United Kingdom Digital Markets Act Checklist for Tech Firms

Identifying Strategic Market Status for International Tech Operations

Strategic Market Status (SMS) is a legal designation applied by the Competition and Markets Authority (CMA) to firms with substantial and entrenched market power in a digital activity linked to the UK. To qualify, a firm must have a position of strategic importance and meet specific turnover thresholds that demonstrate its impact on the British economy.

The CMA evaluates SMS designation based on four key criteria. First, the firm must possess "substantial and entrenched" market power. Second, it must hold a position of strategic importance, meaning its activities have a significant impact on the ability of other entities to participate in the market. Third, the firm must meet the jurisdictional nexus, which requires that the digital activity is either provided to UK users or has a substantial effect on UK trade. Finally, the firm must meet the statutory turnover test.

Digital Markets Compliance Checklist

The following checklist outlines the mandatory steps global tech firms must take to align with the Digital Markets, Competition and Consumers Act. This list covers conduct requirements, merger reporting, and consumer protection standards necessary to avoid regulatory intervention.

• Conduct Requirement Audit: Review all digital activities to ensure they promote fair trading, open choices, and transparency for UK users.
• Data Silo Review: Ensure that user data is not being used to unfairly advantage the firm's own products over third-party competitors (self-preferencing).
• Merger Notification Protocol: Implement a system to notify the CMA of any acquisition where the transaction value is at least £25 million and the firm has an existing UK connection.
• Subscription Transparency: Update UK-facing interfaces to include "clear and prominent" information regarding auto-renewals and price increases before a consumer commits.
• Easy-Exit Implementation: Ensure consumers can terminate digital subscriptions as easily as they signed up, ideally through a single, visible online "cancel" mechanism.
• Default Setting Analysis: Audit software and platforms to ensure default settings do not unfairly nudge UK consumers away from competitor services.
• Compliance Officer Appointment: Designate a specific lead for UK regulatory affairs to act as the primary liaison with the CMA's Digital Markets Unit (DMU).

Timeline for Responding to CMA Inquiries

The CMA operates under strict statutory deadlines when investigating digital markets or designating a firm with SMS. Firms must be prepared to provide massive volumes of data within short windows, often ranging from two to four weeks for standard information requests.

A formal SMS investigation typically lasts nine months, during which the CMA gathers evidence and issues a "notice of proposal" if it intends to designate the firm. Once a designation is made, the firm has a limited window to appeal the decision to the Competition Appeal Tribunal (CAT). For ongoing conduct investigations, the timeline varies, but the CMA generally aims to conclude its findings and issue enforcement orders within 12 months of opening a formal probe.

1. Information Request (Section 5): Usually requires a response within 10 to 20 working days.
2. SMS Investigation Phase: Lasts up to 9 months from the date of the "initiation notice."
3. Draft Decision Consultation: Usually provides a 30-day window for the firm to submit counter-arguments.
4. Final Enforcement Order: Becomes effective immediately or on a date specified by the CMA, often requiring compliance within 60 to 90 days.

Mistakes in Cross-Border Data Processing and Consumer Subscription Terms

Global tech firms frequently err by applying a "one-size-fits-all" global Terms of Service that fails to meet the UK's heightened consumer protection standards. The DMCC Act introduces specific requirements for "subscription traps," making it illegal to hide the exit path for a service or fail to provide mandatory renewal reminders.

Common mistakes include using "dark patterns" that manipulate UK users into staying subscribed or failing to provide a clear cooling-off period. In cross-border data processing, firms often fail to segregate UK user data sufficiently to comply with specific CMA "interoperability" orders. This can lead to allegations of anti-competitive data bundling, where a firm uses its dominance in one sector to monopolize another by leveraging integrated data sets.

• The "Check-out" Trap: Requiring a phone call to cancel a service that was purchased online.
• Vague Renewal Notices: Sending renewal alerts that do not clearly state the upcoming price increase or the deadline for cancellation.
• Data Pooling: Combining data from different digital activities without providing consumers a genuine choice, which violates "fair trading" conduct requirements.

Regulatory Penalties and Pre-Litigation Compliance Plans

The CMA possesses the power to impose civil financial penalties for breaches of the DMCC Act. For the most serious violations, fines can reach 10% of a firm's global annual turnover, a figure designed to ensure that even the world's largest tech companies view compliance as a financial priority.

To mitigate these risks, firms must implement a pre-litigation compliance plan. This involves conducting an internal "mock audit" of current UK operations and establishing a "dawn raid" protocol. Because the UK regime allows for private actions, a CMA finding of infringement can serve as the basis for collective proceedings (class actions) by UK consumers or business users. A robust compliance plan acts as a primary defense by demonstrating a proactive commitment to the UK's fair trading principles.

• Daily Penalties: The CMA can charge up to 5% of daily global turnover for continued non-compliance with an information request.
• Personal Liability: In specific cases, senior managers can face fines if they knowingly or recklessly provide false information to the regulator.
• Document Retention: Maintain a rigorous log of all decisions related to "market power" activities to provide a defense against allegations of "entrenched" dominance.

Common Misconceptions About UK Digital Markets Law

The DMCC Act is the same as the EU Digital Markets Act (DMA)

While they share similar goals, the UK regime is more flexible and "participatory." The UK's CMA creates bespoke conduct requirements for each specific firm designated with SMS, whereas the EU DMA applies a uniform set of "dos and don'ts" to all designated gatekeepers.

Only the "Big Five" tech companies are at risk

While the largest firms are the immediate targets, the turnover thresholds (£1bn UK / £25bn global) and the "strategic importance" criteria can capture a wider range of international platforms, particularly in fintech, cloud computing, and digital advertising.

Complying with GDPR means you are compliant with the DMCC Act

Data protection (GDPR) and digital competition (DMCC) are separate legal frameworks. Even if you handle data privately and securely under GDPR, using that same data to freeze out competitors or self-preference your own services can still violate UK antitrust laws.

FAQ

What happens if my company is designated with SMS?

If designated, your company will be subject to "conduct requirements" tailored by the CMA. These may include requirements to provide interoperability with competitors, transparency in algorithms, or restrictions on how you use consumer data across different services.

Can I appeal a CMA decision under the DMCC Act?

Yes, decisions can be appealed to the Competition Appeal Tribunal (CAT). However, the standard of review is typically based on judicial review principles, meaning you must prove the CMA acted irrationally, illegally, or with procedural impropriety.

Is there a "grace period" for the new subscription rules?

The DMCC Act provides for phased implementation, but firms are expected to transition their UK interfaces quickly. Most experts recommend having new subscription and cancellation workflows in place before the end of 2025 to avoid being an early target for enforcement.

How does the CMA define a "digital activity"?

A digital activity is broadly defined as the provision of services by means of the internet or the provision of digital content. This includes search engines, social media platforms, online marketplaces, and mobile operating systems.

When to Hire a Lawyer

You should consult a UK-qualified antitrust specialist if your global turnover exceeds £25 billion and you provide any digital services to UK users. Legal counsel is essential when you receive a Section 5 formal information request from the CMA or if you are planning an acquisition of a UK-linked business valued over £25 million. Because the DMCC Act allows for significant discretionary power by the regulator, having a legal team to negotiate the "bespoke" conduct requirements is the only way to ensure your business model remains viable under the new UK standards.

Next Steps

1. Calculate Turnover: Confirm if your global and UK-specific revenues trigger the jurisdictional thresholds of the Digital Markets, Competition and Consumers Act 2024.
2. Review UK Interfaces: Audit your "sign-up" and "cancellation" flows for UK users to ensure they meet the new transparency and ease-of-exit requirements.
3. Internal Data Audit: Assess how data is shared between your different business units to identify potential "self-preferencing" risks.
4. Engage the CMA: If your firm is likely to be designated with SMS, consider proactive engagement with the Competition and Markets Authority to help shape the conduct requirements applied to your firm.