What is the maximum DMCCA fine for a UK business?

Under the Digital Markets, Competition and Consumers Act 2024, the CMA can impose a financial penalty of up to 10% of the business's global annual turnover for an infringement of the unfair commercial practices provisions in Part 4. Daily penalties for continuing breaches can be up to 5% of daily global turnover. Individuals who are directly responsible for the infringement face penalties up to £300,000.

How does the CMA calculate DMCCA fines?

The CMA uses a penalty calculation methodology that considers the seriousness of the infringement, the duration of the breach, the turnover of the business affected by the breach (not just the overall business), whether the practice was intentional or negligent, any mitigating steps taken and the organisation's prior history of regulatory action. The 10% figure is a ceiling, not a starting point. Most enforcement outcomes for first-time breaches will be significantly below the maximum.

Has the CMA issued DMCCA fines yet?

DMCCA Part 4 commenced in stages from April 2025. As at mid-2026, the CMA's DMCCA enforcement register is developing. The CMA's pre-DMCCA investigations under CPUT 2008 and the Enterprise Act established enforcement patterns, but formal DMCCA penalty decisions are a new development. Check the CMA's published case pages at gov.uk/cma-cases for the current register.

Are DMCCA fines bigger than ICO data protection fines?

Structurally similar. UK GDPR's maximum is £17.5 million or 4% of global turnover, whichever is higher. DMCCA's maximum is 10% of global turnover. For a mid-sized business, the DMCCA ceiling is higher on a turnover basis. However, the ICO has issued higher absolute-pound fines to date (British Airways £20 million, Marriott £18.4 million), because the CMA's direct-fining power is newer and the largest fines under DMCCA have not yet been published as at the time of writing.

E-Commerce

DMCCA fines 2025: 10% of global turnover for UK firms

Steven | TrustYourWebsite · 5 May 2026 · Last updated: May 2026

DMCCA fines in 2025 carry a headline ceiling of 10% of global annual turnover under the Digital Markets, Competition and Consumers Act 2024. That number looks large by design. The reality for most SMBs facing a first CMA investigation is different. The 10% figure is a statutory ceiling, not a standard outcome. The CMA calibrates downward from that ceiling based on a structured set of factors.

To check which DMCCA-relevant practices your website currently uses, run a free scan at /uk/en/scan.

The DMCCA fines structure at a glance

Part 4 of the DMCCA 2024 sets out the unfair commercial practices regime and the associated penalty structure. Schedule 6 specifies the CMA's enforcement powers including financial penalties.

The four penalty types under DMCCA Part 4 are summarised below.

Penalty Type	Cap	Who It Applies To	Statutory Reference
One-off corporate fine	10% of global annual turnover	Businesses found in breach	DMCCA Schedule 6
One-off individual fine	£300,000	Officers or directors directly responsible	DMCCA Schedule 6
Continuing-breach daily penalty (business)	5% of daily global turnover	Businesses ignoring a CMA direction	DMCCA Schedule 6
Continuing-breach daily penalty (individual)	£15,000 per day	Individuals ignoring a CMA direction	DMCCA Schedule 6

A separate procedural penalty of up to £30,000 (or 1% of annual turnover) applies where a business fails to comply with a CMA information notice during an investigation. That sits alongside the substantive infringement penalty rather than replacing it.

The statutory fine framework

Where a business sits inside a wider group, the CMA has discretion to base the turnover calculation on the relevant part of the group rather than the whole. The relevant base is typically the UK turnover affected by the infringing practice.

Officers and directors of businesses can face personal penalties independently of the corporate penalty. The individual cap of £300,000 applies per person, not per breach.

The daily penalty for continuing breaches runs for each day an infringement continues after a CMA direction to cease. That is in addition to the one-off fine, not instead of it.

How the CMA calculates the fine

The CMA published penalty calculation guidance applicable to its DMCCA enforcement powers. The calculation follows a staged approach broadly similar to the ICO's UK GDPR penalty methodology.

The diagram below shows the four steps the CMA works through to reach a final penalty.

<div className="my-6 overflow-x-auto"> <svg viewBox="0 0 760 220" xmlns="http://www.w3.org/2000/svg" role="img" aria-labelledby="dmcca-fine-flow-title" className="w-full max-w-full"> <title id="dmcca-fine-flow-title">CMA DMCCA penalty calculation flow from turnover assessment through aggravating and mitigating factors to the statutory cap</title> <defs> <marker id="dm-arrow" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="6" markerHeight="6" orient="auto"> <path d="M0,0 L10,5 L0,10 z" fill="#475569" /> </marker> </defs> <g fontFamily="ui-sans-serif, system-ui, sans-serif" fontSize="12" fill="#1e293b"> <rect x="10" y="60" width="150" height="80" rx="6" fill="#f1f5f9" stroke="#475569" /> <text x="85" y="86" textAnchor="middle" fontWeight="600">Step 1</text> <text x="85" y="104" textAnchor="middle">Relevant turnover</text> <text x="85" y="120" textAnchor="middle">UK sales linked</text> <text x="85" y="134" textAnchor="middle">to the breach</text>

  <rect x="190" y="60" width="150" height="80" rx="6" fill="#f1f5f9" stroke="#475569" />
  <text x="265" y="86" textAnchor="middle" fontWeight="600">Step 2</text>
  <text x="265" y="104" textAnchor="middle">Seriousness +</text>
  <text x="265" y="120" textAnchor="middle">duration uplift</text>
  <text x="265" y="134" textAnchor="middle">Intent matters</text>

  <rect x="370" y="60" width="150" height="80" rx="6" fill="#fef3c7" stroke="#d97706" />
  <text x="445" y="86" textAnchor="middle" fontWeight="600">Step 3</text>
  <text x="445" y="104" textAnchor="middle">Aggravating /</text>
  <text x="445" y="120" textAnchor="middle">mitigating</text>
  <text x="445" y="134" textAnchor="middle">adjustments</text>

  <rect x="550" y="60" width="200" height="80" rx="6" fill="#dcfce7" stroke="#16a34a" />
  <text x="650" y="86" textAnchor="middle" fontWeight="600">Step 4</text>
  <text x="650" y="104" textAnchor="middle">Apply statutory cap</text>
  <text x="650" y="120" textAnchor="middle">10% global turnover</text>
  <text x="650" y="134" textAnchor="middle">or £300,000 individual</text>

  <line x1="160" y1="100" x2="188" y2="100" stroke="#475569" strokeWidth="1.5" markerEnd="url(#dm-arrow)" />
  <line x1="340" y1="100" x2="368" y2="100" stroke="#475569" strokeWidth="1.5" markerEnd="url(#dm-arrow)" />
  <line x1="520" y1="100" x2="548" y2="100" stroke="#475569" strokeWidth="1.5" markerEnd="url(#dm-arrow)" />

  <text x="380" y="190" textAnchor="middle" fontSize="11" fill="#64748b">The cap is the ceiling. Co-operation and remediation reduce the final figure.</text>
</g>

</svg> </div>

The CMA starts by identifying the value of sales directly or indirectly related to the infringement. This is not necessarily the full global turnover. A business that runs an e-commerce site with drip-pricing on one product category is not automatically assessed at 10% of its entire global turnover.

A starting percentage is then applied to that base, reflecting the seriousness of the infringement. Intentional practices designed to deceive consumers attract higher starting percentages than negligent failures to update price displays.

The duration of the infringement multiplies the base amount. A practice running for three years generates a higher penalty than the same practice running for three months.

Mitigating factors that the CMA recognises include voluntary cessation of the practice before the investigation concluded, co-operation with the investigation, remediation of the affected consumers, no prior regulatory record and financial capacity considerations that would make the calculated penalty disproportionate.

Aggravating factors include concealing evidence, previous CMA or Trading Standards action for similar practices and continuing the practice after becoming aware of the investigation.

Daily penalties and continuing breaches

The continuing-breach daily penalty mechanism is designed to prevent businesses from treating DMCCA enforcement as a cost of doing business. If the CMA issues a direction to cease an infringing practice and the business continues it, the 5% daily rate applies from the date of non-compliance.

A worked example shows the scale. For a business with £10 million annual turnover, daily global turnover is approximately £27,000. At 5%, the daily penalty is about £1,370. Over 30 days of non-compliance that adds £41,000 in daily penalties on top of the underlying infringement penalty. Sustained non-compliance after a CMA direction quickly becomes untenable even for smaller businesses.

The practical implication is that once the CMA issues a formal direction, compliance must occur immediately. Delay in remediation while seeking legal advice on appeal does not suspend the daily penalty.

UK businesses subject to both UK GDPR and DMCCA face two separate penalty regimes with different ceilings and different regulators.

Regime	Cap	Regulator
DMCCA Part 4	10% of global annual turnover	CMA
UK GDPR (higher tier)	£17.5 million or 4% of global turnover, whichever is higher	ICO
UK GDPR (lower tier)	£8.7 million or 2% of global turnover, whichever is higher	ICO
PECR	£500,000	ICO

On the turnover-percentage basis, DMCCA is stricter than UK GDPR. On an absolute-pound basis, the ICO has issued larger fines to date because UK GDPR enforcement is more mature.

The regimes can apply simultaneously to the same business for the same underlying facts. A checkout dark pattern that collects consent to marketing without valid GDPR consent is both a DMCCA unfair commercial practice and a potential UK GDPR violation. The ICO and CMA have coordination mechanisms to avoid double-counting harm. Double-exposure remains possible in principle.

Realistic exposure for SMBs

The 10% ceiling applies to the largest, most serious, intentional and sustained infringements. For a first-time investigation of an SMB that co-operates, ceases the infringing practice promptly and remedies affected consumers, the realistic outcome is significantly lower.

The CMA's approach, drawn from its pre-DMCCA enforcement record, suggests that outcomes for co-operating first-time SMB respondents are more likely to land in the range of low-to-mid single-digit percentages of the affected turnover. The global-turnover maximum is reserved for repeat offenders or deliberate large-scale harm.

Settlement before a formal decision is also an option the CMA uses. It provides less public precedent value for businesses seeking certainty about the law. It does achieve the desired outcome of behavioural change without a contested hearing.

The CMA's investigation procedure and your rights

A DMCCA investigation under Part 4 follows a structured procedure with defined rights for the business under investigation.

The CMA begins with information gathering. Under Schedule 6 paragraph 10 of the DMCCA, the CMA can issue information notices requiring the business to produce documents, provide information or attend interviews. Failure to comply with an information notice is a separate offence carrying penalties of up to £30,000.

After gathering evidence, the CMA issues a provisional decision if it concludes there is a case to answer. The provisional decision sets out the proposed finding of infringement and the proposed penalty. The business has the right to make representations within a specified period, typically 28 days.

After considering representations, the CMA issues a final decision. The final decision is appealable to the Competition Appeal Tribunal (CAT). An appeal to the CAT does not automatically suspend payment of the penalty. The CAT can review the CMA's decision on merits, not merely on judicial review grounds. That means it can substitute a different penalty amount or overturn the infringement finding entirely.

Further appeals from the CAT go to the Court of Appeal on points of law. The full litigation route is expensive. It is typically pursued where the penalty is large, the legal questions are genuinely novel or the finding would have significant precedent implications for the business's wider operations.

What businesses should do if the CMA contacts them

The CMA's initial contact is not always a formal investigation notice. The CMA often sends a preliminary letter or makes an informal approach before opening a formal investigation. That gives the business an opportunity to engage voluntarily.

At this stage, the most effective approach is to take the contact seriously, gather relevant documentation about the practice in question and seek legal advice before responding. Unlike ICO investigations, where the general advice is to respond promptly and fix the problem, DMCCA investigations may involve more complex questions about whether a practice was an infringement at all. DMCCA Part 4 is relatively new. The CMA's enforcement interpretations are still developing through early decisions.

Where an informal approach resolves the matter through voluntary change and no penalty is sought, the CMA typically issues no public decision. This outcome is preferable for the business from a reputational perspective and for precedent reasons.

If a formal investigation opens, co-operation is the most significant mitigating factor. Providing requested information promptly, ceasing any practice the CMA has identified as potentially infringing and remediating affected consumers all reduce the penalty that would otherwise be imposed. The CMA has explicitly recognised co-operation and remediation as mitigating factors in its penalty methodology documentation.

Interaction between DMCCA and Trading Standards

The CMA is not the only body enforcing consumer protection law. Local Trading Standards offices, operating through councils, have concurrent powers to enforce consumer protection legislation including aspects of DMCCA. The Chartered Trading Standards Institute represents local Trading Standards officers.

For SMBs, Trading Standards enforcement is often the first point of contact for consumer protection issues. Trading Standards does not have the same direct-fining powers as the CMA under DMCCA. It can refer cases to the CMA. It can take criminal enforcement action for certain offences. A Trading Standards investigation can precede or run alongside a CMA investigation.

For what specific DMCCA-prohibited practices look like in web design, see DMCCA 2024: CMA enforcement of dark patterns. For how UK GDPR penalties compare in the data-protection context, see UK GDPR fines under the ICO.

This is technical analysis, not legal advice. Consult a solicitor for specific guidance on DMCCA compliance and CMA investigations.

Share this article

Check your website now

Scan your website for E-Commerce issues and 30+ other checks.

Start free check

UK Website Guides

Consumer Rights Act 2015: What UK Websites Must Disclose

Mandatory disclosures for UK e-commerce under the Consumer Rights Act 2015 and Consumer Contracts Regulations 2013, and what Trading Standards enforce.

DMCCA 2024: 10% Turnover Fines for Dark Patterns on UK Sites

DMCCA 2024 gives the CMA power to fine UK sites up to 10% of global turnover for drip pricing, fake reviews and subscription traps. What's prohibited and when.

CMA investigations under DMCCA 2024: UK guide 2026

DMCCA 2024 gave the CMA direct enforcement over UK online businesses. What triggers a CMA investigation, how the process runs and what you owe in 2026.

UK online cancellation: DMCCA 2024 and CCRs 2013

UK online cancellation 2026: CCRs 2013 14-day cooling-off, DMCCA 2024 subscriptions and CMA powers up to 10% turnover.