2025 has brought significant legal changes that every business needs to navigate carefully. From strengthened consumer law enforcement and procurement reforms to new data and AI regulations, understanding the implications is critical to staying compliant and protecting your business.
Stronger consumer law enforcement: CMA powers under the DMCC Act 2024
What changed from April 2025?
From 6 April 2025, parts of the Digital Markets, Competition and Consumers Act 2024 (DMCC) kicked in, giving the CMA the power to fine businesses up to 10% of global turnover for consumer-law breaches without going to court. Priority areas include subscription traps, drip pricing and fake reviews. Think of it as consumer law with competition-law-level bite.
What this means in practice for businesses
If your business model relies on sign-ups, renewals or add-ons, the risk has escalated from a potential ASA complaint to a board-level enforcement concern.
The CMA is now laser-focused on ensuring that businesses comply with the following key obligations:
- Sign-ups and renewals must have clear pre-contract information, reminders ahead of renewal and easy cancellation (one-click means one-click!).
- All unavoidable fees must be shown up front (no more “surprise” charges at checkout).
- No fake reviews: incentives must be transparent and reasonable steps taken against review-manipulation.
Quick compliance wins
- Map your subscription journey: what does the customer see?
- Add a prominent cancel CTA (call to action button) that works on mobile with poor reception.
- Price pages: bring compulsory fees forward.
- Review policy and moderation playbook; block obvious astroturfing.
- Capture evidence of communication (emails/SMS reminders) as you’ll need it if the CMA knocks.
When to get legal advice
- Redesigning your sign-up and cancellation flows now carries potential legal risks under new consumer protection rules.
- When bundling services with variable fees, it’s important to verify which costs must be clearly disclosed, and where, to stay compliant.
- If you syndicate or moderate customer reviews, you must be able to demonstrate that you’ve taken reasonable steps to prevent misleading content and avoid “knew or ought to have known” liability.
Why is this important now? The enforcement regime is live, and administrative fines make investigations faster and costlier to fight. Don’t give the CMA a “dark pattern” screenshot to put in a press release.
Public procurement reforms under the Procurement Act 2023
The Procurement Act 2023 came into force on 24 February 2025. It replaces the old EU-derived regime with a single rulebook, more transparency, more flexible procedures and (for suppliers) more ways to differentiate beyond price.
Key differences and opportunities for suppliers
- Flexible competitive procedure: buyers have room to negotiate; suppliers have room to tell a better story.
- Open frameworks and dynamic markets: longer-life access routes; SMEs can get on and stay on.
- Transparency by default: more notices, more KPIs, more data… and therefore more intel for smart bidders.
Practical steps for suppliers
- Build a capability pack: 2-page case studies, ESG, conflicts stance, cyber posture, prompt-payment posture.
- Track pipeline notices and KPI publications: treat them as a competitor-intelligence feed.
- Rehearse a negotiated procedure: who speaks to value? Who speaks to risk? Who answers the awkward questions?
When to get legal advice
- Before you submit a bid using a new procedure, to pressure-test compliance promises and flow-downs to subs.
- If you’re considering a procurement challenge, remember that standstill periods are tight and that timing and evidence are critical.
- Structure your KPI and price-adjustment clauses carefully to avoid them becoming margin-eaters halfway through the contract.
Bottom line: The Act rewards suppliers who prepare and use transparency to their advantage. Treat it like a new market opening because it is.
The new data playbook: UK Data (Use and Access) Act 2025, EU Data Act and AI reforms
The UK Data (Use and Access) Act 2025 (DUAA)
The DUAA received Royal Assent on 19 June 2025. The Act enables digital verification services, expands Smart Data schemes (open banking-style data portability beyond finance) and tweaks aspects of UK privacy law. In simpler terms, identity, consent and data-sharing are being upgraded and some privacy notices and DPAs will need edits.
The EU Data Act and what it means for businesses
The EU Data Act has been in force since 11 January 2024 and is applicable from 12 September 2025. It bites if you sell connected products/services in the EU or use EU cloud: it mandates user access to device/service data, B2B data sharing on fair terms and cloud switching without lock-in, and it curbs vendor reuse of customer data. UK companies with EU customers are squarely in scope.
UK AI and copyright policy update
The UK ran a consultation on text/data mining and training transparency between December 2024 and February 2025. The direction of travel affects both rights-holders and AI adopters (licensing, opt-outs, warranties). The politicians have been lively, with parliamentary back-and-forth on transparency obligations.
What business leaders should do this quarter
- Map your data: What product/telemetry data do you collect from connected devices or services? Where does it live? Who needs access (customers, partners under EU Data Act)?
- Update contracts:
  - EU customers: add Data Act clauses (access, sharing terms, liability, switching/migration plans).
  - Vendors/cloud: insist on switching assistance and egress plans (no “hostage data”).
  - Smart Data/DUAA: review consent, purpose and portability obligations; align with new verification flows.
- AI governance:
  - Catalogue training/inputs and rights posture (are you relying on licences, exceptions or vendor warranties?).
  - Add copyright and TDM warranties/indemnities to AI/tooling MSAs; plan for rights-reservation signals from creators.
- Privacy updates: Adjust privacy notices and RoPA for new sharing/portability pathways; re-check international transfers as you add platforms.
When to get legal advice
- If you sell or plan to sell connected products in the EU, to avoid surprise Data Act obligations and contractual gaps.
- If you are rolling out digital verification or joining a Smart Data scheme, to align product and privacy bases with DUAA.
- If you are signing AI vendor contracts, to lock in IP/copyright warranties and avoid inheriting someone else’s training risk.
Why does it matter now? Because these regimes aren’t abstract: they convert directly into product requirements, RFP demands and contract negotiation points in 2025/26. The winners will be the teams that adjust early.
Keeping ahead of these legal developments isn’t optional; it’s essential for mitigating risk and seizing opportunities. Our Commercial team can help you review your processes, contracts and policies to ensure compliance and safeguard your business.
The information provided in this article is provided for general information purposes only, and does not provide definitive advice. It does not amount to legal or other professional advice and so you should not rely on any information contained here as if it were such advice.
Wright Hassall does not accept any responsibility for any loss which may arise from reliance on any information published here. Definitive advice can only be given with full knowledge of all relevant facts. If you need such advice please contact a member of our professional staff.
The information published across our Knowledge Base is correct at the time of going to press.