, Commission President Ursula von der Leyen emphasised the need to simplify and harmonise the EU’s regulatory landscape, reduce administrative burdens and strengthen Europe’s competitiveness. The European Council reinforced this direction in its October 2025 conclusions, calling for clearer, more coherent rules for the digital sector.

The Commission has therefore begun outlining a set of simplification measures across key digital regulations. These proposals aim to support growth in the EU technology ecosystem - valued at €791 billion in 2022 - while maintaining high standards of safety, fundamental rights and data protection.

The development

As part of this agenda, the Commission has introduced an early-stage package of measures commonly referred to as the Digital Omnibus. This is not yet a formal legislative proposal, but a policy framework highlighting areas for future legislative amendments. The package will require full negotiation and adoption by the Council and European Parliament. Below is a summary of the proposed areas of reform.

AI Act: Proposed adjustments

• Revised implementation timelines: The Commission has indicated that the application dates for high-risk AI system requirements may be aligned with the availability of harmonised standards and detailed guidance. This could extend compliance deadlines beyond their current 2026 timings.
• Enhanced role for the AI Office: The AI Office would take a more central role in supervising general-purpose AI (GPAI) models and certain high-impact uses - particularly where the same provider develops both model and system. While national authorities would remain responsible for imposing penalties, the AI Office may receive additional investigatory or coordination powers.
• AI literacy obligations: The requirement for all deployers to promote AI literacy may be scaled back, with literacy initiatives instead coordinated by the Commission and Member States. High-risk AI deployers would retain more stringent obligations.
• Bias detection and special category data: A new, narrowly framed legal basis may allow processing of special category data for the specific purpose of detecting and correcting bias in AI systems, subject to safeguards.
• EU-level AI sandboxes: A single EU regulatory sandbox could be introduced from 2028 to support innovation and cross-border experimentation.

GDPR: Areas identified for clarification or amendment

• Pseudonymised data: Clarifications are being considered on how pseudonymised data should be treated, particularly when shared across entities within a group or with third-party partners.
• Legitimate interests and AI: The Commission is examining whether further guidance is needed to clarify when legitimate interests can be relied on for AI training and operation, subject to the usual balancing test.
• Residual special category data: A potential new legal basis may apply where a controller has taken reasonable steps to remove special category data from training sets, but small amounts remain that would require disproportionate effort to eliminate - again, subject to strict safeguards.
• Data subject access request (DSAR) refinements: The Commission may seek to clarify the circumstances in which controllers can refuse manifestly unfounded or abusive DSARs, particularly where requests appear to pursue objectives unrelated to data-protection rights.
• Breach notification: Amendments under discussion would require notification only where a breach is likely to present a high risk to individuals and could extend the deadline from 72 to 96 hours.
• Machine-readable consent signals: New standards for automated, machine-readable consent signals may be developed to improve cookie and tracking-consent management, while maintaining alignment with ePrivacy rules.

Data Act and wider data governance: potential future reforms

• Alignment with existing data governance laws: The Commission may explore closer alignment between the Data Act, the Data Governance Act, and the Open Data Directive, though not consolidation or replacement.
• Stronger transfer safeguards: Additional protections may be introduced for trade secrets and transfers of non-personal or mixed data to third countries.
• Incident-reporting pathways: Future reforms may streamline cybersecurity and data-incident reporting, coordinated at national level under NIS2, with ENISA supporting guidance rather than acting as a central reporting gateway.
• European Business Wallets: Expansion of secure cross-border digital identity tools to help businesses verify identities, sign documents and exchange information.
• Platform-to-Business Regulation review: The Commission may revisit the P2B Regulation, given its partial overlap with the Digital Markets Act (DMA) and Digital Services Act (DSA), although no repeal has yet been formally proposed.

Why is this important?

The Digital Omnibus represents an early step towards simplifying the EU’s complex digital regulatory framework. For businesses, especially those deploying AI systems or handling large volumes of data, the proposals could lead to clearer rules, reduced administrative burdens and more predictable compliance timelines.

The proposals will also be watched closely by the UK’s Information Commissioner’s Office (ICO), which may consider similar measures as it continues modernising UK data protection law without jeopardising EU adequacy.

Any practical tips?

Although these proposals remain at an early stage, organisations - particularly digital platforms, AI developers, cloud providers and data-driven businesses - should:

• follow legislative developments closely as the Council and Parliament begin their discussions and trilogue negotiations;
• track any adjustments to AI Act timelines, which may affect internal deployment and product-development roadmaps;
• review how they rely on legitimate interests and pseudonymisation, as these areas are likely to receive further clarification;
• assess how future consent-signal standards or DSAR refinements could change user-interface and privacy-management design; and
• prepare for a transitional period once the final text is adopted.

If the Digital Omnibus achieves its stated goals, businesses may see a reduction in compliance complexity. Early awareness and planning will remain essential.

Winter 2025

What does the UK’s proposed AI Growth Lab mean for AI developers?

The key takeaway

The UK Government has opened a call for evidence on the AI Growth Lab, a proposed large-scale regulatory sandbox that would allow supervised, real-world testing of AI systems under temporary, targeted regulatory modifications. The initiative aims to accelerate responsible AI innovation while generating evidence to inform long-term regulatory reform.

The background

As the UK continues to favour a sector-led approach to AI oversight - rather than adopting an EU-style horizontal framework - many developers report that outdated or rigid rules in areas such as healthcare, transport, planning, financial services, and autonomous systems are slowing deployment. While sectoral regulators have trialled advisory or experimental sandboxes, these initiatives often cannot override statutory requirements, limiting their usefulness for testing higher-risk or regulated AI applications.

With business adoption of AI still relatively low, the Government is exploring whether supervised, temporary easing of regulatory constraints could unlock innovation and productivity growth. International peers are pursuing similar models, including the EU’s mandated AI sandboxes under the AI Act and proposed US federal sandbox legislation.

The development

The Government’s proposal would establish an AI Growth Lab to enable real-world testing of AI systems within time-limited “sandbox pilots”. These pilots would be jointly overseen by sector regulators and the Government, and would operate under bespoke licences setting out what is permitted and under what conditions.

Key features include:

• targeted statutory modifications - participating organisations could test AI systems under temporary adjustments or exemptions to selected legal requirements, where justified and safe to do so;
• strong safeguards and continuous oversight - every participant would operate under a licence defining permitted activities, risk thresholds, reporting duties, monitoring obligations, and audit requirements. The Lab would have powers to suspend or terminate a pilot immediately if risks emerge or conditions are breached;
• non-modifiable “red-line” protections - certain legal requirements would remain off-limits for modification, including consumer protection, health and safety, fundamental rights, intellectual property, and worker protections;
• a pathway to permanent reform - if sandbox pilots show that a modified rule is safe, proportionate and innovation-enabling, the Lab may recommend integrating the change into the wider regulatory framework through streamlined legislation or regulatory updates.

Operating model options

Two models are being considered:

• a centralised, cross-sector Lab operated by Government; or
• regulator-led Labs tailored to specific sectors or cross-cutting use cases.

Why is this important?

For AI developers - especially in highly regulated sectors - the AI Growth Lab could create new opportunities to deploy and refine technologies that existing rules currently restrict.

Equally important, participants would have a structured channel to shape the future regulatory landscape. Successful pilots could feed directly into revised legislation, regulatory guidance, or new statutory exemptions. If implemented effectively, the Growth Lab could become a significant driver of responsible AI adoption across the UK economy.

Any practical tips?

The AI Growth Lab remains at the proposal stage. The Government’s call for evidence is open until 2 January 2026.

Organisations should consider:

• responding to the consultation, particularly if regulatory constraints materially impede deployment of your AI system;
• identifying specific legal barriers facing your technology and whether temporary modification could enable meaningful testing;
• assessing which operating model - centralised or regulator-led - would best support your sector;
• preparing case studies or evidence demonstrating how real-world testing could accelerate safe innovation.

To submit a response, visit:

https://www.gov.uk/government/calls-for-evidence/ai-growth-lab/ai-growth-lab#why-we-are-issuing-this-call-for-evidence

 Winter 2025

How is the European Data Protection Board (EDPB) seeking to support organisations with GDPR compliance, and what is the purpose of its new consultation on ready-to-use templates?

The key takeaway

The EDPB has launched a public consultation on a set of draft, ready-to-use templates intended to help organisations implement key GDPR obligations more easily and consistently. The initiative is designed to reduce complexity - particularly for smaller organisations - and promote standardised, practical approaches to core compliance activities.

The background

The GDPR requires organisations to document and demonstrate compliance across a wide range of operational, legal and governance processes. For many, particularly SMEs or organisations with limited in-house expertise, translating these requirements into workable documentation can be challenging.

The EDPB has previously issued substantial guidance to support controllers and processors. Its latest initiative builds on this work by proposing template documentation for several foundational GDPR tasks. This sits alongside efforts by individual supervisory authorities (across the EEA and the UK) to produce their own standardised compliance tools.

The development

On 5 November 2025, the EDPB opened a consultation on a suite of practical templates designed to streamline GDPR compliance. These include draft templates for:

• records of processing activities (ROPAs);
• data protection impact assessments (DPIAs);
• data breach response and notification procedures.

The consultation invites feedback on whether the templates are clear, usable and aligned with the operational realities of compliance. Responses closed on 3 December 2025. The EDPB will now assess submissions and consider amendments before publishing the final templates.

Why is this important?

The templates are intended to ease the administrative burden of GDPR compliance - an objective reinforced by the Helsinki Statement (July 2025), which called for simpler, more accessible compliance tools for micro, small and medium-sized organisations.

If adopted, the templates could help organisations:

• reduce uncertainty about what compliant documentation should look like;
• adopt consistent, risk-based approaches across operational areas;
• avoid omissions in core processes such as DPIAs or incident response; and
• demonstrate accountability more effectively in the event of regulatory scrutiny.

The initiative also reflects a broader push by EU regulators to improve practical compliance outcomes while maintaining strong protection for individuals’ data rights.

Any practical tips?

Organisations should consider:

• reviewing the draft templates published on the EDPB website and assessing how they align with existing GDPR documentation;
• assessing the EDPB's feedback, particularly on sector-specific processes or risks;
• monitoring updates after the consultation and evaluating whether to incorporate the finalised templates into internal compliance toolkits - either to replace or supplement existing records.

Winter 2025

Did the European Data Protection Board (EDPB) identify any inconsistencies between Brazil’s personal data protection regime and the GDPR in its assessment for a potential EU adequacy decision?

The key takeaway

The EDPB’s opinion broadly endorses Brazil’s data protection framework as consistent with the GDPR, particularly in relation to core principles, data subject rights, and oversight structures. However, it has asked the European Commission to clarify several areas before finalising an adequacy decision, including the scope of data protection impact assessments, transparency limitations, onward transfer rules, and safeguards governing public-authority access to data.

The background

In September 2025, the European Commission published a draft adequacy decision concluding that Brazil’s data protection law - the Lei Geral de Proteção de Dados (LGPD) - provides a level of protection for personal data that is essentially equivalent to that under the GDPR.

The draft decision must undergo a three-stage approval process involving:

• review by the EDPB;
• approval by Member State representatives; and
• formal adoption by the Commission, after scrutiny by the European Parliament and Council.

Once adopted, EU–Brazil data transfers would no longer require additional safeguards (e.g. SCCs) or reliance on specific derogations.

On 4 November 2025, the EDPB issued its positive opinion, concluding the second stage of this process.

The development

In its opinion, the EDPB assessed:

• the LGPD’s substantive and procedural safeguards;
• the functioning and independence of Brazil’s supervisory authority (ANPD); and
• the framework governing access to personal data by public authorities, including for law-enforcement and national-security purposes.

The EDPB found strong alignment between the LGPD and the GDPR regarding:

• accountability principles;
• data subject rights;
• rules for international data transfers; and
• oversight and redress mechanisms.

However, the EDPB asked the Commission to provide further clarification and to monitor Brazil’s legal framework in several areas:

• Data Protection Impact Assessments (DPIAs) - the LGPD’s DPIA requirements are less precisely defined than the GDPR’s;
• transparency limitations - the EDPB queried the breadth of exceptions that allow organisations to withhold information from data subjects, including where commercial or industrial secrets are invoked;
• onward transfers - further clarity is needed on when onward transfers outside Brazil may rely on derogations, and what information must be given to individuals;
• public-authority access to data - the EDPB asked the Commission to examine safeguards governing access by law-enforcement and national-security agencies to ensure they meet GDPR-equivalent standards.

Why is this important?

A final adequacy decision would significantly streamline EU-Brazil data flows and reduce the compliance burden for organisations engaging Brazilian processors or partners. It would also represent another step toward international convergence in data protection standards, reinforcing global expectations for rights-based and accountability-driven processing.

However, organisations should not assume full regulatory equivalence. Differences will remain between the GDPR and LGPD frameworks, and businesses must continue to assess their obligations carefully - particularly in areas highlighted by the EDPB for further clarification.

Any practical tips?

Organisations should:

• map existing and future data flows involving Brazil to determine where an adequacy decision could simplify compliance;
• monitor the Commission’s response to the EDPB’s clarifications, as these may shape final adequacy conditions;
• stay updated on the approval timeline, especially if relying on SCCs or derogations for ongoing transfers.

Winter 2025

When can affiliated entities be deemed joint controllers under the GDPR in cookie and advertising contexts?

The key takeaway

The CNIL prioritises real‑world control over contractual labels, staying consistent with prior decisions and EU case law. For cross‑border groups, the priority should be to design governance structures, responsibilities and technical ownership with clearly stated roles or risk a finding of joint‑controllership which brings with it increased complexity.

The background

As part of its ongoing cookies enforcement programme, CNIL has recently imposed fines on both Google and Shein for breaches relating to cookies and consent. The investigations form part of the CNIL’s cookies compliance strategy launched over five years ago, which has focused especially on operators of high‑traffic websites and services. In its decisions, the CNIL stressed that cookies consent must be genuinely informed, meaning users receive clear, complete information about what accepting or refusing entails, including the downstream consequences for data use and advertising.

Against this backdrop, CNIL’s decision against Google provides particularly notable guidance on controllership. CNIL fined Google LLC €200 million and Google Ireland Limited €125 million for unsolicited Gmail ads and cookies set without valid consent, affecting over 74 million users in France. It ordered Google to stop these practices and obtain informed consent within six months or face further penalties.

The separate fine against Shein for cookie infringements underscores CNIL’s broader, continuing focus on compliant cookie practices and manipulation‑free consent mechanisms.

The development

Importantly, in Deliberation SAN‑2025‑004, CNIL also found Google Ireland Limited (GIL) and Google LLC (GL) to be joint controllers for Gmail ad processing under Articles 4(7) and 26(1) GDPR, based on factual control over the purposes and means: GL designs, manages and owns core systems and policies, while GIL co‑designs and implements EEA features. Google argued that only GIL was responsible and that GL was merely a third‑party developer under data processing agreements, but the CNIL rejected this, emphasising that contractual labels cannot override the reality of joint decision‑making.

The CNIL’s key considerations in finding GIL and GL to be joint controllers were as follows:

• entities are joint controllers when they jointly determine purposes and essential means of processing;
• contractual labels (e.g. “processor”) are not determinative - actual control and influence prevail;
• joint controllership does not require identical roles. In line with previous CJEU’s rulings, control may be uneven and is assessed on concrete facts;
• internal governance structures revealed a shared influence over data processing activities and approvals of both entities on new product rollout;
• when one entity is the architect and technical owner of the core systems (including cookies and related infrastructure) which the other entity could not unilaterally modify, they are likely to be joint controllers.

CNIL also considered that it had found GL to be a joint controller in respect of Google services in previous decisions, due to the role it played in designing and building Google product technology, and this analysis had not been challenged previously. The subcontract between the parties had not changed since the previous decision and therefore CNIL considered that that analysis still stands.

Why is this important?

CNIL’s restricted committee decisions are legally binding in France and, in cookie/ePrivacy matters, apply directly to processing affecting users in France, even for companies headquartered elsewhere in the EU. They therefore set concrete, enforceable expectations for design, consent, and controllership, with immediate compliance implications and the risk of significant fines and periodic penalty payments.

More broadly, CNIL is an influential regulator and, as a result, these decisions provide practical guidance that complements CJEU case law and clarify how to assess joint controllership based on factual influence rather than contractual labels. As many multinational providers align implementations EU‑wide, CNIL decisions often have persuasive effect beyond France and signal enforcement approaches across the Union.

Any practical tips?

For cross‑border groups, it is important to map who actually decides on purposes and essential means, align contracts and privacy notices and, where control is shared, put in place an Article 26 joint‑controller arrangement with clear allocation and external transparency.

Organisations should consider:

• keeping auditable records of governance (e.g. design reviews and privacy approvals);
• ensuring consent flows and cookie/ad configurations are owned by the entity or entities exercising real control with EEA‑specific defaults; and
• refreshing DPIAs and accountability documentation as roles and systems evolve.

Winter 2025

How is the European Data Protection Board (EDPB) using its coordinated enforcement powers to ensure compliance with transparency and information obligations under the General Data Protection Regulation (GDPR)?

The key takeaway

Organisations subject to the GDPR should expect increased scrutiny of how they communicate privacy information to individuals. The EDPB’s fifth coordinated enforcement action, focusing on transparency and information obligations and launching over the course of 2026, signals that this aspect of compliance will be a particular priority for supervisory authorities in the coming year. This will likely translate into closer examination of privacy notices, consent flows, in-product messaging and user interfaces.

The background

The EDPB is an independent European body that helps ensure EU data protection laws are applied consistently across member states and promotes cooperation between national Data Protection Authorities (DPAs). It issues guidelines, recommendations and best practices designed to clarify legal requirements and support effective enforcement.

In October 2020, the EDPB adopted the Coordinated Enforcement Framework (CEF) to provide a structure for DPAs to work together on recurring, coordinated enforcement actions on a pre-defined topic and using a common methodology. Through the CEF, DPAs carry out national investigations on the chosen topic. The results are then aggregated and analysed at EDPB level, typically leading to a public report summarising key findings and recommendations and informing follow-up actions at both national and EU level.

Although EDPB guidance is no longer formally binding in the UK following Brexit, the topics selected for coordinated enforcement are strong indicators of regulatory priorities across Europe. Given the continued similarity between the EU GDPR and the UK GDPR, and the UK’s ongoing adequacy relationship with the EU, EDPB guidance and enforcement trends remain highly relevant for organisations subject to UK data protection laws as well as those operating across the EU.

The development

At its October 2025 plenary, the EDPB selected compliance with transparency and information obligations under the GDPR as the topic of its fifth coordinated enforcement action. This includes organisations’ obligations under Articles 12, 13 and 14 GDPR to provide individuals with clear, concise and accessible information about how their personal data is processed.

Participating national DPAs will join this action on a voluntary basis, and the coordinated work will be rolled out over the course of 2026. The outcomes of the national investigations will be analysed both at national level and across the European Economic Area, and the EDPB is expected to publish a report pooling these findings and highlighting common issues, good practices and areas for further enforcement.

Why is this important?

The initiative reinforces the central role of transparency in EU data protection law and continues the trend towards a more harmonised supervisory approach across the EU and EEA.

For digital platforms and technology companies, transparency obligations are not limited to static privacy policies. Regulators are increasingly interested in:

• how privacy information is presented in user journeys (for example, sign-up flows, cookie banners, app permissions and consent prompts);
• whether layered notices and UI design choices genuinely support user understanding or risk being considered misleading or “dark patterns”; and
• how organisations explain profiling, personalisation, online tracking and data sharing with third parties and partners.

A coordinated focus on transparency means that organisations with cross-border operations could see parallel or aligned supervisory activity from multiple DPAs on these issues.

Any practical tips?

In anticipation of heightened scrutiny in 2026, organisations - particularly those operating digital platforms, apps and online services - should:

• review and update privacy notices so they are tailored to their audiences, written in clear, user-friendly language and accurately reflect current data processing activities;
• check transparency across channels (web, mobile, app stores, in-product notices, connected devices) to ensure information is consistent and easy to access wherever users interact with the service;
• map key user journeys (e.g. registration, cookie choices, account settings, ad personalisation, uninstall/account deletion) and ensure that individuals receive timely, layered information at relevant touchpoints;
• engage legal, product and UX teams together so that privacy information is embedded into product design rather than bolted on at the end;
• keep transparency documentation under regular review, particularly when launching new features, integrating third-party tools (such as analytics, adtech or AI services) or expanding into new jurisdictions.

Failure to meet transparency and information obligations can lead to regulatory investigations, substantial fines, claims from individuals and reputational harm. Taking early steps now will put you in a stronger position as the EDPB’s coordinated enforcement action unfolds during 2026.

 Winter 2025

]]>Fri, 02 Jan 2026 10:40:00 ZData protectionThe question

How is the European Data Protection Board (EDPB) using its coordinated enforcement powers to ensure compliance with transparency and information obligations under the General Data Protection Regulation (GDPR)?

The key takeaway

Organisations subject to the GDPR should expect increased scrutiny of how they communicate privacy information to individuals. The EDPB’s fifth coordinated enforcement action, focusing on transparency and information obligations and launching over the course of 2026, signals that this aspect of compliance will be a particular priority for supervisory authorities in the coming year. This will likely translate into closer examination of privacy notices, consent flows, in-product messaging and user interfaces.

The background

The EDPB is an independent European body that helps ensure EU data protection laws are applied consistently across member states and promotes cooperation between national Data Protection Authorities (DPAs). It issues guidelines, recommendations and best practices designed to clarify legal requirements and support effective enforcement.

In October 2020, the EDPB adopted the Coordinated Enforcement Framework (CEF) to provide a structure for DPAs to work together on recurring, coordinated enforcement actions on a pre-defined topic and using a common methodology. Through the CEF, DPAs carry out national investigations on the chosen topic. The results are then aggregated and analysed at EDPB level, typically leading to a public report summarising key findings and recommendations and informing follow-up actions at both national and EU level.

Although EDPB guidance is no longer formally binding in the UK following Brexit, the topics selected for coordinated enforcement are strong indicators of regulatory priorities across Europe. Given the continued similarity between the EU GDPR and the UK GDPR, and the UK’s ongoing adequacy relationship with the EU, EDPB guidance and enforcement trends remain highly relevant for organisations subject to UK data protection laws as well as those operating across the EU.

The development

At its October 2025 plenary, the EDPB selected compliance with transparency and information obligations under the GDPR as the topic of its fifth coordinated enforcement action. This includes organisations’ obligations under Articles 12, 13 and 14 GDPR to provide individuals with clear, concise and accessible information about how their personal data is processed.

Participating national DPAs will join this action on a voluntary basis, and the coordinated work will be rolled out over the course of 2026. The outcomes of the national investigations will be analysed both at national level and across the European Economic Area, and the EDPB is expected to publish a report pooling these findings and highlighting common issues, good practices and areas for further enforcement.

Why is this important?

The initiative reinforces the central role of transparency in EU data protection law and continues the trend towards a more harmonised supervisory approach across the EU and EEA.

For digital platforms and technology companies, transparency obligations are not limited to static privacy policies. Regulators are increasingly interested in:

• how privacy information is presented in user journeys (for example, sign-up flows, cookie banners, app permissions and consent prompts);
• whether layered notices and UI design choices genuinely support user understanding or risk being considered misleading or “dark patterns”; and
• how organisations explain profiling, personalisation, online tracking and data sharing with third parties and partners.

A coordinated focus on transparency means that organisations with cross-border operations could see parallel or aligned supervisory activity from multiple DPAs on these issues.

Any practical tips?

In anticipation of heightened scrutiny in 2026, organisations - particularly those operating digital platforms, apps and online services - should:

• review and update privacy notices so they are tailored to their audiences, written in clear, user-friendly language and accurately reflect current data processing activities;
• check transparency across channels (web, mobile, app stores, in-product notices, connected devices) to ensure information is consistent and easy to access wherever users interact with the service;
• map key user journeys (e.g. registration, cookie choices, account settings, ad personalisation, uninstall/account deletion) and ensure that individuals receive timely, layered information at relevant touchpoints;
• engage legal, product and UX teams together so that privacy information is embedded into product design rather than bolted on at the end;
• keep transparency documentation under regular review, particularly when launching new features, integrating third-party tools (such as analytics, adtech or AI services) or expanding into new jurisdictions.

Failure to meet transparency and information obligations can lead to regulatory investigations, substantial fines, claims from individuals and reputational harm. Taking early steps now will put you in a stronger position as the EDPB’s coordinated enforcement action unfolds during 2026.

 Winter 2025

]]>{9DD1CBDE-1F44-49BE-8469-A5A97333F3DF}https://www.rpclegal.com/snapshots/data-protection/winter-2025/ico-consults-on-revised-data-protection-enforcement-procedural-guidance/The question

What does the ICO’s draft enforcement guidance tell us about how future investigations will proceed?

The key takeaway

The ICO’s new draft guidance provides a clearer, end-to-end explanation of its investigation and enforcement processes, including its available regulatory powers, expected procedural steps, organisations’ rights to make representations, and its proposed settlement discount framework.

The background

As part of its ongoing drive to increase transparency and predictability for regulated organisations, the ICO has published draft guidance describing how it conducts investigations from start to finish. The ICO continues to position itself as a pragmatic and proportionate regulator, noting that fines are only one of several enforcement tools available. Other outcomes, such as warnings, reprimands, practice recommendations, and enforcement notices, remain key features of its regulatory approach.

The development

The draft guidance sets out the legal and procedural framework governing ICO investigations and enforcement. It explains the ICO’s powers to issue:

• information notices, including its powers of entry and inspection;
• assessment notices, which allow the ICO to assess compliance directly;
• warnings (where a breach is likely) and reprimands (where a breach has occurred);
• enforcement notices, requiring steps to bring processing into compliance;
• penalty notices, which may be issued for breaches of data protection law or for failing to comply with an information or assessment notice; and
• how the ICO handles legally privileged material.

The guidance also outlines:

• how and when the ICO decides to open an investigation, including threshold considerations;
• what organisations can expect throughout the inquiry process;
• the right to make written representations following a notice of intent, and oral representations where the ICO invites them;
• the settlement process, which remains voluntary but can be engaged once a notice of intent proposing a penalty is issued; and
• the right of appeal against information, assessment, enforcement or penalty notices (including penalty variations).

Settlement discounts

For the first time, the ICO sets out defined settlement discount ranges when organisations agree to resolve cases early:

• up to 40% if settlement occurs before written representations are submitted;
• up to 30% if settlement occurs after written representations but before the final penalty notice is issued;
• up to 20% if settlement occurs after the final penalty notice.

This reflects the kinds of reductions the ICO has made in recent enforcement matters, where early cooperation and mitigation significantly affected penalty levels.

Why is this important?

The guidance offers organisations a clearer view of how ICO investigations are likely to unfold - including how decisions are made, when engagement opportunities arise, and how settlement may influence penalty outcomes. The potential consolidation of enforcement guidance across regimes could further streamline compliance planning, particularly for organisations subject to overlapping data protection and PECR obligations.

Any practical tips?

The consultation is open until Friday 23 January 2026, and responses can be submitted online, by email or by post. Organisations should consider reviewing the draft guidance and responding where helpful, particularly if:

• you frequently interact with the ICO;
• you want clarity on settlement opportunities or investigative expectations; or
• you have concerns about terminology or practical application of the powers.

 Winter 2025

]]>Fri, 02 Jan 2026 10:40:00 ZData protectionThe question

What does the ICO’s draft enforcement guidance tell us about how future investigations will proceed?

The key takeaway

The ICO’s new draft guidance provides a clearer, end-to-end explanation of its investigation and enforcement processes, including its available regulatory powers, expected procedural steps, organisations’ rights to make representations, and its proposed settlement discount framework.

The background

As part of its ongoing drive to increase transparency and predictability for regulated organisations, the ICO has published draft guidance describing how it conducts investigations from start to finish. The ICO continues to position itself as a pragmatic and proportionate regulator, noting that fines are only one of several enforcement tools available. Other outcomes, such as warnings, reprimands, practice recommendations, and enforcement notices, remain key features of its regulatory approach.

The development

The draft guidance sets out the legal and procedural framework governing ICO investigations and enforcement. It explains the ICO’s powers to issue:

• information notices, including its powers of entry and inspection;
• assessment notices, which allow the ICO to assess compliance directly;
• warnings (where a breach is likely) and reprimands (where a breach has occurred);
• enforcement notices, requiring steps to bring processing into compliance;
• penalty notices, which may be issued for breaches of data protection law or for failing to comply with an information or assessment notice; and
• how the ICO handles legally privileged material.

The guidance also outlines:

• how and when the ICO decides to open an investigation, including threshold considerations;
• what organisations can expect throughout the inquiry process;
• the right to make written representations following a notice of intent, and oral representations where the ICO invites them;
• the settlement process, which remains voluntary but can be engaged once a notice of intent proposing a penalty is issued; and
• the right of appeal against information, assessment, enforcement or penalty notices (including penalty variations).

Settlement discounts

For the first time, the ICO sets out defined settlement discount ranges when organisations agree to resolve cases early:

• up to 40% if settlement occurs before written representations are submitted;
• up to 30% if settlement occurs after written representations but before the final penalty notice is issued;
• up to 20% if settlement occurs after the final penalty notice.

This reflects the kinds of reductions the ICO has made in recent enforcement matters, where early cooperation and mitigation significantly affected penalty levels.

Why is this important?

The guidance offers organisations a clearer view of how ICO investigations are likely to unfold - including how decisions are made, when engagement opportunities arise, and how settlement may influence penalty outcomes. The potential consolidation of enforcement guidance across regimes could further streamline compliance planning, particularly for organisations subject to overlapping data protection and PECR obligations.

Any practical tips?

The consultation is open until Friday 23 January 2026, and responses can be submitted online, by email or by post. Organisations should consider reviewing the draft guidance and responding where helpful, particularly if:

• you frequently interact with the ICO;
• you want clarity on settlement opportunities or investigative expectations; or
• you have concerns about terminology or practical application of the powers.

 Winter 2025

]]>{C088F0EB-67CA-4DFC-A0F4-68F436EF26D2}https://www.rpclegal.com/snapshots/data-protection/winter-2025/capita-fined-14m-after-cyber-attack-triggered-by-compromised-employee-device/The question

What can businesses learn from Capita’s recent fine about the steps needed to protect personal data?

The key takeaway

A single compromised device can have a major impact across any organisation. In Capita’s case, it led to months of disruption and a significant ICO fine. The ICO’s findings are a useful reminder that effective data security relies on people, processes and technology working together - from helping staff spot suspicious activity, to monitoring systems properly, to carrying out meaningful penetration testing (in Capita's case at a group wide level).

The background

On 22 March 2023, an employee at Capita accidentally downloaded a malicious file onto their work device. Although an alert was triggered quickly, the device was not quarantined for another 58 hours. During this time, attackers gained access to Capita’s systems and extracted almost one terabyte of data (more than 6.6 million records). A few days later, ransomware was deployed, allowing the attackers to reset passwords and block staff from accessing parts of the network. Full restoration of systems took until mid-June 2023.

The development

In April 2025, the ICO informed Capita that it intended to issue fines totalling £45 million for failing to put in place adequate security measures, in breach of Articles 5(1)(f), 32(1) and 32(2) of the UK GDPR. After considering Capita’s representations and the improvements made since the incident, the ICO agreed a reduced penalty of £14 million. Capita accepted the findings, with the fine split between Capita plc (£8 million) and Capita Pensions Solutions Limited (£6 million). The ICO took into account Capita’s steps to support affected individuals, including offering credit monitoring, setting up a dedicated call centre and commissioning dark-web monitoring, as well as its cooperation with regulators and the National Cyber Security Centre.

The ICO concluded that Capita had not implemented appropriate technical and organisational measures, including:

• insufficient safeguards for personal data, particularly special category data;
• poor controls to prevent attackers moving across the network;
• delays in responding to security alerts; and
• a lack of robust penetration testing and risk assessments.

Why is this important?

This case demonstrates that ICO penalties for security failings can be substantial. But beyond the fine, the operational and reputational impacts of a cyber incident can be even more damaging. The ICO’s findings highlight the importance of clear security processes, fast response times and good communication across an organisation.

Any practical tips?

Based on the ICO’s comments, areas to focus on include:

• following NCSC guidance to help identify potential intrusions early;
• monitoring systems closely and acting promptly on alerts;
• sharing penetration-testing results across the business, rather than keeping them within individual teams;
• prioritising investment in essential security controls; and
• reviewing contracts to ensure responsibilities between controllers and processors are clear and up to date. 

Winter 2025

How did the processing activities of Clearview AI (Clearview), a US-based company, come to be caught by the UK GDPR?

The key takeaway

The Upper Tribunal (UT) has held that Clearview’s processing of UK residents’ data falls within the scope of the UK GDPR (and, where relevant, the EU GDPR). It overturned the earlier finding of the First-tier Tribunal (FTT) that Clearview’s activities were outside the material scope of UK data protection law. The UT also confirmed that the ICO had jurisdiction to issue its enforcement notice and monetary penalty. However, the UT did not decide whether the findings or the £7.5 million fine should ultimately stand; instead, it remitted the substantive appeal back to the FTT for reconsideration on the basis that the ICO does have jurisdiction.

The background

Clearview is a US company that collects publicly available images from across the internet to build a large-scale facial recognition database. It provides services to US law-enforcement bodies and to US private-sector clients, some of whom support law-enforcement activities.

In May 2022, following an investigation into Clearview’s handling of UK residents’ personal data, the ICO issued an enforcement notice and a monetary penalty of approximately £7.5 million for breaches of the EU GDPR (pre-Brexit) and the UK GDPR. Clearview appealed the decision to the FTT.

The FTT accepted that Clearview’s activities related to individuals in the UK but held that the GDPRs did not apply because Clearview’s clients were foreign law-enforcement or national-security bodies. It treated the processing as falling within the material-scope exclusion in Article 2(2)(a), significantly limiting the ICO’s ability to act against Clearview.

The development

The ICO appealed the FTT’s jurisdiction decision to the Upper Tribunal. Clearview resisted that appeal and advanced additional arguments to try to uphold the FTT’s approach. The UT overturned key elements of the FTT’s reasoning. In particular, it found that:

• Clearview’s processing falls within the material scope of the UK GDPR, and the FTT had not provided adequate justification for finding otherwise;
• the material-scope exclusion in Article 2(2)(a) GDPR (and the UK equivalent) must be construed narrowly. It concerns the division of responsibilities between the EU and its Member States - not a general exemption for private companies providing services to foreign law-enforcement or national-security bodies;
• while processing by Clearview’s foreign state clients for criminal-law enforcement or national-security purposes would fall outside the scope of the GDPR, the FTT had insufficient evidence to conclude the same for Clearview’s private-sector clients, or for Clearview’s own processing activities;
• Clearview’s own processing amounts to “behavioural monitoring” of UK residents under Article 3(2)(b) UK GDPR. The concept of behavioural monitoring is broad and can cover passive scraping, indexing, sorting and storing of data for potential profiling, even where monitoring is ultimately carried out by others;
• the ICO therefore does have jurisdiction to issue its enforcement notice and monetary penalty.

The UT did not determine whether the ICO’s findings of breach or the level of the fine should stand. It remitted the substantive appeal - covering both liability and penalty - back to the FTT for reconsideration.

Why is this important?

The ruling confirms that overseas companies cannot assume immunity from the UK GDPR merely because their services relate to criminal-law enforcement or national-security organisations abroad. Private-sector providers supporting such organisations must still assess their own exposure under UK GDPR. The judgment also provides important clarification on the narrow reading of Article 2(2)(a) and the broad interpretation of “behavioural monitoring” under Article 3(2)(b) - an area where there was previously no direct UK authority.

At the same time, the ruling highlights the complexities of applying UK data protection law to foreign companies. Even with jurisdiction confirmed, enforcement remains challenging, and the final outcome for Clearview will depend on the FTT’s fresh determination of the ICO’s enforcement action.

For digital platforms and AI businesses in particular, this decision underscores that scraping or aggregating publicly available data about UK users can trigger UK GDPR obligations, even where a business is based entirely overseas and markets its services to non-UK clients. AI and platform companies that collect, classify, embed or profile public data at scale should expect regulators to treat such processing as behavioural monitoring - and therefore within jurisdiction. If your business model involves large datasets, identity tools, computer-vision systems or user-profiling outputs supplied to third parties, this ruling makes the need for territorial-scope assessments more important than ever.

Finally, and topically, recent media reports have suggested that the UK government is considering plans to expand use of facial-recognition technology by UK police forces. If this does come to fruition, demand for service-provider tools (such as scanning, matching, database-hosting, indexing of images) may well rise - likely provided by firms such as Clearview. This ruling makes it clear that these third-party providers cannot assume immunity from UK data protection law.

Any practical tips?

Overseas organisations - particularly those in AI, data analytics, digital platforms or social-media ecosystems - should:

• assess whether their processing of UK residents’ data brings them within the scope of the UK GDPR, even without any UK establishment;
• recognise that private-sector providers do not share the limited immunity available to foreign state authorities;
• ensure that, if they intend to rely on any exclusion linked to law-enforcement or national-security purposes, they can produce sufficient evidence demonstrating the nature of their activities;
• evaluate activities such as scraping, large-scale data aggregation, model training and API-based identity services, all of which may trigger territorial scope and behavioural-monitoring provisions. 

Winter 2025

Explore sections:

Explore sections:

The question

In what circumstances will an exchange consisting of emails and WhatsApp messages and calls between parties be sufficient to create a binding contract, where a formal agreement is anticipated but not yet signed?

The key takeaway

A binding contract can be formed through email and other informal communications if the parties have agreed all essential terms at a high level and intend to be immediately legally bound, regardless of whether a formal contract containing the majority of the details is contemplated but is yet to be drafted or signed. The absence of “subject to contract” language and the parties’ conduct following the communications will be key indicators of their intention.

The background

DAZN, a global sports streaming service, acquired a licence from FIFA to broadcast the FIFA Club World Cup 2025 (CWC). Under the licence, DAZN was authorised to sublicense the broadcasting rights in different territories, subject to certain conditions. Streaming service operator, Coupang, sought co-exclusive live and video on demand broadcasting rights in South Korea for the CWC.

DAZN and Coupang entered into negotiations and representatives of the parties exchanged email, WhatsApp and telephone communications between December 2024 and March 2025. The main issue in the case was whether the parties had entered into a binding contract by way of these communications.

At first instance, the Commercial Court held that a binding contract had been concluded by emails sent on 27 February 2025 and 3 March 2025, as set out below, and granted injunctions to protect Coupang’s position. DAZN appealed.

27 February 2025 email from Coupang to DAZN:

“… the proposal below … captures our intention for acquiring the upcoming FIFA Club World Cup media rights this year.
- Competition: FIFA Club World Cup 2025
- Rights: Live Broadcast rights and VOD rights
- Territory: South Korea
- Exclusivity: Co-exclusive with DAZN
- Financial consideration: USD 1,700,000
We are very excited to land this new deal with you, and eager to move on to the contractual phase, so that we can start planning on content utilisation. We look forward to hearing back from you soon.”

3 March 2025 email from DAZN to Coupang:

“I am pleased to inform you that we will accept Coupang Play’s offer for the FIFA Club World Cup 2025 we will start contract drafting and hope to share the draft for your agreement soon.”

The first ground of appeal by DAZN was that the 27 February email does not amount to a contractual offer because it does not objectively demonstrate an immediate willingness to be legally bound upon acceptance (Ground 1). The second ground is that the 3 March email was not an unqualified acceptance (Ground 2). The third ground is that there was no intention to create legal relations by the exchange of emails because any agreement was subject to contract with the parties anticipating a formal agreement to be drafted and signed (Ground 3). Grounds 4 and 5 sought to challenge the terms of the injunctive relief granted.

The decision

The Court of Appeal dismissed DAZN’s appeal and held that the parties had reached an agreement by which they intended to be immediately and legally bound. In reaching this judgment, the court looked at the parties’ communications as a whole and applied the following legal principles:

• Whether an agreement is legally binding before a formal contract is signed or whether it is “subject to contract” depends on whether the parties have already agreed on all essential terms.
• When interpreting communications between parties, especially in informal or pre-contractual contexts, the focus should be on the overall meaning and intent behind the words, rather than a technical or legalistic analysis of language. The court recognised that business people conducting commercial negotiations will often not use the precision of language of transaction lawyers.
• When parties negotiate in a context of urgency it increases the likelihood that they intend to be legally bound immediately, even if some details are still to be finalised or a formal contract is yet to be signed.

The court focused on the following evidence:

• By 27 February 2025 the parties had reached an agreement in principle on the key terms of the deal, with only the price still to be finalised.
• The 27 February email summarised the deal terms, formalising the parties’ prior informal discussions - an approach Coupang confirmed to the court was standard industry practice. The language used in the email (“proposal… which captures our intention”) was understood to represent Coupang’s offer.
• By 3 March, DAZN had by voice calls and email clearly and formally accepted Coupang’s offer, confirming a binding agreement.
• The subsequent communications between the parties show that both sides thought they had reached a binding agreement.
• Coupang’s conduct following 3 March, particularly their internal communications about commencing marketing before finalising a long-form agreement, supported the view that a binding contract was already in place.

In respect of Ground 1, the court held that the 27 February email was a contractual offer as, despite Coupang’s use of imperfect English, the email clearly conveyed a contractual offer and was treated as one by the recipient. The court found, regarding the use of the term “contractual phase” in the email, that this did not indicate a future stage of negotiation but the phase following the parties’ acceptance of the agreement.

Regarding Ground 2, the court held that the 3 March email was an unqualified acceptance as the words we “will accept Coupang Play’s offer” were unequivocal.

Similarly, in respect of Ground 3 the court held that the drafting of the formal contract was not a necessary prerequisite to being bound by the agreed terms as set out in the 27 February email. This is due to the conduct of the parties and the absence of “subject to contract” language, or an equivalent, in the communications.

Why is this important?

This decision is significant because it highlights the legal risks inherent in commercial negotiations conducted by email and messaging platforms. Parties may inadvertently create binding agreements before a formal contract is signed and with only limited high level terms agreed, particularly where urgency drives negotiations and essential terms are agreed. The case reinforces that courts will look at the substance and context of communications, not just the form, and will give effect to the parties’ intentions as objectively demonstrated. For commercial teams, this underlines the importance of clarity in pre-contractual communications and the need to expressly state when negotiations are “subject to contract” if no binding agreement is intended at that stage.

Any practical tips?

Using WhatsApp is a part of how everyone now operates. Much of the negotiation in this deal was done by WhatsApp messaging and calls – of the 53 key communications listed by the court, 50 were calls or WhatsApp messages including: “Just sent you an email to formalise our acceptance of your proposal for FCWC.” When using informal communications, consider the parties’ communications as a whole, treating WhatsApp as you would emails and formal exchanges ie serving as potential evidence of contract formation. If there is no intention to be bound until a formal contract is signed, consider using “subject to contract” across all communications including in WhatsApp messages.

Conduct informal deal communications with the following in mind: the parties can evidence that they have agreed the “essential terms” by showing that they believe the deal is done and the essential terms agreed. This was said to apply here even though none of the terms around the distribution / technical delivery of the content/rights had been outlined in the written communications. The fact that the WhatsApp messages and calls discussed how the “deal is done”, the commitment to the deal, and the fact that DAZN had previously used short form “binding” heads of terms pending long form contracts, all factored into the court’s reasoning.

Review internal processes to ensure that teams involved in negotiations understand the legal significance of their communications and seek legal input where there is any doubt.

Autumn 2025

The question

In a contract that did not specify the price for a portion of the total volume of goods, how would the court determine whether the contract was a mere unenforceable agreement to agree or whether a term could be implied that, in the absence of agreement, the parties intended for the price to be set by reference to a reasonable or market price?

The key takeaway

In a contract for the sale of goods which stipulated that the price for a portion of the contract volume was an “open price to be fixed”, the courts may be willing to imply a term that, in the absence of agreement, the parties intended for the price to be set by reference to a reasonable or market price where there is supporting evidence that the parties intended to reach a binding agreement on the total volume of product.

The background

KSY Juice Blends UK Limited (KSY) supplies juice products internationally. Citrosuco GMBH (Citrosuco) produces natural orange juice.

KSY entered into a contract with Citrosuco in 2018 to sell orange pulp wash (wesos) that is produced when residue orange pulp is subject to a water extraction process. The parties agreed that a total quantity of 3,600MT of wesos would be delivered across a period of three years, at a notional rate of 1,200MT per year. KSY delivered 400 Metric Tonnes (MT) of wesos to Citrosuco in 2019 which Citrosuco paid for. Citrosuco then declined to take delivery of a further 800 MT by not giving instructions for the delivery of the product. In 2020, KSY delivered 126 MT of wesos – Citrosuco paid for 84 MT but not 42 MT. In September 2020, by letter, KSY terminated the contract alleging that Citrosuco was in repudiatory breach of contract. Citrosuco’s case was that the letter from KSY constituted a repudiatory breach which it accepted on 26 October 2020.

The 2018 contract provided:

“3. Price
Invoicing price is 1.600euro/mt for 60 brix. Price adjustable according to Brix value +- 5 Brix. Free trucks will be offered from the seller according to the agreed volume & price of each year. Calculation basis for the 1.200mt fixed is 1.350 euro/mt which corresponds to the 400mt/year 2019-2020-2021.
…
5. Delivery period:
1.200MT per each year. Deliveries to start January to December with the following split
400mt fixed at 1.350euro/mt - invoicing price is 1600euro/mt. Difference of price in free trucks. 800mt at open price to be fixed latest by December of the previous year. Difference of price in free trucks.”

The contract terms contain two concepts key to calculating price. “Brix” refers to the amount of dissolved solids in a liquid via its specific gravity. It is commonly used in this industry and fixes the price based on an assumption as to the Brix level with an adjustment to reflect the actual level. The concept of “free trucks” is a mechanism used to adjust the price in response to market price fluctuations by providing free product on top of the contracted volume to align the price of goods with current market conditions.

As the contract did not specify the price (an essential element of the contract) for wesos beyond 400 MT per year, the main issue was whether the contract for the sale of wesos beyond 400 MT per year was enforceable or unenforceable as a mere agreement to agree.

The High Court dismissed KSY’s claim (see here) finding that the contract for the balance of 800 MT of wesos per year, which was to be fixed by agreement between the parties, was simply an agreement to agree on the issue of price, which was not enforceable. KSY appealed.

The decision

In its appeal, KSY asserted that the judge had failed to find that, on a true construction of the 2018 contract or by way of an implied term (implied by section 8(2) of the Sale of Goods Act 1979, or otherwise) the parties had agreed that a reasonable, or a market, price was to be paid in relation to 800 MT per year.

The Court of Appeal agreed with KSY, overturning the High Court’s finding. The court rejected Citrosuco’s argument that the contract precluded the application of section 8(2) of the Sale of Goods Act 1979 or to a term being implied at common law, because a true construction of clause 5 of the 2018 contract (“800mt at open price to be fixed…”) meant that the price for the notional 800MT of wesos in each year was to be left to the subsequent agreement of the parties.

Implication of term as to reasonable or market price

The court’s starting point was to consider what the 2018 contract said on the price for 800 MT of Wesos each year. Clause 5 stated merely that it was “open” and was “to be fixed” at the latest by December each year. The contract did not say how this price was to be fixed. This was a volatile market where there was an incentive for the parties to leave some flexibility as to pricing in what was a long-term contract. It was obvious that the parties had been fixing the price by agreement, but that did not prevent the implication of a term that in the absence of reaching agreement the price would be a reasonable or market price.

Whether a term should be implied would be based on whether the parties intended to reach a binding agreement as to the full quantity of Wesos contemplated by the 2018 contract. There were various aspects of the contract that supported this including a fixed term, an agreement to invoice for the full amount and the amount to be supplied being “fixed” at 3600MT, split into 1200MT for each year.

The court found that Citrosuco’s submissions, given in the High Court case, as to the inherent difficulties in identifying a reasonable or market price for wesos had been significantly overstated. In fact, wesos tracked the price of frozen concentrated orange juice (FCOJ) for which there was a functioning market in which the prices at which FCOJ was bought and sold were readily available, and wesos traded at around 70% of the price of FCOJ. In light of this evidence, the difficulties identified did not preclude the parties from having intended to conclude a binding contract on the basis that the price would be fixed by reference to an objectively reasonable price, if necessary by a court, in the absence of agreement. The absence of an arbitration clause was also found not to be particularly significant because the court could itself provide the dispute resolution machinery in the absence of such a clause.

The Court of Appeal concluded that this is a case where a term is to be implied to the effect that the price of wesos, for the balance of 800 MT of wesos per year, was to be fixed in the absence of agreement as a reasonable or market price.

Citrosuco has appealed to the Supreme Court.

Why is this important?

Where a contract expressly states the price for an initial quantity of goods but allows the price for a further portion of goods to be at an “open price to be fixed,” the failure of the contract to specify the price of the further portion creates uncertainty as to whether the contract for the sale of that portion is unenforceable as a mere agreement to agree. This case shows that the contract for the further portion may be held to be enforceable – with the price to be fixed at a reasonable or market price in the absence of an agreement. This is likely to apply only in certain circumstances such as in commercial dealings between parties who are familiar with the trade in question, and particularly where the parties have acted in the belief that they had a binding contract.

Any practical tips?

While a court may, on the particular facts, find a clause on an essential term such as price which is stated to be “fixed by agreement of the parties” to be enforceable, for certainty essential terms such as price should be set out expressly and precisely for all contracted goods and services in the absence of a pricing mechanism elsewhere within the contract.

When flexible pricing mechanisms are in play, consider providing dispute resolution clauses such as an arbitration clause – the presence of an arbitration clause may assist the courts to hold a contract to be sufficiently certain, indicating a commercial and contractual mechanism, which can be operated with the assistance of experts in the field, by which the parties, in the absence of agreement, may resolve their dispute.

Autumn 2025

The question

How will a court determine whether a communication under a contract must comply with a notice clause?

The key takeaway

To ensure specific notification requirements apply, parties should explicitly use the word “notice” and refer to the notice clause contained in the contract. Any exceptions should be agreed upon in advance and clearly carved out in the contract.

The background

Mr Crombie sold his shares in My Online Schooling Ltd (MOS), to Inspired Education Online (Inspired). One of the issues considered by the court concerned the mechanisms under the SPA for determining Mr Crombie’s total consideration, and specifically whether he was deemed to have agreed the completion accounts in accordance with the requirements of the share purchase agreement (SPA).

The SPA contained a completion accounts schedule which enabled the parties to adjust the purchase price after completion of sale of MOS. Under Schedule 7 of the SPA, Inspired was required to prepare and deliver draft completion accounts to Mr Crombie following completion and Mr Crombie was required to “within 20 Business Days... notify ...in writing” [emphasis added] whether he agreed with the draft accounts. If he failed to make “any written notification” [emphasis added] within that time period, the completion accounts would be deemed to have been agreed.

The SPA also contained a notice clause (clause 27.1) which stated that:

“Any notice given to a party under or in connection with this Agreement (unless otherwise expressly provided for in this Agreement) shall be in writing in English and sent to the Party, by a method set out in clause 27.3, at the address or the email address, and for the attention of the contact as set out in the following table.” [emphasis added]

The table referred to set out the contact details for the CEO of Inspired Group. Following completion, Mr Crombie received an email from Ms Stewart (the Vice President of Acquisitions and Business Development) of Inspired attaching a letter enclosing the draft completion account and stating that the accounts were provided pursuant to the relevant clauses of the SPA. Mr Crombie objected to the draft accounts within the agreed timeframe by responding to Ms Stewart by email.

Responding in a letter before action, Inspired alleged that the objection, although within the time period specified by the SPA, was not valid as it was not raised in accordance with the notice clause ie the email should have been sent to Inspired Group’s CEO rather than Ms Stewart. Therefore, the draft completion accounts and purchase price were deemed agreed between the parties.

The key issue on construction in relation to Schedule 7 for the court was whether, objectively construed, the requirement for “notification” was a requirement for notification in accordance with the provisions of clause 27.1 of the SPA, or not.

The decision

The court found that Mr Crombie had validly contested the completion accounts.

By using the words “notify” and “notification”, Schedule 7 envisaged a less formal process than serving “a notice” pursuant to the clause 27.1. If the parties had intended the objection to fall within the strict provisions under the notice clause, they would have used the words “notice” instead and/or expressly referred to the notice clause. The reference to “any written notification” also suggested the parties intended flexibility in how objections could be communicated by Mr Crombie. The addition of the word “any” plainly signalled an intention that there could be a number of ways in which the notification could be given and that it would only be in the event of a failure to make “any” written notification that the deeming provisions would kick in.

The court concluded that, when interpreting Schedule 7, it should use “all the tools of linguistic, contextual, purposive and common sense analysis to discern what it really means”. This included the commercial purpose of the clause ie for the seller to express their objection within a specific time period. It was impractical for either party to require that the objection be communicated to the CEO instead of Ms Stewart, a representative of Inspired who was clearly involved in the acquisition and was the person dealing with the completion accounts.

Why is this important?

The court found, on the construction of this contract and the relevant facts, that this was not a notice provision, but something else. It took a reasonable construction of a widely drafted provision based on the commercial purpose of the clause and what businessmen in the position of the parties would treat as reasonable. It saw no commercial purpose in requiring notification of this type to be provided to the individual identified in clause 27.1 when it could be provided to the buyer’s representative who was obviously involved in the process.

Any practical tips?

Keep in mind the court’s willingness to interpret contractual clauses to align with the commercial objectives and intentions of the contracting parties. Where the parties are looking for specific contractual notification requirements to apply to a particular obligation to notify, use the more formal word “notice” and expressly refer to the notice clause. If not, clear and unambiguous drafting should be used to explicitly carve out less formal communications from the notice clause. Avoid using notice, notify and notification interchangeably.

Autumn 2025

The question

How did the court approach its determination of the scope and extent of express obligations of good faith in the context of a collaboration arrangement?

The key takeaway

When construing the contractual scope of an express good faith obligation, the court will look for contractual constraints that limit the obligation. When considering the requirements of the duty of good faith, the courts will take into account not only whether the parties have acted honestly but also any conduct which would be regarded as commercially unacceptable to reasonable and honest people. It may also take into consideration an obligation to fulfil the bargain made between the parties or to adhere to the spirit of the agreement where the common purpose of the parties is clear from the express or implied terms of the contract.

The background

The dispute arose between two engineering companies, the claimant, Matière SAS (Matière), and the defendant, ABM Precast Solutions Ltd (ABM). The parties sought to bid together for work as a joint venture subcontractor to manufacture, supply and install three “cut and cover” tunnels for the HS2 rail project known as the “Green Tunnels Project”. As part of the joint venture, Matière was tasked with designing the tunnels and co-ordinating their installation and AMB was responsible for manufacturing the tunnels. The main contractor for the Green Tunnels Project was EKJV.

The joint bid to EKJV failed. ABM blamed Matière for this and its position was that Matière acted in breach of good faith during the lengthy and complicated bid process. ABM claimed Matiere undermined ABM’s proposals to EKJV because Matiere hoped to cut out ABM. Its principal claim was for the loss of the chance in winning the bid. Matière’s claim was for unpaid sums due under a Consortium Agreement, the key agreement to the parties’ claims. A second more sophisticated agreement, the Collaboration Agreement, was also relevant. Both agreements contained good faith clauses. Shortly after entering into the Consortium Agreement, EKJV engaged Matière and ABM jointly as “the Consultant” to provide professional services to EKJV. Various provisions of the Consortium Agreement refer to a Professional Services Contract (PSC).

Clause 3.1 of the Consortium Agreement required ABM and Matière to:

“co-operate and collaborate with one another in accordance with the terms of this Agreement and in the course of their performance of their obligations pursuant to any associated PSC each of ABM and Matière shall act in good faith toward the other and use reasonable endeavours to forward the interests of the co-operative enterprise.”

Clause 3.3 of the Collaboration Agreement required ABM and Matière, in the course of their performance of their obligations under the agreement, to:

“act in good faith toward the other and use reasonable endeavours to forward the interests of the Consortium including in relation to bids for Other Projects where the Consortium has agreed to make a bid”.

ABM alleged that Matière breached the good faith clauses through various acts that undermined ABM’s plan to construct a factory at Scunthorpe to manufacture concrete as part of the joint venture bid. ABM also alleged that Matière had given a slide presentation on the Green Tunnels Project to its key competitor, which it claimed was also in breach of clause 3.1 of the Consortium Agreement.

The key issue for the High Court was whether Matière had breached the good faith clauses and, if there was breach, whether Matière’s breach resulted in the failure of the HS2 bid.

The decision

The court confirmed that the core meaning of a duty of good faith is to act honestly and not in a way that would be regarded as “commercially unacceptable” to reasonable and honest people.

The court considered the principles in Re Compound Photonics Group Ltd [2022] EWCA Civ 1371:

• The interpretation of an express good faith clause should be done by reference to the relevant commercial context and the terms of the contract in which the duty is to be found.
• Using cases from other areas of law and commerce that turn on their own particular facts may be of limited value only.
• The obligation of good faith will include the duty to act honestly and may, on the facts, extend to an obligation to fulfil the bargain made between the parties (the concept of “fidelity to the bargain”) or to adhere to the spirit of the agreement where the common purpose of the parties (here the requirement to submit an agreed, joint bid to EKJV) is clear from the express or implied terms of the contract(s).
• In such cases, this extended obligation may include prohibiting cynical reliance on the black letter of the contract or conduct that undermines that bargain.

In light of these principles, the court found that Matière, in undermining the Scunthorpe factory, had breached its good faith obligations under the agreements – on occasion its conduct was either dishonest or commercially unacceptable to reasonable and honest people. Such conduct included Matière going to EKJV without ABM to criticise ABM’s plan to build the Scunthorpe factory and suggesting alternative methods, which it deemed more cost effective. While Matière was not prevented under the agreement from raising concerns about the factory to EKJV, the duty of good faith required Matière not to directly criticise the factory without speaking jointly on behalf of ABM/Matière and to discuss its concerns or criticisms with ABM and not EKJV.

The court was also satisfied that it was evident that the agreements contained an obligation to fulfil the “bargain” made between the parties which was to submit a joint bid (ie one that ABM and Matière were agreed on) to EKJV which complied with the terms of the PSC.

The court commented that Matière had “offended the co-operative enterprise” by engaging in talks with EKJV about reducing ABM’s scope and excluding ABM from the joint venture entirely.

Despite a finding that Matière was in breach of its good faith obligations, the court concluded that Matière’s actions could not be said to have been the effective or dominant cause of the failure of the bid. This was because Matière’s actions in undermining the factory were done in “response to or at the behest of, EKJV and with its encouragement”. Ultimately EKJV had its own concerns with the factory. EKJV was found to be the master in the failure of the factory proposal, while Matière was merely its “servant”.

Why is this important?

The case shows that the courts will not just take honesty into account when construing good faith obligations but may also consider dishonesty, behaviour regarded as commercially unacceptable to reasonable and honest people and any obligation to fulfil the bargain made between the parties or to adhere to the spirit of the agreement where the common purpose of the parties is clear from the terms of the contract.

Any practical tips?

Ensure good faith obligations are clearly defined in the context of the entire contract and the commercial relationship between the parties. Consider whether the duty of good faith will attach to the performance of obligations under the contract or whether it extends to any wider collaboration.

Consider whether the intention is to limit the scope of the obligation to acting with honesty or whether the scope of the obligation is intended to be wider to include co-operation, consultation or not acting in a way that is detrimental to the other.

Autumn 2025

ASA guidance on environmental claims in relation to beauty and cosmetics products

The ASA has published Environmental/Animal Welfare Claims Guidance to marketers, reminding them to ensure that environmental claims, eg “eco-friendly” or “kind to the planet” must be based on the complete life cycle of the product, including manufacture and disposal of the product and its packaging. There was no specific example given in the ASA’s reminder, though they noted that limited claims about a product’s “specific aspects or ingredients” may be acceptable.

CAP News – advice for cruise companies

The ASA/CAP have issued guidance on sustainable cruising to ensure advertising doesn’t come under scrutiny for greenwashing. This follows the recent four ASA rulings against cruise holiday ads which were found to have breached the CAP Code (we set out two of these rulings below). At a high level, they advise using sufficient substantiation, considering the full life cycle of product claims and making the basis of environmental claims clear.

Capgemini report

Capgemini’s Research Institute have released the fourth edition of their “A world in balance“ series. In the report, research found that 62% of consumers believe organisations are engaging in greenwashing which is an increase from the previous 52% in 2024, highlighting the growing distrust amongst consumers. Amongst other interesting insights, their research also found that in 2025, only 59% of the interviewed businesses agreed with the statement that “we follow external guidelines on responsible communication and advertising to avoid greenwashing”. Whilst this figure is up from 54% in 2024, it highlights the potential non-compliance of numerous businesses.

ASA rulings

TravelCircle Ltd t/a Cruise Circle and Sunshine Cruise Holidays Ltd t/a cruise 1st

On 3 September, the ASA upheld two complaints against travel agents Cruise Circle and cruise 1st about claims made related to cruise operator MSC Cruise. Both agents made claims suggesting that choosing MSC’s cruise services offered a “green alternative” for holidaymakers concerned about the environmental impact they cause. Cruise 1st claimed that the cruises were “Powered by LNG, the world’s cleanest marine fuel”, and Cruise Circle claimed that the cruises used “Eco-Friendly LNG Technology” and used “LNG, the world’s cleanest marine fuel”. In both complaints, the agents argued that they had taken the content from third party sources, with cruise 1st pointing to MSC’s official sources.

In Cruise Circle, MSC responded that they had no control over the form of wording travel agents used, and although they had provided a press release to Cruise Circle, the wording used in the agent’s promotion had not come from them. In cruise 1st, MSC also clarified that they did not supply the wording to the agent, which had never appeared in materials MSC used to promote the cruises.

The ASA concluded in both claims that the ads were likely to mislead, as they did not state the basis for the eco-friendly and green claims. The ASA noted in Cruise Circle that LNG was still a fossil fuel, which emitted greenhouse gases when burned so “it was, therefore, unacceptable to make an absolute claim, such as “Eco-friendly” on the basis of its use.” This was echoed in cruise 1st, where the ASA said that the agent “had not provided enough information to contextualise” claims that MSC’s cruises offered a “green alternative”.

Shell Energy UK

The ASA has ruled that a paid-for LinkedIn ad by Shell did not mislead consumers. The LinkedIn ad was a video which included the statements “What connects the Italian sun with bright engineering ideas? Our work with Baker Hughes to help meet their energy needs and decarbonise operations. Discover more at shell.com/progresstogether. Progress together.” The caption of the video stated “Discover the progress we’re making together with Baker Hughes to help reduce their emissions and decarbonise their operations in Italy. Progress happens together.”

The ASA received a complaint alleging that the ad gave a misleading impression of the overall environmental impact of Shell’s business activities.

Shell argued that the services they provide are B2B services and that the ad subject to the complaint was highlighting the support given to a corporate client. Shell emphasised that the ad was also published on LinkedIn, a professional platform and used tags and interest-based targeting tools to ensure the ad was aimed at a relevant subset of people such that the audience was a sophisticated B2B audience with relevant knowledge and experience to understand the wider context of the ad.

Although the ASA found that the targeted audience remained relatively wide and was seen by a general consumer and business audience, they broadly agreed with Shell. In particular, they found that the content of the ad was focused on business solutions which were not available to general consumers and considered the ad to be a B2B marketing communication and therefore likely to be understood as such by its audience. The ASA also found that the audience were unlikely to interpret the message as representative of Shell’s wider consumer facing activity or commentary on its own carbon transition plans. In that sense, the ad made clear that the claims were related to how they were supporting Baker Hughes, the business client, to decarbonise their operations.

Sector-specific updates

Food and drink

Leaft Foods, a New Zealand-based company specialising in plant-based protein solutions, has partnered with Lacto Japan to expand into the Asia Pacific region. Leaft extracts a protein called rubisco from leafy greens and processes into a tasteless protein powder. Per FoodNavigator Asia, Leaft CEO Ross Milne claimed that producing plant-based proteins using their method allows the company to “produce four times more protein per hectare with a 97% reduction in greenhouse gas emissions compared to dairy systems.” The company brought its first consumer product to market this year, and hopes that using rubisco in bakery, dairy alternatives and in nutritional products will build a more “climate-friendly” protein system.

Retail and consumer brands

On 9 September, the European Parliament adopted new measures to reduce waste from food and textiles in the EU. As described in the European Parliament’s press release, the new legislation includes targets to reduce waste by 10% from food processing and manufacturing, and 30% per capita from “retail, restaurants, food services and households”. The targets are to be met on a national level, compared to the waste generated per year on average between 2021 and 2023. Member states will have 20 months to transpose the directive into national legislation after it enters into force and are free to choose how to meet the targets.

Autumn 2025

The question

Can a long-term agreement with no express limit on duration and a unilateral termination clause in favour of one party, be terminable on reasonable notice by the other party?

The key takeaway

While the courts have previously been prepared to imply a right to terminate on reasonable notice, in this case the court relied on construction of terms by looking at the language of the agreement and its context to determine the issue.  Despite the fact that the agreement was one sided, there was no real doubt that the licence agreement would continue unless the licensor chose to terminate it and the licensee did not have a right to terminate on notice.

The background

Dame Zaha Hadid and then on her death, the Zaha Hadid Foundation (the Foundation), licensed various trade marks to Zaha Hadid Limited (the Company).  The Foundation's purpose was to preserve Dame Zaha's work as a renowned architect and the Company was set up to carry out architectural projects.

The trade mark licence, which was of indefinite length, contained a duration and termination clause providing for termination rights solely in favour of the Foundation as licensor.

"12. DURATION AND TERMINATION

12.1 This agreement shall commence on the Effective Date and shall continue indefinitely, unless terminated earlier in accordance with this clause 12.

12.2 The Licensor shall have the right to terminate this agreement on giving the Licensee not less than 3 months' written notice of termination.

[12.3: a termination for breach clause, solely in favour of the Licensor]

The Company sought declarations entitling it to bring the trade mark licence to an end by giving reasonable notice (of 12 months). The Foundation denied that the Company was entitled to serve a termination notice.

The key issues for the court to consider were whether: (1) clause 12.1 should be construed as including a right by either party to terminate the licence on reasonable notice, in addition to the express rights of termination conferred on the Foundation (as licensor) under Clauses 12.2 and 12.3; and (2) whether the agreement as a whole was unlawful as it operated in restraint of trade.

The decision

In considering whether the contract should be construed as being subject to a right to terminate on reasonable notice, the court considered the "modern approach" taken in Virgin Aviation TM Ltd v. Alaska Airlines Inc.[2024] EWCA Civ 622. This was, at least in the first instance, "to seek to read all provisions of the licence together, so as to understand the overall meaning and effect of the contract."

Applying this, the court considered the language of the licence as a whole and then clause 12.  It then moved to take into account the commercial context (as per Wood v Capita Insurance Services Ltd [2017] AC 1173). It was key to construction that the trade marks were a valuable asset to Dame Zaha which she intended to exercise close control over. The language of clause 12 supported the view that it was the parties' intention that the licensor would have wide powers of termination and the licensee would have none. The other clauses in the contact, which the Company criticised as being one-sided, were also found to support the view that it was the intention of the parties for clause 12.1 to confer wide powers exercisable by the Foundation only.

The words of clause 12 reinforced this conclusion – it expressly stated that it would continue indefinitely. While this was one-sided there was no real doubt as to its meaning. The Company's suggestion that the first part of clause 12.1 should be construed as conferring on both parties a right to terminate on reasonable notice was rejected by the court because the licensor did not need such a right. The parties meant the licence to continue unless the licensor chose to terminate it.

The court also looked at the wider commercial context of the agreement and found that, because over time she intended to relinquish control of the Company, it made good sense for Dame Zaha to retain other mechanisms of control over the trade marks (which embodied her life's work) through the agreement. It was natural to conclude that such mechanisms included a unilateral right to terminate the Company's entitlement to the trade marks.

The Company's claim of termination on reasonable notice was dismissed. The court also disagreed with the Company's claim that the licence operated in restraint of trade.

In practical terms, there was no actionable restraint. The one sided nature of the agreement, the indefinite period, an obligation for the Company to "use their best endeavours to promote and expand the supply of Licensed Services throughout the Territory [i.e., the World] on the maximum possible scale," and the Foundation's ability to terminate the licence on 3 months' notice were part of the bargain struck. The various obligations were rationally and commercially defensible and the Company had achieved success regardless. The company wished the terms were more generous, but this did not allow the court to identify a legally relevant restraint.

Why is this important?

This case shows the English courts' reluctance to construe contractual terms to include a right of termination where the language of the agreement indicates that none was intended. Taking a more modern approach, the court focused on the language of the agreement as a whole, then the duration and termination clause. These were considered within the wider commercial context at the time the agreement was entered into.

Any practical tips?

Explicitly incorporate provisions that give effect to the parties' intentions on rights to terminate and the term of the contract. If it is intended that both parties should have a termination right, the contract should expressly say so.

Parties should examine in detail the obligations they are signing up to and consider whether these are appropriate and manageable for the duration of the agreement – a bad bargain struck in an arms' length commercial agreement is unlikely to later successfully engage the doctrine of restraint of trade. 

The question

Following a mapping error that misrepresented the prize won by an online player, how did the court determine the priority, incorporation and enforceability of an online game operator's contract terms to determine the game's correct payout?

The key takeaway

Game operators seeking to rely on their terms and conditions, including clauses that seek to exclude or limit liability, in the event of a game mapping error will need to provide easy navigation of the relevant terms and conditions and game rules and clear signposting of onerous and unusual terms.

The background

Corrine Pearl Durber (the Customer) placed a bet in an online slots game owned and operated by PPB Entertainment Limited (Paddy Power). On spinning the wheel as part of the game play, the game's on-screen animation lit up and informed the Customer that she had won the game's "Monster Jackpot" of £1,097,132.71. Paddy Power, however, only paid out the "Daily Jackpot" of £20,265.14.

The Customer complained about the shortfall. Paddy Power explained that the computer system which ran the game on the site had made an error which resulted in the wrong Jackpot prize being shown on her display. The computer system should have pointed to the Daily Jackpot (which was the correct prize according to the Random Number Generator Software (RNGS) behind the game) but, because it had been mal-programmed, it pointed to the Monster Jackpot instead.

Relying on what she was shown on screen when she won (under the game rules), she brought a claim against Paddy Power, claiming for the difference between the Daily Jackpot, which was credited to her account, and the Monster Jackpot. Paddy Power defended the claim based on the terms and conditions entered into and agreed to by the Customer when registering an account with them in 2011 (the Conditions). Specifically, Paddy Power relied on clauses one and two of Part B of the Conditions (referred to as clauses B1 and B2):

"Random Number Generator

1: You fully accept and agree that random number generator ("RNG") software will determine all outcomes of Games on the Games Website. In the event of a discrepancy between the results displayed on your computer and a Game's records on our server, our records shall be regarded as definitive. [clause B1]

Errors

2: In the event of systems or communications errors relating to the generation of any result, bet settlement or any other element of a Game, we will not be liable to you as a result of any such errors and we reserve the right to void all related bets and plays on the Game in question." [clause B2]

Under clause B1, Paddy Power argued that the results held on the game's server, dictated by the RNGS, prevailed over the prize shown on the Customer's display. They said that the Customer had been the victim of a "mapping error" affecting the animations which misrepresented the prize shown to her on screen. Alternatively, under clause B2, Paddy Power submitted that it was not liable for payment relating to the result displayed on screen in error.

The Customer's position was that the contract arose on the day when she accessed the game; that it included the game rules and that her win was in accordance with the game rules which had priority over clause B1 of the Conditions due to the preamble to Part B which stated: "In the event of any inconsistency between these Conditions, the Terms and Conditions or the Rules, unless otherwise stated, to the extent of the inconsistency, the Rules shall prevail…". She also argued that the contract between the parties included the Conditions but any effect of clauses B1 and B2 was subject to them having been validly incorporated into the contract and being enforceable under the Consumer Rights Act 2015 (the CRA).

In the course of arguments, the Customer highlighted that the Conditions ran to 44 pages of closely typed small print with numerous hyperlinks to other pages. The terms purported to unilaterally place draconian limitations on the relationship and no reasonable consumer could be expected to read and understand the terms, especially the terms relied upon by Paddy Power. The Customer argued that those terms should have been expressly highlighted to the Customer both prior to opening the account and on each subsequent occasion that the Customer utilised the services.

The decision

The court found in favour of the Customer, ordering Paddy Power to pay her the difference between the Daily Jackpot and the Monster Jackpot. The court's approach to construing the contract terms between the Customer and Paddy Power was as follows:

• It looked at the contract in the context of the type of transaction, online gaming, where the only communication between Paddy Power and the Customer was through her computer screen.
• It started with the game rules – having considered the natural meaning of the words in the game rules it then construed them by applying prospective commercial common sense. The court found that an objectively reasonable player with the background knowledge available to the parties at the time of entering the contract would construe the games rules as providing that what determined a win for a player was based on a "what you see is what you get" approach after a spin of the wheel.
• The court did not believe that players would understand that the normal approach is that there would be a secret determination, not shown on screen, which undermined or contradicted what was shown on screen.
• The game rules did not set out any caveat for validation of a player's win after the spin was over nor did they tie winning to any unseen RNGS output, server records or official winnings list to be consulted or checked before a win was determined.
• In addressing the Conditions, the court found clause B1 to be irreconcilable with the game rules. At no point did the game rules state that they were subject to the Conditions and, although clause B1 sought to address discrepancies between on-screen winnings and behind-the-scenes programming, this was not sufficient to supersede the terms of victory as prescribed by the game rules. The court relied on the priority clause in the preamble to Part B of the Conditions which held that the game rules would take precedence where there was inconsistency between the two.
• The court construed the words "systems or communications error" in the exclusion clause, B2, as not covering human error (when human error was found to be the cause of the mal-programming in Paddy Power's software).

The court did not need to go any further on the issues as it had found in favour of the Customer, however it went on to address whether clauses B1 and B2 were incorporated into the contract and were enforceable under the CRA.

On incorporation, it considered whether the clauses were "unusual and onerous" and as such had to be fairly brought to the notice of the consumer. Both clause B1 and B2 were found to be unusual and onerous:

• B1 because the game rules did not state that the displayed jackpot could be inaccurate or was only indicative, nor that the computer records took precedence.
• B2 because it purported to allow Paddy Power to avoid liability: where errors in what was displayed on screen were caused by its own recklessness, or negligence; for several different types of breach of the CRA such as providing digital content which is "fit for its purpose": and for payment of the Monster Jackpot which contradicted the Customer's reasonable expectations under the game rules.

There were a number of reasons given as to how Paddy Power had failed to fairly bring these terms to the notice of the consumer: the clauses were not clearly listed in the index; they were not bold, capitalised or highlighted; clause B2 was not clearly defined as an exclusion clause; both clauses sat in the middle of 45 pages of small text; and neither were referred to on screen at any time the Customer was playing the game.

On enforceability, clause B2 created "a very wide exclusion" entitling Paddy Power to avoid all liability. The court also held that the clauses were contrary to the requirement of good faith under section 62 of the CRA, on the basis they had caused a significant imbalance in the parties' rights and obligations under the contract to the detriment of the consumer.

Why is this important?

While the court confirmed that there is nothing inherently unfair in a clause excluding liability for the excess sums caused by displayed wins which are actually losses under the games rules/wider contract due to a specified no fault error, the case shows that game operators seeking to rely on often complicated contractual setups that make it difficult to signpost key terms, can face significant challenges in avoiding liability for game errors.

Any practical tips?

When seeking to rely on unusual or onerous clauses, ensure that they are clearly brought to the consumer's attention. Think highlighting, capitalisation and front and centre. Consider whether the clauses are transparent and fair, as those considerations increasingly take front of stage in a growing body of consumer-focused legislation and case law.

Where a contract is complex and contains clauses detrimental to the consumer (e.g. potentially depriving them of a large cash prize) ensure consistency within the document and across multiple documents and clarity in drafting key terms such as here, the error clause.

For long term contracts such as this one, involving game play over many years, periodically check the customer's journey through (inevitably) multiple hyperlinking documents. Check that the customer can navigate easily to key documents and terms and that the website's setup allows them to understand the full scope of the terms which govern the contract. When terms of use are materially amended consider how best this can be communicated to the customer such by use of pop-up messages at login requiring customers to click their agreement.

The question

Will the courts limit their interpretation of s.1(1)(a) of the Contracts (Rights of Third Parties) Act 1999 (C(RTP)A) only to the enforcement of a term purporting to benefit that third party?

The key takeaway

A third party may enforce the terms of a contract pursuant to s.1(1)(a) of C(RTP)A if it is expressly provided that the third party may so enforce, even in circumstances where no benefit is conferred on the third party.

The background

HNW Lending (HNW), an FCA authorised peer-to-peer lender, acted as a security agent to facilitate a loan of £1.52m from various undisclosed lenders to Ms Lawrence, a property developer. The loan was secured by charges against properties owned by Lawrence, including a first charge registered against a property in Epsom (the Property).

On expiry of the term of the loan, HNW sought possession of the Property and claimed for payment of outstanding sums due under the loan agreement. Lawrence sought to strike out HNW's claim, alleging that HNW lacked standing to bring a claim as it was neither a party to the agreement, nor did the agreement confer any benefit to HNW as required by the Contracts (Rights of Third Parties) Act 1999 (C(RTP)A).

The agreement stated that it was made between Lawrence and “the Lender (acting by HNW Lending Limited (as Security Agent)”. The lender was not named in the agreement but was identified in the schedule by the number “1” and was described as “a person … who lends money through HNW Lending Limited who has granted permission for ‘HNW Lending Limited to act as their Security Agent in entering into and administering this loan to the Borrower.”

On the key issue of whether HNW had standing to bring the claim under the loan agreement, the court considered clause 26.7 of the agreement:

"the Borrower and Lender agree that, while HNW Lending Limited is not a party to this Loan Agreement, HNW Lending Limited may take the benefit of and specifically enforce each express term of this Loan Agreement and any term implied under it pursuant to the Contracts (Rights of Third Parties) Act 1999." [emphasis added]

The decision

The critical issue for the court concerned the interpretation of C(RTP)A, s.1(1)(a):

“1. Right of third party to enforce contractual term

(1) Subject to the provisions of this Act, a person who is not a party to a contract (a 'third party') may in his own right enforce a term of the contract if

(a) the contract expressly provides that he may, or

(b) subject to subsection (2), the term purports to confer a benefit on him.”

The court noted that:

• clause 26.7 appears to have been drafted with C(RTP)A in mind and with the intention of conferring on HNW equivalent rights to those of the lender, enabling HNW to enforce obligations owed to and benefitting the lender;
• there is little case law on the scope of C(RTP)A, s.1(1);
• the example given in Chitty on Contracts (35th Edition) on s.1(1)(a), of one contracting party (A) promising to the other (B) to pay £1,000 to a third party (C) and the contract going on to provide that C is to be entitled to enforce the term containing this promise, was materially different from what the parties appear to have had in mind in the present case which on its facts contained no promise made by Lawrence to the lender to pay anything to, or otherwise benefit, HNW.

In its judgment, the court concluded that s.1(1)(a) was not limited to the enforcement by a third party of a term purporting to benefit them – this was specifically addressed by section 1(1)(b). Therefore, it was sufficient that the agreement expressly provided that a third party may enforce the term, which in this case was satisfied by clause 26.7 of the loan agreement. Alternatively, clause 26.7 was effective pursuant to section 1(1)(b) to effectively confer the lender's benefit of all the express and implied terms of the agreement on HNW because it expressly provided that “HNW Lending Limited may take the benefit of and specifically enforce each expressed term of this loan agreement and any term implied under it”.

The court added that its construction of clause 26.7 gave effect to the parties’ contractual provisions, whereas Lawrence's position would have rendered part of them "otiose".

Note that permission to appeal (and a stay of the enforcement of HNW's claim) was granted as the court acknowledged it had reached a different conclusion to a previous county court decision relied on by Lawrence. In that case, the judge held that the terms of a different loan agreement on materially the same terms could not be enforced by HNW.

Why is this important?

This decision provides a rare authority on the scope of C(RTP)A, s.1(1), giving a broader interpretation of the section than in the example provided in Chitty on Contracts, a resource often relied on by transactional lawyers in the absence of legal authority. The decision reaffirms the court’s willingness to, whenever possible, give effect to the express terms agreed to by the parties.

Any practical tips?

Take into account that where there is express wording permitting it to do so, a third party may be able to enforce the contract in circumstances where they do not receive a direct benefit from it. Consider expressly providing that some terms or all of them are unenforceable by a non-party, negating the contractual intention necessary to create an enforceable right under C(RTP)A.

Ensure that all parties to the contract, and any relevant third parties, are clearly defined, to avoid confusion – particularly in arrangements where agents / intermediaries are involved.

The question

Did the language of a clause dealing with "delays due to contractor default" have the effect of making it a condition precedent to recovering delay payments that the customer promptly issue a non-conformance report?

The key takeaway

The case shows how important it is to ensure that a condition precedent contains clear and precise wording designed to show it is meant to have a conditional effect.

The background

The Disclosure and Barring Service (DBS), and tech company Tata Consultancy Services Ltd (TCS) entered into an agreement for TCS to take over the manually intensive business-as-usual Disclosure and Barring processes, while building a new system to modernise and replace the previous regime with a digital one.  The project did not go to plan and each party blamed the other for significant delays. In addition, DBS alleged that, upon going live, the project suffered from serious defects.

TCS brought a claim against DBS for just under £125m for their losses said to be caused by DBS’s breaches of the agreement. DBS brought a counterclaim of over £100m. The High Court concluded that a net sum of just under £5m was payable by DBS to TCS (see our 2024 Summer Snapshots edition for the High Court judgment). 

DBS sought permission to appeal on two grounds. The first concerned clause 6.1 of the agreement and whether this created a condition precedent, breach of which prevented DBS from being able to recover £1.592m in delay payments (pursuant to clause 6.2.3). The High Court found that DBS's right to claim delay payments pursuant to clause 6.2.3 was conditional on DBS's compliance with clause 6.1. DBS's claim was rejected by the High Court because DBS had not complied with clause 6.1 by failing to serve any non-conformance reports (NCRs).

The second ground was concerned with the calculation of the Volume Based Service Charges (“VBSC”), however the judge concluded that DBS had no real prospect of success on this issue.

The appeal was concerned solely with the proper construction of clause 6.1 of the agreement, which states:

“If a Deliverable does not satisfy the Acceptance Test Success Criteria and/or a Milestone is not Achieved due to the CONTRACTOR’s Default, the AUTHORITY shall promptly issue a Non-conformance Report to the CONTRACTOR categorising the Test Issues as described in the Testing Procedures or setting out in detail the non-conformities of the Deliverable where no Testing has taken place, including any other reasons for the relevant Milestone not being Achieved and the consequential impact on any other Milestones. The AUTHORITY will then have the options set out in clause 6.2."

The decision

The Court of Appeal first identified the following key general principles from the main authorities on conditions precedent:

• whether or not a party must comply with one or more stated requirements before being entitled to relief will turn on the precise words used, set within their contractual context;
• to be framed as a condition precedent, a clause needs something that makes the relief conditional upon the requirement;
• a condition precedent must be expressed clearly, but it is not necessary for the clause to state “this is a condition precedent”;
• in addition to conditionality, the link between the two steps should be expressed as an obligation (ie shall) but that will not on its own be sufficient to amount to a condition precedent;
• it is not necessary for the step one condition to be expressed as a number of days or weeks. More flexible periods such as “timely” and “within a reasonable time” are sufficient.

The Court of Appeal then applied the words of clause 6.1 in their context, finding that the words of clause 6.1:

• when seen in their context, were clear: on the occurrence of one or both of two different events ("if"), DBS "shall promptly issue" an NCR;
• made plain that the NCR was not just a procedural box-ticking exercise. It required categorisation of test issues, or the setting out of the non-conformities of the deliverable including reasons for the relevant milestone not being achieved and the consequential impact on any other milestone. It went on to state that DBS would then have the options set out in clause 6.2, one of which (clause 6.2.3) was to require delay payments;

The words in clause 6.1 therefore meant that, on the happening of one or both of events specified, a detailed NCR must be provided promptly by DBS and only then could the clause 6.2 options, including the imposition of delay payments, be exercised.

The clause was therefore a condition precedent, and DBS's failure to comply, by failing to provide any NCRs at all, meant that they were not entitled to exercise the option at clause 6.2.3.

Why is this important?

This case confirms that clear language in the clause itself (use of the words "if" and "then" in the clause in question created conditionality) and the need to consider the relevant clause in relation to the contract as a whole are key to court's interpretation of whether a clause is a condition precedent.

Any practical tips?

Consider utilising the Court of Appeal's key principles as a mini checklist when drafting a condition precedent clause: use clear words to indicate this is a condition precedent (though no need to use the actual words "this is a condition precedent"), clarify through precise words what requirements a party must comply with before being entitled to relief, make sure the clause contains something that makes the relief conditional upon the requirement, use the word "shall" or similar (avoiding the word "may") to express the link between the two steps as an "obligation", and consider providing a deadline for completion of the step one condition (though "within a reasonable time", or in this clause "promptly" is also likely to be sufficient).

Explore sections:

The question

Is the use of a “thumbs up” 👍 emoji sufficient to convey acceptance when forming general commercial contracts?

The key takeaway

A Canadian court found that a party can he held to have approved a contract using a thumbs up emoji where, in the context of the complete factual matrix of the surrounding circumstances, the parties had displayed an objective intention to enter into a contract.

The background

Achter Land & Cattle Ltd (ALC) and South West Terminal Ltd (SWT) were in dispute as to whether they were parties to an enforceable agreement relating to the sale of grain. The putative contract was said by SWT to have been formed out of an exchange of two text messages. In the first, an employee of SWT sent to Chris Achter, of ALC, a picture of the front page of a proposed agreement with the accompanying words “Please confirm flax contract”. Mr Achter replied to that message with a thumbs up emoji but with no other accompanying words or symbols.

SWT brought proceedings to enforce the contract it says was formed by this exchange (which we previously reported on here). ALC’s position was that there was no agreement but, if one existed, it was unenforceable because of the Canadian Sale of Goods Act (CSGA) which provides that a contract for the sale of goods of the value of $50 or more “shall not be enforceable by action” unless there is part performance of it or “unless some note or memorandum in writing of the contract is made and signed by the party to be charged or his agent in that behalf”.

The decision

The critical issues for the Canadian Court of Appeal were whether:

• the parties had entered into a contract
• the exchanged text messages met the requirement for there to be “some note or memorandum in writing of the contract” within the meaning of the CSGA
• the text message with the thumbs up emoji met the requirement that a contract be “signed by the party to be charged or his agent” within the meaning of the CSGA
• This analysis focuses on point 1: had the parties entered into a contract?

Intent to contract

The Canadian Court of Appeal considered the lower court’s reasoning. The lower court had identified the test for agreement to contract under Canadian law, as “whether the parties have indicated to the outside world, in the form of the objective reasonable bystander, their intention to contract and the terms of such contract”. It had examined the history of the parties’ dealings with each other, the circumstances surrounding their communications including the other instances where the contracts for the sale of grain had been entered into by them through the exchange of text messages and informal words (“looks good”, “ok” and “yup”), and their conduct after the date of the thumbs up emoji exchange.

The Court of Appeal did not agree with ALC’s arguments that Mr Achter had by use of the emoji only intended to communicate receipt of the agreement, or that there is inherent ambiguity in a thumbs up emoji. It reasoned that there was quite a difference between saying that a communication – whether it be by word, gesture or symbol – does not bear a universal meaning and, asserting that it is incapable of having a particular meaning ascribed to it in a specific circumstance. In this case the judge had been careful to consider only how an objective observer, who was aware of the relevant circumstances in this case, would interpret the text message and, in particular, if that observer would conclude that an agreement was intended and reached.

The Court of Appeal emphasised that it was important not just to focus on the words themselves but to consider the factual matrix and the surrounding circumstances to determine the meaning of the non-verbal, electronic communication of the kind at issue in the case. It concluded that the judge did not err in finding that ALC and SWT intended to enter into a contract when Mr. Achter replied to Mr. SWT employee’s texts with a thumbs up emoji.

Agreement on the essential terms of the contract

ALC argued that, even if a mutual intent to enter a binding agreement existed, the parties had failed to agree on the essential terms of the contract. An example was that the parties had stipulated delivery dates using the month “Nov” and not the year. Another was that the text message contained a photograph of only the face page of the two-sided contract form and not its reverse. These arguments were also unsuccessful.

The Court of Appeal determined the parties’ intentions based on the words they used in the context of the relevant circumstances surrounding the making of the contract. The parties’ previous dealings would lead them to understand that “Nov” referred to “Nov 2021” and previous contracts had repeatedly set out the same standard terms and conditions. The Court of Appeal found there had been agreement on the essential terms of the contract.

Another UK case of interest

In the UK, in Southeaster Maritime Ltd v Trafigura [2024] an issue was highlighted as to the effect of a message sent by WhatsApp. More widely, the case concerned whether or not the parties had concluded a charterparty agreement during negotiations. The judge in that case reasoned that just because a message came via WhatsApp it did not mean it should be disregarded or treated as less significant than a message sent by email.

Why is this important?

This Canadian case, non-binding in the UK of course, has attracted international attention and serves to show the considerations a UK court may take into account when considering whether use of a thumbs up emoji could amount to valid acceptance of a contract. These two cases also demonstrate the progression of the courts to accept more informal communications as being capable of forming binding contracts.

Any practical tips?

When conducting contract negotiations via text or WhatsApp ensure that in light of the circumstances surrounding the agreement, such as prior discussions and conduct relating to past contracts, informal language or an emoji is not being used in such a way as to inadvertently bind the parties to a contract.

Use of emojis (thumbs up, fist bump and handshake) have the potential to bring ambiguity to commercial contracts and communications. Where emojis are being used, it is important to ensure that the meaning of an emoji and its purpose is clearly understood by all parties.

Spring 2025

The question

How did the Court of Appeal approach the construction of an exclusion clause to determine whether the Claimant’s financial claim for breach of an exclusivity provision was properly described as a claim for “anticipated profits” and as such was excluded by that clause?

The key takeaway

In line with the ruling in the High Court and a number of recent cases, the Court of Appeal decision shows that parties cannot avoid express wording contained in exclusion clauses to recover losses expressly excluded. The language of the contract and the context are key for the construction. A party wishing to narrow the meaning of an exclusion clause should do so explicitly.

The background

Virgin Mobile Telecoms (Virgin Mobile) contracted with EE to use, exclusively, the EE network to provide Virgin Mobile’s customers with 2G 3G and 4G mobile services. Other than in certain limited circumstances, the liability clauses in the contract expressly excluded liability for “anticipated profits”.

The initial arrangement did not make provision for 5G services, but it was added subsequently, and the contract was amended. The amendment provided for potential agreement between EE and Virgin Mobile for provision of 5G services using EE networks. In the absence of an agreement regarding 5G services, Virgin Mobile would be entitled to provide 5G services to its customers sourced from an alternative supplier, and could also then switch that customer’s 2G, 3G, and 4G services to that alternative operator.

Following the absence of an agreement for 5G services with EE (ie only the potential to agree), Virgin Mobile entered into an agreement with Vodafone for the supply of 5G services. It then migrated non-5G customers (ie with only 2G, 3G and 4G/LTE services) over. EE considered that by doing so Virgin Mobile had breached the exclusivity clause and issued proceedings, claiming damages representing the revenue that EE would otherwise have received from Virgin Mobile for the 2G-4G services that each of Virgin Mobile’s customers would have consumed had they remained or been added to the EE network rather than migrated or added to the Vodafone network.

Virgin Mobile subsequently applied for strike out and/or reverse summary judgment of EE’s claim in the High Court (which we previously reported on here). Their main argument was that, regardless of whether a breach occurred (which Virgin Mobile denied), the claimed losses fell within the clear and natural meaning of the words “anticipated profits” in the exclusion clause:

34.4 Neither Party shall be liable to the other for any loss which is not directly foreseeable or which does not arise directly from the performance of this Agreement and thus neither Party shall be liable for any indirect or consequential or special or incidental loss whatsoever.

34.5 Except for any damages claims by VM pursuant to Clause 34.2(c), to which Clause 34.3 applies (which EE acknowledges may include claims of damages for loss of profits), and for no other damage claims whatsoever, neither Party shall have liability to the other in respect of:
(a) anticipated profits, or

(b) anticipated savings.

The High Court decided that given the clear and unambiguous language, EE’s damages claim for the unlawful diversion of its customers to alternative networks fell within the exclusion clause. The meaning of “anticipated profits” operated to exclude damages claims for loss of profits of any kind which it was foreseeable would be made by either party. There was no difference between “anticipated profits” and “lost profits” – reinforced by the fact that clause 34.5 used the phrases interchangeably, in carving out claims by Virgin Mobile brought under clause 34.2(c).

The judge had looked at the natural meaning of the words and based her reasoning on the fact that: the agreement was a bespoke, lengthy and detailed contract; detailed consideration had gone into the risks and rewards of each party; clause 34 itself was a detailed regime including a liability cap and various exclusions of liability, clearly intended to form part of the risk allocation exercise between the parties; and the clause applied equally to both parties, except for specific carve-outs in relation to the specific claims by VM identified within clause 34.

On appeal, EE asked the court to reverse the High Court decision, claiming that the judge had mischaracterised the claim as one for lost profits. Instead, the clause was one for diminution in price and in any event the judge had wrongly construed the clause so as to exclude EE’s claim.

The decision

The key issue for the Court of Appeal was whether a claim for loss of anticipated profits meant, under the exclusion clause, a claim for something other than expectation loss ie a claim for profits earned outside the contract.

The court stated that there was no general legal principle limiting the exclusion of liability for loss of anticipated profits to losses other than expectation loss or diminution in price. While some case law found that such claims were excluded, others did not. Therefore, the court held that existing case law provided little assistance and each exclusion clause should be constructed on its own terms and context.

On its construction of the clause, the court found that:

• the wording of the exclusion in this case was clear and unequivocal; the phrase “anticipated profits” was used interchangeably with loss of profits, and the clause was part of a lengthy contract drafted with the assistance of legal advice on both sides, involving a careful allocation of risk for both parties
• clauses 34.4 and 34.5 were intended to be read cumulatively, with the result that liability for anticipated profits was intended to mean something wider than loss that did not arise directly from the performance of the agreement. If the parties had intended “anticipated profits” to cover only direct loss of profit claims that did not fall within the ambit of expectation loss, they would have stated this specifically
• clause 34.5 had to be read with regards to the range of its possible applications at the time the agreement was made. Other potential remedies were not excluded, including injunctive relief, though they might not be available based on these particular facts/claim, and any claim EE might have had for wasted expenditure was not excluded.

The Court of Appeal dismissed the appeal on the basis that EE’s claim fell within the exclusion clause.

Why is this important?

The Court approached the interpretation of the contract by taking a relatively forensic approach to the exclusion clause wording decided on by the parties in the context of the wider agreement. This shows the importance of using precise words and consistent terminology when drafting exclusion clauses.

Any practical tips?

In light of the courts’ continuing willingness to construe the words of an exclusion clause so as to recognise that commercial parties are free to make their own bargains and allocate risks as they think fit, ensure clear wording and consistent terminology is used in drafting exclusions, taking into account the context of the wider agreement and background facts.

Consider using explicit wording to reflect whether the exclusion clause excludes liability for losses that go to the heart of the contract.

In this case the court decided that “anticipated profits” was used within clause 34.5 interchangeably with “loss of profits.” Aim for consistency across the contract when using these, or similar, phrases.

If it is intended that certain losses should not be excluded, the inclusion of a non-exhaustive list of recoverable losses could provide guidance and avoid uncertainty.

Spring 2025