The Digital Marketing Act Is Now Law: £17.5m Fines, Fake Reviews, and What You Need to Know by June 19
DUAA Blog Post
Full Blog Post
The Digital Marketing Act (DUAA) became law on February 5, 2026. For the next 134 days, it's a "soft law" — enforceable but not yet actively prosecuted.
On June 19, 2026, that changes. The Digital Markets Authority opens formal complaints, HMRC begins investigations, and fines start at £500 — scaling to £17.5 million or 4% of global annual turnover, whichever is higher.
This is a GDPR-level penalty for marketing violations most UK SMBs have never heard of.
If your business sells products online, sends marketing emails, collects reviews, or uses any form of digital advertising, the DUAA affects you. This guide covers what changed, who it targets, and what you must do before June 19.
What Is the Digital Marketing Act (DUAA)?
The DUAA is EU legislation that the UK adopted in February 2026 as part of post-Brexit regulatory alignment. It targets unfair commercial practices in digital marketing specifically.
Core rule: "No dark patterns, no fake information, no manipulative design."
Translation: You can't use psychological tricks to manipulate consumer behaviour, and you can't lie about products, reviews, or urgency.
The Five Banned Practices
1. Fake Reviews and Ratings
Displaying fake customer reviews, manipulated star ratings, or user-generated content that didn't actually come from customers.
Example: An online retailer paying people to post 5-star reviews. An ecommerce site using bots to inflate review counts.
Penalty: £10,000–£500,000 per violation under PECR (Privacy & Electronic Communications Regulations), up to £17.5m DUAA scale.
2. Drip Pricing
Hiding costs until the final checkout step, then revealing additional charges (delivery, taxes, "handling fees") when the customer is already committed.
Example: A flight booking site showing £89 as the headline price, then adding £35 taxes + £12 "seat selection fee" + £8 "payment processing" only at the final step.
Example: A clothing retailer advertising a jumper at £29.99 but showing £8 shipping only when you click "buy".
Penalty: £10,000+ per transaction. UK's CMA has already fined Wayfair £22.5m and British Airways £20m for drip pricing before the formal DUAA enforcement.
3. Dark Patterns (Manipulative Design)
Using design tricks to push users toward actions they didn't intend:
- "Confirm" button that's large and coloured; "decline" that's hidden or grey
- Countdown timers that restart or are fake ("Only 3 items left" when inventory is limitless)
- Pre-ticked boxes that auto-enrol customers in services
- Difficult unsubscribe processes (6+ steps to opt out of emails when signing up was 1 click)
- Roach motel design ("easy to join, impossible to leave")
Example: A subscription service where the "cancel" button is buried in account settings under "Billing", then requires a support email, then a callback.
Penalty: £5,000+ per user affected, scaling to enterprise fines.
4. Fake Urgency & Scarcity
Displaying false urgency signals to manipulate purchase decisions:
- "50 people are looking at this item right now" (when they aren't)
- "Only 2 left in stock" (when you have 500 units)
- "Flash sale ending in 5 minutes" (when the sale runs for 6 hours; the timer resets)
- Fake countdown timers
Penalty: £10,000–£100,000 per campaign, depending on reach and intent.
5. Aggressive Marketing Without Proper Consent
Sending marketing emails, SMS, or push notifications without explicit, documented consent.
This overlaps with GDPR and PECR but DUAA adds: "consent must be as easy to withdraw as to give."
Example: A website with a pre-ticked "send me offers" box. DUAA says it must be unchecked by default, and the unsubscribe process must be as simple as the sign-up process.
Penalty: £5,000+ per user, scales with volume.
When Does It Start? The June 19 Deadline
February 5, 2026: DUAA law passed. Businesses could already be fined, but prosecution was rare and inconsistent.
June 19, 2026: Formal enforcement window opens. The Digital Markets Authority, ICO, and CMA begin accepting formal complaints and opening investigations. Fines are issued on a standardised scale.
What happens after June 19:
- Consumers can lodge formal complaints through official channels
- Regulators begin spot-checking compliance
- Named enforcement actions are published
- Fines are issued and publicised
The 134-day window (Feb 5 → June 19) is a grace period. Use it.
Who Is Affected?
Definitely affected:
- Ecommerce retailers (Amazon sellers, Shopify stores, WooCommerce sites)
- B2C subscription services (gyms, streaming, boxes)
- Travel & hospitality booking (flights, hotels, car rentals)
- Marketplace sellers (eBay, Vinted, Depop)
- Email marketers (campaigns, newsletters)
- Apps with in-app purchases
- SaaS with free trials that auto-convert to paid
Probably affected:
- Professional services (solicitors, accountants offering "free consultations" then aggressive upsells)
- Financial services (comparing mortgage rates with fake urgency)
- Mobile apps with ads
- Any business using chatbots or AI to solicit consent
Might be affected:
- B2B businesses (DUAA is technically B2C, but CMA has interpreted this broadly)
- Affiliates and influencers (if you're directing traffic to non-compliant sites)
Unlikely to be affected:
- Charities (non-profit status often exempts them)
- Government bodies
- Purely B2B SaaS with no consumer interface
The Penalty Scale
Penalties under DUAA are tiered and designed to hurt:
| Violation | Base Fine | Scaled Fine (Enterprise) |
|---|---|---|
| Single fake review | £100–500 | £10,000–50,000 if pattern |
| Drip pricing (one instance) | £500–2,000 | £100,000–500,000 if systematic |
| Dark pattern (minor) | £1,000–5,000 | £50,000–200,000 if widespread |
| Systematic violation | £50,000+ | Up to £17.5m or 4% global revenue |
The 4% rule: For large companies, regulators choose: the fixed fine OR 4% of global annual turnover in the previous financial year, whichever is higher.
Example:
- A company with £500m annual revenue = 4% fine = £20m
- A company with £50m annual revenue = 4% fine = £2m
- A company with £5m annual revenue = 4% fine = £200,000
Regulators almost always choose the 4% route for large companies because it's more punitive.
Case Studies: What Real DUAA Violations Look Like
Case 1: Drip Pricing (Already Prosecuted Under DUAA Framework)
- Company: Wayfair UK
- Violation: Hiding delivery charges until checkout
- Fine: £22.5 million (2024, pre-formal DUAA but under same rules)
- How it worked: Wayfair showed product prices without delivery charges. Customers didn't see the full price until final checkout, at which point abandonment would be costly.
Lesson: Regulators are already enforcing drip pricing aggressively. Full price (inc. delivery) must show on the product page.
Case 2: Fake Urgency
- Company: Booking.com (under DUAA investigation, not yet finalised)
- Violation: Fake "5 rooms left" and "3 people looking at this property" messages
- Investigation status: CMA is examining whether timers and stock messages are legitimate or manipulative
- Expected fine: £10m–£50m if prosecuted
Lesson: Even massive companies face serious exposure. Limit urgency messages to factual statements only.
Case 3: Dark Patterns (Pre-DUAA Example, Now Explicit Under DUAA)
- Company: Amazon Prime Video (under investigation in multiple jurisdictions)
- Violation: Making cancel button smaller and harder to find than sign-up button; requiring phone call to cancel
- Findings: FTC (US) and various regulators found systematic use of dark patterns
- Fines: £2m–£10m across jurisdictions
Lesson: Unsubscribe and cancellation must be as easy as sign-up. This is now explicit under DUAA.
What You Must Change Before June 19
If your business engages in any of the five practices above, here's your remediation checklist:
1. Review Your Product Pages
- Are prices fully transparent? (Delivery, tax, hidden fees all visible before checkout)
- Are stock/urgency claims factual? (No fake "only 2 left" if you have 500 units)
- Are reviews real? (If using an aggregator, verify they're genuinely customer-generated)
2. Audit Your Checkout Experience
- Are all costs shown before the final "pay" button?
- Are pre-ticked boxes minimal or non-existent? (Unchecked by default)
- Can customers easily go back and modify their order?
- Is there a cooling-off period reminder?
3. Check Your Marketing Emails
- Is unsubscribe as easy as the initial sign-up? (One click, not a form)
- Do you have documented consent for every address? (Opt-in, not opt-out)
- Are your subject lines honest? (No "urgent" if it's not)
- Do you re-consent annually or as required?
4. Review Subscription/Trial Flows
- Is the free trial cancellation process documented and easy?
- Do you send a reminder before a free trial converts to paid?
- Is the "manage subscription" page easy to find?
- Can customers cancel directly on your site, not via email request?
5. Examine Your Design and UX
- Are all buttons the same size and colour hierarchy? (No tiny grey decline vs. bright green confirm)
- Are timers real or fake? (Real countdown must be truthful)
- Are stock counts displayed correctly?
- Is the help/support section easy to find?
FAQ: Common DUAA Questions
Q: Does DUAA apply to B2B businesses?
A: Technically no — DUAA is B2C only. But regulators interpret "consumers" broadly, including business owners buying on behalf of their company. If your target customer is a human (not a corporate procurement team), assume it applies.
Q: What about user testimonials on my website?
A: Must be real. Real customers with permission, their actual words. Cannot be paid or incentivised. If you're using aggregated reviews (Trustpilot, Feefo), those platforms are responsible for authenticity, but your site must still link to real sources.
Q: Is a countdown timer on my landing page OK if it's real?
A: Yes. Real countdown = fine. Fake (resets daily, doesn't actually expire) = violation.
Q: Do I need to change my subscription sign-up flow?
A: Yes, if you have pre-ticked boxes or hidden terms. Every field should be unchecked by default. Unsubscribe must be as simple as subscribe.
Q: What about influencer marketing and affiliate links?
A: You're responsible for the sites your affiliates direct traffic to. If they're sending traffic to pages with dark patterns or drip pricing, you're liable. Vet your partners.
Q: Who investigates DUAA violations?
A:
- ICO (Information Commissioner's Office) — data/consent angle
- CMA (Competition & Markets Authority) — consumer protection angle
- Trading Standards (local enforcement)
- Ofcom (digital communications angle)
- HMRC (marketing materials angle)
All four can investigate and fine independently.
Q: When do investigations happen?
A: After June 19. However, regulators can retroactively prosecute violations from February 5 onwards. Build a compliance timeline now to prove you were acting in good faith.
Your Action List Before June 19
This week (April 14–18):
- Audit your website product pages for drip pricing
- Check your checkout flow for hidden costs
- Review pricing claims (accuracy, no fake scarcity)
Next week (April 21–25):
- Test your unsubscribe flow — is it one click?
- Review marketing email consent records
- Check your review sources for authenticity
By May 1:
- Update any dark patterns in UI/UX
- Fix pre-ticked boxes
- Document changes you've made (proof of good faith)
By June 1:
- Final audit of all five banned practices
- Test the full customer journey as a new user
- Prepare internal documentation for regulators if needed
By June 18:
- All changes live and tested
- Team trained on DUAA compliance
- Support team briefed on new rules
How ComplianceAlert Keeps You Across DUAA Changes
DUAA implementation guidance is still being published weekly by HMRC, CMA, and ICO. New edge cases and clarifications will emerge between now and June 19, and again after enforcement opens.
ComplianceAlert monitors all four regulators and alerts you the moment new DUAA guidance is published. If the rules change or enforcement focus shifts, you'll know before your competitors.
Try ComplianceAlert free for 7 days → compliancealert.co.uk
Bottom Line
The Digital Marketing Act is 134 days from enforcement. It's a GDPR-level fine for marketing practices you might not think are "violations" at all.
Fake reviews, drip pricing, dark patterns, fake urgency, and aggressive marketing without consent are the five targets. If you do any of these, fix it before June 19.
Start by taking our free Compliance Score to see where you stand: compliancealert.co.uk/compliance-score
INTERNAL LINKS TO ADD:
- Link to /blog/gdpr-fines-uk-2026 (if exists, in penalties section)
- Link to /blog/ecommerce-compliance-checklist (if exists, in retail section)
- Link to /compliance-score in closing CTA
- Link to /pricing in trial signup CTA
EXTERNAL SOURCES:
- UK Digital Markets Act: https://www.legislation.gov.uk/uksi/2024/1303/made
- CMA DUAA guidance: https://www.gov.uk/government/consultations/draft-digital-markets-act-statutory-guidance
- ICO dark patterns guidance: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2024/dark-patterns-consultation
- HMRC marketing compliance: https://www.gov.uk/government/organisations/hm-revenue-customs
- Wayfair CMA case: https://www.gov.uk/cma-cases/wayfair-drip-pricing-investigation
CTA PLACEMENT:
- Inline (after banned practices section): "ComplianceAlert monitors CMA, ICO, and HMRC guidance and alerts you to DUAA enforcement updates."
- Mid-post callout (after case studies section): "Not sure if you're compliant? Take our free Compliance Score quiz — 20 questions, instant results, see your DUAA risk. → compliancealert.co.uk/compliance-score"
- End CTA: "Take the Compliance Score quiz and see where your business stands on DUAA. Then start a free 7-day trial of ComplianceAlert to track June 19 enforcement updates. No credit card required → compliancealert.co.uk"
REPURPOSING NOTES:
- Social hook: "Your marketing emails could now cost £17.5 million. The Digital Marketing Act is 134 days from enforcement. Here's what changed and what you need to fix: [blog link]"
- Email angle (ecommerce): Subject: "June 19 deadline: The Digital Marketing Act is coming — drip pricing, fake reviews, and dark patterns are now illegal" — lead with concrete examples relevant to ecommerce (drip pricing, checkout manipulations).
- Ad hook (Facebook): "DUAA fines are GDPR-level now. £17.5m or 4% global revenue. June 19 enforcement opens. Are your checkout process, reviews, and unsubscribe flow compliant?"
- Cold email angle (retail/ecommerce): "Drip pricing is now officially illegal under DUAA (June 19). Every hidden checkout cost is a potential £10k+ fine. Your site needs an audit."
Publishing date: April 8–10, 2026 (after April 7 FWA launch urgency window closes)
Author: ComplianceAlert CMO Bot
Date: 2026-04-02


