CMA guidance on complying with consumer law when using AI agents

Published on 11 June 2026

The question

What does the Competition and Markets Authority (CMA) guidance on complying with consumer laws when using AI agents mean for businesses using AI in consumer-facing journeys?

The key takeaway

The new guidance confirms that existing consumer law applies in the same way whether a consumer is engaging with a human or an AI agent. In this regard, businesses are responsible for the actions of their AI agents in the same way as they are for their human agents. Although it is not legally binding, the guidance provides a useful starting point for understanding the CMA's expectations for businesses' compliance with consumer protection obligations in AI-consumer interactions, particularly when exercising its enforcement powers under the Digital Markets, Competition and Consumers Act 2024 (DMCCA). The core expectations set out in the guidance include: clear disclosure, proper training and testing, ongoing monitoring and prompt refinement where issues arise.

The background

On 9 March 2026, the CMA published guidance for complying with consumer law when using AI agents. It is aimed at businesses using agentic AI to interact with customers, including to provide services, handle queries, process refunds and manage marketing campaigns. Alongside the guidance, the CMA has also published a research paper exploring how agentic AI could affect consumers' lives, how the law applies, and what businesses should do to mitigate risk.

The development

The central message of the guidance is that the same consumer law obligations apply whether a consumer interacts with a human or AI agent. Businesses remain fully responsible for any breaches caused by their AI agents, just as they are responsible for the actions of their employees. This applies even where the AI agent has been designed, supplied or operated by a third-party provider. The guidance sets out the following expectations:

Disclosure: If the use of AI may affect a consumer’s decision-making, businesses should be transparent about it. This includes:

  • clearly labelling when a consumer is interacting with an AI agent;
  • not giving the misleading impression that a service is being provided by a person;
  • not overstating the role, capabilities or limitations of the AI in the service being provided.

Training and testing: AI agents should be trained to comply with consumer law before they are used in live customer journeys. This includes:

  • ensuring that the agent is trained on relevant, accurate and up-to-date materials;
  • building in rules so that the agent respects consumers’ statutory and contractual rights, avoids misleading statements and obtains any necessary consents; and
  • testing the agent across different scenarios, including through A/B testing and unit testing.

Monitoring: Businesses should regularly check whether AI agents are delivering the right results, behaving as intended and complying with consumer law. The guidance specifically flags the risk of hallucinated or inaccurate results and expects appropriate human oversight to check decisions and customer-facing outputs.

Refinement: Where an AI agent is producing non-compliant or potentially non-compliant outcomes, businesses should act quickly to address the issue. This is especially important where the AI agent interacts with large numbers of consumers or where vulnerable customers may be affected. The guidance provides examples of how these principles apply to AI agents used for marketing, refund processing, customer service and provision of services.

Why is this important?

This guidance is the CMA's clearest articulation to date of how consumer law applies to AI-consumer interactions. It sits within the strengthened regime introduced by the DMCCA, under which the CMA can enforce consumer protection law directly and fine businesses up to £300,000 or 10% of global annual turnover (if higher) for breaches. To manage risk exposure, businesses are advised to engage meaningfully with the recommendations.

In practice, the guidance casts a wide net: any business using AI agents in consumer-facing contexts may be caught by it. Liability is not limited to AI developers, as businesses remain responsible for the AI agents they deploy, even when the underlying system is procured from a third party.

Businesses most likely to be affected are those whose customer relationships are managed partly or largely online, especially where they involve chatbots, digital sales channels, personalised consumer journeys or automated decision-making processes. This may include retailers, online marketplaces, travel and leisure providers, subscription services, telecoms companies, utilities, financial services providers, insurers, healthcare and wellness platforms.

Any practical tips?

Businesses should consider the following:

  • reviewing existing and future procurement arrangements, including their contracts, with AI agent suppliers to assess whether they adequately support consumer law compliance;
  • ensuring that consumer touchpoints involving AI are clearly disclosed and labelled, and that the surrounding choice architecture and interaction designs are compliant and not misleading;
  • embedding consumer law compliance at the design and development stage, including through training data, prompts, guardrails, scenario testing and edge-case review before deployment; and
  • maintaining human oversight after launch, including by monitoring outputs, consumer interactions, complaints and feedback, and ensuring issues can be escalated and remediated quickly where they arise.

Summer 2026
