On March 9, 2026, the UK Competition and Markets Authority published guidance titled โComplying with consumer law when using AI agentsโ โ the first document from a major consumer protection authority anywhere in the world to specifically address the legal obligations of businesses deploying autonomous AI agents in consumer-facing contexts.
The guidance is not aspirational. It is grounded in existing UK law โ the Consumer Rights Act 2015 and the Digital Markets, Competition and Consumers Act 2024 (DMCCA) โ and backed by enforcement authority that includes fines of up to 10% of global annual turnover for breaches.
For any organization that is deploying, or planning to deploy, AI agents to interact with consumers, process transactions, handle complaints, or make decisions that affect consumers, the CMAโs guidance establishes the compliance baseline they must meet.
What Agentic AI Is and Why It Creates New Legal Questions
An โAI agentโ in the regulatory sense is an AI system that can autonomously take actions โ browsing websites, placing orders, managing bookings, negotiating terms, executing transactions, handling customer service โ on behalf of a human user, without requiring explicit human approval for each individual action.
This is distinct from a conversational AI chatbot that answers questions or from an AI system that makes recommendations a human then acts on. An AI agent acts: it takes steps in the real world, often at speed and scale that no human supervisor can keep pace with, and those actions have legal consequences.
The legal questions this raises are significant:
- When an AI agent places an order on behalf of a consumer, who has contracted with the seller โ the consumer, the AI, or the business that deployed the AI?
- When an AI agent provides inaccurate pricing information and a consumer relies on it, who is liable for the misrepresentation?
- When an AI agent engages in an aggressive sales practice โ using personalization or behavioral data to exploit a consumerโs preferences โ does that constitute an unfair commercial practice under consumer protection law?
- If an AI agent creates a contractual term that would be unenforceable under the Consumer Rights Act, does the contract still bind the consumer?
These are not hypothetical questions. They are live legal issues that are arising as agentic AI systems are deployed in retail, financial services, travel booking, insurance, and other consumer markets.
The CMAโs March 2026 guidance addresses them directly.
The Four Principles
The CMAโs guidance is built on four principles that are presented as practical extensions of existing consumer protection law โ not new obligations, but existing obligations applied to a new operational context.
Principle 1: Transparency
Consumers must not be misled about whether they are dealing with an AI agent or about what that agent can and cannot do.
This principle has two dimensions.
Identity disclosure. If a consumer is interacting with an AI agent, they must know they are interacting with an AI agent. Presenting an AI agent as a human representative, allowing an AI agent to imply human qualities it does not have, or otherwise obscuring the AI nature of the interaction is a misleading commercial practice under the Consumer Protection from Unfair Trading Regulations โ now consolidated in the DMCCA โ and therefore an actionable breach.
Capability disclosure. Consumers must be accurately informed about what the AI agent can do, what it cannot do, and what limitations apply to its authority or knowledge. An AI agent deployed to handle refund requests must not represent that it has authority it lacks. An AI agent that draws on a training data cutoff must not represent current prices, availability, or terms that may have changed since that cutoff.
The transparency principle also applies to AI agents that operate on behalf of consumers rather than businesses. If a consumer uses an AI shopping agent to search for the best deal, that agent must not be configured โ by any party โ to steer the consumer toward particular outcomes through manipulation or misrepresentation.
Principle 2: Compliance by Design
Businesses deploying AI agents in consumer-facing contexts must train and configure those agents to comply with consumer protection law from the point of deployment. The CMAโs guidance makes clear that this is a design obligation, not a monitoring obligation alone.
What this means in practice:
Unfair contract terms. An AI agent operating in a negotiation or contracting context must not generate contract terms that would be unfair under the Consumer Rights Act 2015. This requires that the AI agentโs outputs are tested and constrained to avoid terms that lack transparency, create significant imbalances, or contradict the consumerโs reasonable expectations.
Misleading commercial practices. An AI agent must not make false statements, omit material information, or create misleading impressions about the nature of a product, its price, or the businessโs identity. This obligation extends to AI-generated marketing content, pricing displays, and product descriptions.
Aggressive commercial practices. An AI agent must not engage in aggressive commercial practices โ harassment, coercion, undue influence, or exploitation of a consumerโs specific vulnerability โ even if such practices emerge from the agentโs optimization toward conversion or engagement metrics. An AI agent that learns to exploit behavioral signals to pressure consumers into purchases is engaging in an aggressive commercial practice whether or not a human directed it to do so.
Accurate cancellation rights and complaint procedures. If consumers have cancellation rights or complaint procedures โ and they do, under the Consumer Rights Act โ an AI agent handling purchases or service agreements must provide accurate information about those rights, not minimize or obscure them.
Principle 3: Human Oversight
Deploying an AI agent is not a โset and forgetโ exercise. Businesses remain responsible for ongoing oversight of what their AI agents do.
The CMAโs guidance frames this as an operational governance obligation: businesses must be able to monitor their AI agentsโ interactions, detect problems, and intervene. An AI agent that is deployed and then operates unsupervised โ with no mechanism for the business to identify problematic behavior, no audit log of interactions, no escalation pathway for edge cases โ does not meet the human oversight standard.
This principle has particular relevance for AI agents that operate at scale. An AI agent handling thousands of consumer interactions simultaneously can propagate a systematic error or a misleading representation across thousands of transactions in the time it takes a human supervisor to notice a single anomaly. The oversight infrastructure must be commensurate with the operational scale.
The guidance also addresses the businessโs responsibility when AI agents are provided by third parties. A business that deploys a third-party AI agent in its consumer-facing operations is responsible for that agentโs compliance with consumer law โ the same way it would be responsible for the actions of a contracted human customer service team. The vendor relationship does not transfer the compliance obligation.
Principle 4: Swift Remediation
Given the scale at which AI agents can operate, the CMAโs guidance emphasizes the importance of rapid response when problems are identified. An AI agent that has been providing incorrect information or engaging in non-compliant practices may have affected thousands or millions of consumers by the time the problem is detected.
Swift remediation means: when a compliance problem is identified, it must be addressed immediately โ not at the next scheduled review cycle, not after internal sign-off processes that take weeks. The guidance implies that businesses deploying AI agents must have pre-authorized remediation playbooks that allow immediate intervention.
Swift remediation also means: affected consumers must be identified and, where possible, the harm must be corrected. An AI agent that placed orders on behalf of consumers based on incorrect pricing information has created contractual obligations that may need to be unwound. An AI agent that provided misleading information about product terms may have affected consumer decisions that need to be remediated.
Enforcement: DMCCA and CMA Powers
The CMAโs guidance derives enforcement authority from the Digital Markets, Competition and Consumers Act 2024, which came into force in stages through 2025 and 2026.
Under the DMCCA, the CMA has direct enforcement power to investigate breaches of consumer protection law and impose fines of up to 10% of a companyโs global annual turnover without needing to go to court. This is a significant expansion of the CMAโs previous enforcement authority, which required court proceedings for most consumer protection enforcement actions.
The 10% global turnover ceiling aligns the DMCCA consumer protection fines with GDPRโs maximum fine level. For a company with ยฃ1 billion in global revenue, a DMCCA breach carries a potential fine exposure of ยฃ100 million.
The CMAโs agentic AI guidance published March 9 is precisely the kind of guidance that precedes enforcement action. Regulators typically publish guidance before bringing enforcement cases on novel issues โ the guidance establishes that organizations have been put on notice of what compliance requires, removing the defense that the rules were unclear.
Implications Beyond the UK
The CMAโs agentic AI guidance is UK law โ it derives authority from UK statutes and is enforced by a UK regulator. But its implications extend beyond organizations incorporated in the UK.
Any business using AI agents to serve UK consumers โ including US technology companies, European retailers, and global SaaS platforms โ is subject to UK consumer protection law for those interactions. If your AI agent handles orders, complaints, or customer service for UK users, the CMAโs guidance applies.
EU parallel development. The European Commission has flagged agentic AI as a regulatory priority, and the EU AI Actโs provisions on general-purpose AI models and high-risk systems are being interpreted to apply to AI agents operating in high-stakes contexts. The CMAโs guidance is likely to inform how EU regulators approach the same issues as agentic AI becomes a more common deployment model.
US regulatory attention. The FTC has not yet issued guidance specifically on agentic AI and consumer protection, but FTC Section 5 deception analysis applies to AI agent interactions in the same way it applies to any consumer-facing representation. AI agents that make false or misleading statements are engaging in deceptive practices regardless of whether the FTC has specifically addressed the agent format.
What Compliance Programs Must Address
The CMA guidance creates a practical checklist for organizations deploying or planning to deploy AI agents in consumer-facing contexts:
Disclose AI identity. Every consumer-facing AI agent interaction must clearly indicate to the consumer that they are dealing with an AI โ before the interaction proceeds to any consequential action (order placement, contract formation, payment processing).
Audit AI agent outputs for consumer law compliance before deployment. Test the AI agentโs behavior across a representative range of consumer interactions, specifically checking for outputs that could constitute misleading commercial practices, unfair contract terms, or aggressive commercial practices. Compliance by design requires this testing to happen before deployment, not after problems arise.
Establish AI agent monitoring infrastructure. You must be able to see what your AI agents are doing at the interaction level. This means logging, sampling, anomaly detection, and human review mechanisms that are commensurate with the scale of deployment.
Build and pre-authorize remediation playbooks. Define in advance what actions will be taken when specific problems are identified. Who has authority to suspend an AI agent? What notification goes to consumers? How are affected transactions identified and unwound?
Review vendor contracts. If you deploy third-party AI agent technology, confirm that your vendor agreement addresses compliance obligations, incident reporting, and your right to audit and intervene. The CMAโs guidance makes clear that the deploying business owns the compliance obligation.
Apply the same standards globally, or manage jurisdictional risk explicitly. Consumer protection law in the EU, the UK, and several US states creates overlapping obligations. AI agents that are configured for compliance with one jurisdictionโs requirements may not meet anotherโs.
The CMAโs March 2026 guidance is the first document of its kind, but it will not be the last. As agentic AI deployment accelerates across industries, consumer protection regulators in every major jurisdiction will develop their own positions. The CMAโs framework โ transparency, compliance by design, human oversight, swift remediation โ is likely to influence the direction of that regulatory development globally.
Organizations that have already deployed or are planning to deploy AI agents in consumer markets should treat March 9, 2026 as the starting date of the compliance clock on this issue.
Sources: UK Competition and Markets Authority, โComplying with consumer law when using AI agentsโ (March 9, 2026); CMA, โAgentic AI and consumersโ research paper (March 9, 2026); GOV.UK publication (Complying with consumer law when using AI agents); Cooley (AI Agents and Consumer Law: What Businesses Need to Know); Ashurst (Free agent? Not quiteโฆ new UK guidance on agentic AI); Lewis Silkin (Agentic AI and consumer law: the CMAโs guidance for businesses); TLT LLP (Agentic AI: CMA publishes guidance on consumer law and DMCCA risks); Osborne Clarke, UK Regulatory Outlook March 2026. This article is provided for informational purposes only and does not constitute legal advice.
