CMA Guidance: Businesses Liable for AI Agent Actions
Businesses are liable for consumer law violations committed by their AI agents, requiring immediate governance updates.
Agentic AI and consumer law: the CMA's guidance for businesses
The UK Competition and Markets Authority (CMA) has issued new guidance on how consumer protection law applies to AI agents that act autonomously on behalf of businesses. The guidance clarifies that businesses remain liable for misleading or deceptive actions performed by their AI agents, even if the actions were not explicitly programmed. This means companies must implement robust oversight mechanisms to ensure AI agents comply with consumer law, particularly in areas like pricing, product claims, and contract terms.
Why this matters today: As agentic AI moves from sandboxes to live deployments—such as Visa’s agent-initiated payments and Shopify’s merchant tools—regulatory scrutiny is intensifying. The CMA’s stance signals that “the agent did it” is not a valid defense. CEOs must now treat AI agent behavior as a direct extension of corporate responsibility, requiring updated governance, monitoring, and compliance workflows.
📊 How agentic AI triggers consumer law liability
flowchart TD
A[Business Deploys AI Agent] --> B[Agent Interacts with Consumer]
B --> C{Action Violates Consumer Law?}
C -->|Yes| D[Business Held Liable]
C -->|No| E[No Liability]
D --> F[Regulatory Enforcement]
F --> G[Fines, Redress, Reputational Harm]
📈 CMA enforcement focus areas for agentic AI (2026)
pie
title CMA Priority Areas for Agentic AI Oversight
"Misleading product claims" : 40
"Hidden fees & pricing" : 30
"Unfair contract terms" : 20
"Data privacy violations" : 10
📋 Key requirements from CMA guidance vs. EU AI Act
| Requirement | CMA Guidance (UK) | EU AI Act (Draft) |
|---|---|---|
| Liability for agent actions | Strict liability for consumer harm | Risk-based liability for high-risk AI |
| Monitoring obligation | Real-time oversight recommended | Post-market monitoring required |
| Transparency to consumers | Must disclose if agent is AI | Must disclose if AI interaction |
| Enforcement focus | Consumer protection & competition | Safety & fundamental rights |
🎯 CEO action plan: Treat AI agents as employees for compliance purposes. Implement agent activity logging, real-time alerting for prohibited behaviors, and regular audits of agent-consumer interactions. Update terms of service to clarify AI agent use and ensure consumer consent mechanisms are agent-aware.
Stay ahead of the AI shift
Daily enterprise AI intelligence — the decisions, risks, and opportunities that matter. Delivered free to your inbox.