Agentic AI: CMA publishes guidance on consumer law and DMCC Act risks

The CMA is clear that consumers must not be misled about whether they are dealing with an AI agent, or about what that agent can and cannot do. If the use of AI might affect a consumer’s decision-making, businesses should be open about it. The CMA therefore warns against overstating an agent’s capabilities or disguising automated interactions as coming from a human.

Transparency also extends to outcomes. If AI agents generate recommendations, rankings or comparisons, businesses should ensure that material limitations are clearly disclosed. That could include, for example, how much of the market is covered, how results are ranked, or whether there are commercial relationships influencing outputs.

AI agents must be trained and configured to respect consumers’ statutory and contractual rights, which include rights around pricing, refunds, cancellation, and accurate product information. Consumer-facing businesses will be at risk if they deploy AI agents that makes it harder for consumers to exercise their rights, provides incomplete information, or applies policies inconsistently.

The CMA emphasises that errors at scale are particularly problematic, as an agent that systematically misstates cancellation rights or rejects valid refund requests can quickly lead to widespread consumer harm.

The policy paper highlights concerns around loss of consumer agency and the risk of manipulative or deceptive design (or ‘dark patterns’).

The CMA is likely to be concerned if an AI agent pressures, misleads or unduly influences consumers in a way that harms their economic interests, regardless of whether it emerges from code, prompts or optimisation logic.

In a sense, this is a natural evolution of the CMA’s long-standing focus on online choice architecture (OCA). The difference is that while the CMA’s work to date on OCA has tended to focus on the impact of static user interfaces on consumers, the challenges are different for dynamic AI-powered systems that are highly personalised and optimise constantly in response to user behaviour.

Businesses must remain in control of their AI agents and the CMA emphasises the need for appropriate human oversight, particularly where agents interact directly with consumers or take decisions with financial or contractual consequences.

Hallucinations, data errors and unexpected behaviour are well‑recognised risks in current AI systems. Without robust monitoring and escalation processes, these risks can quickly translate into consumer law breaches.

Compliance should start at the design stage, which means that businesses should be clear about what tasks an AI agent is allowed to perform, what data it can access, and what constraints apply.

Training data and prompts should reflect consumer law requirements, including statutory rights and consent requirements. Testing is also critical, as pre‑deployment testing such as scenario testing and review of edge cases can help identify misleading outputs, inconsistent decisions or gaps in disclosures before they reach customers.

Deployment is not a one-off exercise or the end of the compliance story. The CMA expects ongoing monitoring of how AI agents behave in practice, including reviewing outputs, customer interactions, complaints and feedback. Regular human review helps identify bias or unintended outcomes, and this is particularly important where agents interact with large numbers of consumers or vulnerable groups or where decisions have financial consequences.

Where issues are identified,particularly where there might be significant impacts, the CMA expects businessesto act promptly to refine prompts, workflows or guardrails.  As the CMA’s message is clear that speed ofresponse matters, businesses are advised to put in place processes to avoiddelays in remediation.

Using third‑party AI tools does not shift responsibility, so businesses should carry out vendor due diligence on suppliers, understand how LLM systems are trained and governed, and ensure contractual arrangements and warranties support compliance, audit and remediation.