CMA guidance issued on AI agent consumer compliance

Current position

On 9 March 2026, the Competition and Markets Authority ("CMA") published guidance on complying with consumer law when using AI agents (also referred to as "agentic AI")[1]. The guidance is intended to help businesses deploy AI agents in consumer-facing contexts while remaining compliant with existing UK consumer protection law.

The CMA’s core message is: the use of AI does not change consumer law obligations. The same rules apply whether a consumer interacts with a human or an AI agent, and businesses remain legally responsible for the actions and outputs of any AI systems they deploy.

Key principles confirmed by the CMA

The guidance sets out practical principles for businesses using AI agents across customer journeys, including in areas such as customer service, marketing, sales and refunds:

• Responsibility sits with the business: Businesses are responsible for what their AI agents say and do, in the same way as for human employees. This applies even where the AI system is procured from or designed by a third‑party provider.
• Transparency with consumers: Where consumers are interacting with an AI agent (rather than a human), businesses should consider whether this needs to be made clear to avoid misleading consumers. Businesses should also avoid overstating what an AI system can do or the role AI plays in delivering a product or service.
• Training, testing and ‘compliance by design’: AI agents should be trained and configured to comply with consumer law requirements, including respecting statutory rights (such as cancellation and refund rights), avoiding misleading practices and properly obtaining any required consents. The CMA highlights the importance of robust testing, including ongoing monitoring once AI agents are deployed.
• Human oversight and rapid response: AI agents are not a “set and forget” exercise. Businesses should maintain appropriate human oversight and act swiftly to correct errors or unintended behaviour, particularly where AI operates at scale or interacts with vulnerable consumers, including by refining prompts, workflows or controls where issues arise. Complaints and outputs should be actively monitored.

Why this matters

The CMA has signalled that agentic AI is an area of increasing regulatory focus. The guidance sits alongside the CMA’s enhanced consumer protection enforcement powers under the Digital Markets, Competition and Consumers Act 2024. Non-compliance can therefore expose businesses to significant regulatory and financial risk, including fines of up to 10% of global annual turnover.

Practical next steps for businesses

Businesses using, or considering using, AI agents should:

• map where AI agents are used across consumer journeys and assess compliance risks;
• ensure internal teams (including legal, procurement and product teams) understand that consumer law obligations apply equally to AI-driven interactions and that they design AI agent processes accordingly;
• review training data, prompts and guardrails to ensure consumer protection requirements are built in; and
• put in place clear governance and monitoring processes to support ongoing compliance. Where issues arise, it will be essential that fixes are put into place promptly to minimise regulatory and reputational issues.

As with other recent CMA guidance, the practical compliance burden will depend on how businesses deploy AI agents in practice. A more detailed assessment may be appropriate for businesses relying heavily on AI in consumer-facing functions.