Legal updates
ASA issues first rulings following UK ban on ‘junk food’ advertising
Contributors: Ellen Huison.
On 5 January 2026, new rules came into force under the Advertising (Less Healthy Food and Drink) (Brand Advertising Exemption) Regulations 2025 (‘Regulations’) affecting the advertising of ‘Less Healthy Foods’ (‘LHFs’), including products that are high in fat, salt or sugar (‘HFSS’). The Regulations significantly restrict advertisements for ‘identifiable’ less healthy food and drink products on television and online. They include a television watershed for LHF adverts between 5.30am and 9.00pm (after 9.00pm, certain rules still apply), and a total ban on paid-for online advertising (which includes social media adverts and influencer marketing).
The Advertising Standards Agency (ASA) recently issued its first rulings under the new Regulations, providing useful guidance on what is deemed to fall in, and out, of the scope of the Regulations, including how the ‘identifiability test’ will be interpreted (with the ASA stating that ‘the devil is in the detail’ when it comes to determining whether rules have been broken). The rulings emphasise that both the content and the context of the advertisements are relevant to the determination.
How could the changes affect your business?
Two of the rulings, published on 15 April 2026, looked at Instagram posts by influencers in relation to HFSS foods. One focused on an Instagram post by influencer ‘Big John’ promoting a range of new menu items by German Donner Kebab. In deciding not to uphold the ruling, the ASA concluded that the advertisement was not caught by the new Regulations, as none of the foods shown met the nutritional requirements to be classed as LHFs. German Donner Kebab was quick to highlight that, when offering Big John a choice of menu items to be included within the advertisement, it only selected those which would not be considered LHFs – and therefore would not be subject to the new advertising restrictions.
Lidl, however, was not so lucky. A post by influencer Emma Kearney featuring two bakery products was found to be in breach of the rules. Both items were shown prominently within the advertisement, and mentioned in the voiceover by the influencer. Although Lidl sought to argue that the advertisement was not intended to feature those two products specifically, the prominence of one of the bakery products (which was classified as an LHF, even though the other product was not) was considered to breach the Regulations. On the other hand, a third bakery product which was not mentioned in the voiceover, but appeared briefly in the periphery of the advertisement, was considered ‘incidental and fleeting’, and the advertisement was therefore not considered to be promoting this product – providing vital clarification of how ‘promotion’ may be interpreted in practice.
The ASA further clarified this point in its assessment of a television advert by travel company On The Beach, which depicted a boy taking a doughnut from a buffet in an airport lounge. Although the doughnut may be identifiable as an LHF and HFSS product, the ASA did not find a breach because the food was only incidental to the advert – viewers are expected to see it as a generic representation of the benefits of airport lounge access, rather than the doughnut as a focus of the advertising.
What steps should you take?
If your business has 250 or more employees and you manufacture, sell or promote less healthy food or drink products, you should confirm which of your products are in-scope and review your advertising and marketing plans in light of this assessment. While the ASA guidance states that ‘advertisements solely by or on behalf of businesses not involved directly in the supply of food or drink are highly unlikely to be subject to the rules’, the On The Beach ruling demonstrates that businesses outside the food sector should still take care if their adverts feature LHF products.
To determine whether your product is deemed ‘less healthy’, you will need to apply the ‘Nutrient Profiling Model’ and consider whether your product falls within one of the 13 categories listed in Schedule 1 of the Less Healthy Food Definitions Regulations. This schedule also sets out which products are exempt from these advertising restrictions – which could include food for special medical purposes, diet replacement products, or products for infants and young children (such as infant formula and baby food), for example.
It is also advisable to keep an eye out for any future rulings, as these will supplement the information and guidance already available – particularly in light of the ASA’s statement that, ‘By publishing rulings, we aim to give advertisers an even clearer sense of what’s allowed, supplementing our detailed guidance and advice already available to them’.
CMA issues first multi-million pound fine for ‘unfair commercial practice’ in first flex of new enforcement powers
Contributors: Ethan Cartwright and Ellen Huison.
On 15 April 2026, the Competition and Markets Authority (‘CMA’) fined Automobile Association Developments Limited £4.2 million for illegal drip pricing and ordered two of its driving schools (AA and British School of Motoring (‘BSM’)) to refund thousands of consumers for booking fees not included in the upfront price. This is the first time the CMA has used its new powers under the Digital Markets, Competition and Consumers Act 2024 (‘DMCCA’) to order repayments to consumers.
In 2023, the Department for Business and Trade found that almost half of online businesses (46%) use hidden or dripped fees, with consumers estimated to spend up to £3.5 billion extra online each year as a result. Following the introduction of the consumer provisions of the DMCCA, the CMA launched investigations in November 2025 into unlawful ‘drip pricing’ and other ‘unfair commercial practices’ (mainly in the arena of online pricing) allegedly undertaken by eight businesses. The investigation into the AA was the first of these to be concluded and demonstrates the pace at which the CMA is prepared to act.
The CMA found that learner drivers who booked lessons on the AA and BSM websites between April and December 2025 were shown a lower initial price that did not include a £3.00 mandatory booking fee, which was only revealed at the checkout stage. The practice of adding charges partway through, or at the end of the purchase process (also referred to as ‘drip pricing’) is a banned practice under the DMCCA. The AA co-operated with the CMA and admitted that it had breached consumer law, before taking immediate steps to update its website to address the issue. Their co-operation helped to secure a 40% discount on the fine levied by the CMA (reducing it from £7 million to £4.2 million) and the AA agreed to pay £760,000 in redress to 80,000 affected customers. Despite the AA settling the investigation with the CMA, its total penalty was still close to £5 million, not including legal and administrative fees.
How could the changes affect your business?
This decision demonstrates the robust approach that the CMA is taking to its new powers. Following a cross-market review of online pricing practices, it published price transparency guidance at the end of 2025 which affected businesses are expected to follow immediately. The guidance is aimed at anyone who advertises, markets, sells, or otherwise promotes products or services to consumers and provides that:
- consumers should be given the information they need to make informed decisions, shop around, and compare the prices of competing products;
- prices should not be misleading and, whenever possible, consumers should be presented with the total price of the product at the outset; and
- practices such as the ‘drip pricing’ seen in the AA decision and ‘partitioned pricing’, where a business provides component parts of a price without giving the overall total, are prohibited as they risk misleading consumers as to the true price and reduce the possibility to compare prices on a like-for-like basis.
A statement from the CMA’s Chief Executive following the AA decision illustrates the importance that the CMA attributes to ensuring compliance with consumer law:
“If a fee is mandatory, the law is clear: it must be included in the price from the very start, not added at checkout, so consumers always know what they need to pay…With our new powers, it will never pay to break the law or treat consumers unfairly. Where the rules are ignored, we'll step in to put things right.”
What steps should you take?
If your business is in a consumer-facing sector, you should consider an immediate internal audit of your pricing and sales practices including a review of every stage of your purchase process and experience for customers.
Be particularly mindful of ensuring that this process does not, directly or indirectly:
- present pricing information at the outset which does not include mandatory fees or charges (including delivery and booking fees) which are subsequently added to the price at a later stage;
- break pricing information down into component parts without being clear about the overall total price;
- involve time limited offers which do not end when advertised;
- opt-in customers automatically for additional services; or
- provide unclear and insufficient information about upfront fees for an annual subscription or membership.
The CMA’s other investigations into drip pricing and other unfair commercial practices, including those outlined above, are still ongoing. We will keep you updated on the outcome of these investigations and any future developments in an area where the CMA clearly means business.
Key takeaways
- Undertake an audit of the purchase process followed by your customers;
- Ensure your pricing practices are in line with the CMA’s 2025 pricing transparency guidance; and
- Monitor the outcome of the CMA’s ongoing investigations into unfair commercial practices and consumer-facing business practices.
CMA publishes guidance on the use of agentic AI in consumer-facing businesses
Contributors: Ethan Cartwright and Ellen Huison.
On 9 March 2026, the Competition and Markets Authority (‘CMA’) published guidance for businesses on how to use agentic AI when engaging with customers whilst ensuring compliance with consumer law. At the same time, the CMA also published research reviewing current and anticipated use of agentic AI and the associated risks and benefits. These publications make it clear that consumer protection laws, and the CMA's new direct enforcement powers as set out in the Digital Markets Competition and Consumers Act 2024 (‘DMCCA’), apply to conduct by AI agents in the same way as they do to human conduct.
How could the changes affect your business?
Agentic AI refers to autonomous AI systems which act as agents capable of reasoning, planning, and executing complex tasks to achieve specific goals with minimal human oversight, as opposed to conventional AI systems, which provide specific outputs or create content, based on inputs and prompts. Examples include using AI agents to deal with customer queries, process refunds, recommend products and manage marketing campaigns.
The guidance and research published by the CMA make it clear that businesses using agentic AI will remain liable for the shortcomings or errors made by the AI. This is consistent with the approach the CMA has taken in relation to AI in competition law. Where those businesses have contracted with the consumers affected by the errors, as agentic AI is not considered a party to that contract under UK law, actions for breach of contract cannot be brought against the AI but instead must be brought against the business.
Given that the CMA has wide enforcement powers under the DMCCA, and that failure to comply with consumer protection provisions could result in fines of up to 10% of global turnover, this guidance is a timely reminder for consumer-facing businesses who use AI agents. Such businesses must make sure their AI agents are designed and trained to comply with consumer and competition law. The CMA states:
“Consumer law requires you to treat your customers fairly. It does not matter whether they interact with (or get information produced by) a person or an AI agent. It’s important to remember that you are responsible for what an AI agent does in the same way you are responsible for what an employee does”.
In summary, the CMA acknowledges that AI has the potential to boost economic growth and improve people’s everyday lives and it is committed to encouraging its use. However, at the same time, the CMA states that AI must be used responsibly and in compliance with consumer law.
The four key points arising from the CMA’s guidance are:
- Tell your customers if you use an AI agent: Businesses use AI agents in different ways which could be confusing for consumers so always be clear and open about when and how you are using them in order to build trust. Consumers should be given the information they need to be able to make an informed decision and should not be misled.
- Train your AI agents to comply with consumer law: The starting point is to consider what your AI agent will be doing and how this will impact your customers. Think about the data that the AI agent will need to complete its tasks and how to prompt it to respect a customer’s statutory and contractual rights, avoid misleading customers and obtain all requisite consents. Ensure that rigorous testing of the AI agent’s performance in these regards is undertaken before it is deployed.
- Monitor how your AI agents are performing: An AI agent’s performance must be regularly checked to ensure it is delivering the right results, behaving as intended and complying with consumer law. This should be done by keeping a human in the loop, who actively checks that the AI agent is making correct decisions and generating expected results whilst ensuring legal compliance.
- Refine the AI agent quickly if there is a problem: If an AI agent is performing in a way which may result in infringements or potential infringements of the law, you should act quickly to address the problem. This will be the case in particular where an AI agent interacts with large numbers of consumers, especially those who are considered vulnerable.
Using a third-party supplier of AI tools does not remove your risk as you will remain liable for actions taken by your business. It is therefore important to consider the above items when carrying out due diligence on suppliers of such tools and when negotiating contracts with them to give you sufficient rights to audit what they are doing and suitable remedies if there are problems.
What steps should you take?
The CMA guidance is clear and contains useful worked examples of common use cases so you should review that guidance if your business is consumer-facing and you want to build agentic AI into the processes which your consumers will engage with.
Before launching a new AI agent in practice, carefully map and consider what it will be doing and how this will impact consumers and then ensure compliance with the four key points outlined above at all times. It is critical to develop robust processes and policies for training and testing the AI agent at the outset as well as for ongoing monitoring and refinement once it is deployed. These processes must provide for the oversight of a human with appropriate experience and knowledge of consumer law and you should ensure that all staff who will be involved are trained on these issues.
Finally, carry out careful due diligence on your suppliers of such agentic AI tools to ensure that the supplier also complies with the CMA guidance when developing the tools and ensure that contracts with your suppliers give you the audit rights you need to monitor their ongoing compliance as well as remedies in the event of a problem occurring.
Key takeaways
- Review the CMA guidance;
- Map your use cases of agentic AI and how they will impact consumers;
- Develop processes and policies to ensure compliance with the four key points set out in the guidance; and
- Review due diligence processes for suppliers of AI tools and your contracts with them to ensure they are fit for purpose in terms of compliance with consumer protection.
What new ICO and CMA guidance means for the future of agentic AI
Contributors: Clare Gray and Tori Lethaby.
March was a busy month for the Information Commissioner’s Office ('ICO') and Competition and Markets Authority ('CMA') – marked by the respective publications of draft ‘Automated decision-making, including profiling’ guidance (currently out for consultation until 29 May 2026), and ‘Complying with consumer law when using AI agents’ guidance. There is a high degree of alignment in approach between the ICO and CMA to AI governance: while both regulators recognise the potential significant benefits of using AI, both also underline there are key risks that need to be carefully and responsibly managed.
Agentic AI systems do more than execute fixed instructions: they learn, reason, problem-solve, and make autonomous decisions. Examples include customer support agents and personal AI assistants. If you are considering using, or are already using, agentic AI to make decisions which affect your customers (who are classed as consumers), then it is likely that you will need to comply with both the CMA’s guidance and the ICO’s guidance once finalised.
If all three of the following criteria apply to you, your use of agentic AI will fall under the ICO’s automated decision-making (‘ADM’) provisions (and required safeguards):
- you use a system that makes a decision(s) about someone;
- the decision is a significant decision (meaning that it has legal or similarly significant effects); and
- the decision is solely automated (in other words, there is no meaningful human involvement).
The ICO sets out key measures and safeguards in its draft guidance (as it is still in draft form, it may be subject to change) that should be followed to ensure that your ADM processes are fair, lawful and transparent.
How could the changes affect your business?
The key requirements of the ICO draft guidance, and alignments with the CMA guidance, include:
Accountability: Both regulators emphasise the need for organisations to take proactive and ongoing responsibility for agentic AI used within their businesses, instead of treating it as a one-off compliance tick-box exercise.
The ICO guidance requires you to:
- assess and document your lawful basis for processing;
- be responsible for the overall compliance of ADM used (including third-party systems), such as by carrying out Data Protection Impact Assessments and documenting processing activities;
- have a robust monitoring framework in place for bias and errors; and
- provide individuals with mechanisms to challenge decisions.
The CMA emphasises that you are equally responsible for the actions of an AI agent as you are for those of an employee and that the requirements of UK consumer law apply in the same way to customers regardless of whether you use AI or human agents (including in circumstances where a third party designs or provides the AI agent on your behalf).
Transparency: Being transparent about automated processes is an important aspect of strong AI governance, and both regulators are aligned on this.
The ICO guidance requires you to provide people with information about all ADM you carry out about them, with a strong focus on transparency and explainability to individuals about how and why you reached the decision about them, and the impact of the decision on them. This is of particular importance if, for example, an individual is unhappy with the ADM that you have carried out about them and contests that decision. In such circumstances, it is key that you understand the underlying rules that apply to your ADM, or factors that have influenced it, to enable you to explain clearly the rationale behind the decision about that individual.
The CMA provides that you must tell customers where you are using an AI agent so that it is clear they are dealing with AI instead of a human – for example, during interactions with chatbots. The CMA stresses that being clear and open with customers is a good way to build trust, that you should provide information that customers need so they can make informed decisions, and that you should not mislead them.
Monitoring and effective incident response mechanisms: Both regulators are aligned on the need for robust, ongoing monitoring of AI agent performance to diagnose any quality issues, bias, or other errors, as well as the need for effective incident response mechanisms.
The ICO guidance requires you to have mechanisms in place to diagnose any quality issues or errors as well as a process to document how you intend to resolve them. Further, where someone is unhappy with the ADM you have carried out about them, they must have the right and ability to query that decision, obtain human intervention, or contest that decision – and you need to tell them how they can do this at the point you provide the decision.
The CMA emphasises that, where it is apparent that an AI agent is not performing as expected, you need to act fast to resolve the issues: “If you do not act quickly to address problems, you may end up breaking the law – ultimately, if an AI agent does something illegal, you will be responsible”.
Human oversight: As AI models can be susceptible to errors and bias, misinterpret data, and ‘hallucinate’ results that are nonsensical or inaccurate, both regulators underline the importance of human oversight.
Human intervention must be substantive, meaningful and ‘cannot be tokenistic’. The ICO emphasises that “the right to obtain human intervention is a key safeguard in the ADM provisions”. Human reviewers should: (i) be appropriately trained or qualified so that they can carry out reviews of decisions and understand the system’s outputs, limitations and risks, (ii) be able to influence the outcome, and (iii) have discretion and authority to alter the decision.
The CMA guidance requires you to have a human in the loop to check proactively decisions made by an AI agent, and provides that “Regular human oversight is important to catch mistakes and ensure that AI agents are completing tasks in a legally compliant way”.
What steps should you take?
If you use, or want to use, ADM in your business processes, it is imperative that you review the ICO draft guidance and build in meaningful policies and safeguards to ensure that your use of agentic AI complies with the requirements around accountability, transparency, monitoring and incident response mechanisms and human oversight. If your customers are consumers, you should also review the CMA guidance to ensure compliance from all angles.
Key takeaways
- Review the draft ICO guidance on agentic AI;
- Formulate meaningful policies and safeguards to ensure compliance; and
- Where relevant, review the CMA guidance on agentic AI.
Protecting children and their personal data online
Contributors: Izzy Gould.
Protecting children and their personal data online has become a growing priority in the UK in recent years, with significantly increased attention from legislators and regulators in recent weeks. In March and April 2026:
- The Information Commissioner’s Office ('ICO') published an open letter to technology companies, calling on them to strengthen age assurance measures to prevent children accessing services not intended for them.
- The ICO and Ofcom issued a joint statement clarifying how service providers can comply with both the Online Safety Act 2023 ('OSA') and UK data protection laws when implementing age assurance measures.
- The House of Lords showed growing support for proposals to restrict under 16s’ access to social media and, more recently, voted by a majority to ban mobile phones during the school day.
- A claimant, who began using social media as a child, succeeded in a claim against Meta for mental health harms linked to her social media addiction, bringing renewed attention to addictive platform design and its impact on children.
These build on the measures introduced in recent years:
- The ICO introduced the Children’s Code in 2021, which requires online service providers to implement stronger privacy protections for children.
- In 2023, the OSA introduced new legal duties on online service providers to protect their users, particularly children, from illegal and harmful content, with the risk of significant fines for non-compliance.
It is clear that, even following the implementation of the OSA, there are still continuing concerns that greater protection is needed to protect children and their data online. The UK government has signalled the potential for a further crackdown on harmful online content and addictive platforms.
How could the changes affect your business?
These developments are relevant to any organisation that offers digital services that are likely to be accessed by children, whether or not children are the intended audience.
Increased scrutiny is being placed on how children’s personal data is collected, used, shared, and profiled, particularly where data drives addictive design features, or targeted and/or harmful content.
Existing policies should be reviewed to make sure they comply with the ICO’s Children’s Code. This includes reviewing Data Protection Impact Assessments ('DPIAs'), providing clear and age‑appropriate information to children, limiting profiling, defaulting to ‘high privacy’ settings, moderating content appropriately, and using age‑assurance measures.
There are already substantial penalties for organisations which fail to meet their legal obligations under the OSA, including fines of up to £18m or 10% of a company’s global annual turnover, whichever is higher. The ICO can also impose UK GDPR fines, and recent examples include Reddit (£14.47 million) and MediaLab (£247,590), for failing to implement age assurance measures, and for the unlawful processing of children’s personal data in a way that potentially exposed children to inappropriate, harmful content.
Organisations should “watch this space”, as stricter enforcement will likely follow, particularly as the ICO and Ofcom are clearly working closely together in this area as a regulatory priority, increasing the risk of enforcement action.
What steps should you take?
If you have not already done so, you should assess, as a priority, whether your services fall within scope of the OSA, and whether children are likely users of your goods and services.
Where children are users, you should urgently work to meet the Children’s Code on aspects like content moderation, data minimisation, profiling, age assurance, and platform design.
If your organisation processes children’s personal data, you should carry out a DPIA, if you have not done so already. Any existing DPIAs should be reviewed and updated to reflect evolving expectations and requirements, and new/updated guidance.
Regulators have been clear that protecting children’s privacy online is an ongoing priority. Failure to act promptly increases the risk of regulatory enforcement, financial penalties under the OSA and UK data protection laws, reputational damage, and increased litigation risk where harm to children can be linked to data driven design choices.
Trade unions to gain unprecedented right of access under new rules
Contributors: Clive Day and Cory Doran.
Historically, trade unions have not had a general independent right to access a workplace – rather, access has previously only come with formal standing (recognition) in respect of a group of workers.
From October 2026, this is set to change. Section 59 of the Employment Rights Act 2025 inserts a new Chapter 5ZA (new sections 70ZA to 70ZN) into Part 1 of the Trade Union and Labour Relations (Consolidation) Act 1992 to give trade unions the right to access workplaces. This access can be either physical or digital.
At the end of 2025, the government consulted on how this right would work in practice. On 8 April 2026, the government published the outcome, together with the draft Code of Practice on the ‘Right of Trade Unions to Access Workplaces’ (‘Draft Code’) which sets out practical guidance on how the statutory right of access should operate in practice – including how access requests should be made, how employers should respond, how constructive engagement should be facilitated, and how the Central Arbitration Committee (‘CAC’) will exercise its functions where agreement cannot be reached. Trade unions will be able to request access for the purposes of meeting, recruiting, representing or organising workers, or to facilitate collective bargaining.
How could the changes affect your business?
Where an access request is made, qualifying employers should respond, outlining whether the request is agreed or declined, within 15 working days. If discussions continue, parties then have a further 25 working days to negotiate the terms. Businesses may need to provide meeting space, digital access, and ensure privacy for union-worker discussions regarding access.
Employers must take reasonable steps to accommodate a trade union’s request, but this should not come at the expense of the day-to-day operations of the business. Ultimately, where no access agreement is reached, the CAC will have the power to impose one.
Any agreement reached must be registered with the CAC. In the event of repeated breaches of any access agreement or failure to negotiate terms, the CAC can impose access terms and issue financial penalties ranging from £75,0000 to £500,000.
Stronger access rights will likely result in stronger collective bargaining – typically reflected in increased wages, enhanced worker benefits, and improved conditions. Some businesses may also lose the flexibility they once enjoyed, as more organised labour generally increases the likelihood of formal grievances or industrial action – which can, in turn, increase operational risks.
What steps should you take?
While the relevant legislative provisions are not due to come into force until October 2026, now is the time to familiarise yourself with the requirements.
It is crucial to remain alert to the possibility of a short-notice request for access, and the importance of not being caught out by the need to respond within 15 working days.
In particular, you should review the Draft Code and monitor the associated consultation, which will culminate in a final version being published which employers must comply with: failure to do so carries a risk of intervention by the CAC and potential financial penalties. Employers unfamiliar with trade union participation may need to prepare themselves, as the impact of trade union involvement in the workplace will increase significantly in certain sectors.
Key takeaways
- Remain alert to the need to follow strict timelines and negotiation duties if you receive a request from a trade union for access; and
- Review the Draft Code and await the final version which will be published following completion of the associated consultation.
Breaking down the proposed ban on upwards-only rent reviews
Contributors: Matthew Sharpe, Maryam Collett, Amy Evans, and Alexandra Jones.
The English Devolution and Community Empowerment Act 2026 (the ‘Act’) has now received Royal Assent, although secondary legislation will be needed to enforce the ban on upwards-only rent reviews.
Once the relevant sections of the Act are in force, it would spell the effective ‘banning’ of upwards-only rent reviews for commercial leases – in turn presenting pertinent changes for how commercial leases are drafted and negotiated.
The new rules will apply primarily to newly granted business leases where either:
- a new passing rent is not known or specified on an existing rent review (i.e. it is subject to an external factor and cannot be determined when the lease is granted), or
- where existing leases are varied after the Bill is passed so that they do not specify a new passing rent.
Both elements 1 and 2 (defined below) must be included for the purposes of a rent review.
Element 1 refers to an amount of rent ('Reference Amount') being determined by reference to an index or multiplier, the actual rent, a hypothetical market rent or a turnover amount. Element 2 applies when the new passing rent (or reviewed rent) will be different from the Reference Amount.
How could the changes affect you?
It is usual to see terms in commercial leases which allow for rents to be reviewed so they are the highest of the existing rent or the new rent that was calculated by reference to an index or multiplier. This ensures a minimum baseline of rent that can either stay the same or increase. It is uncommon to see rent review provisions that allow rent to decrease.
The consequence of a newly-granted lease or relevant variation incorporating the above is that rent reviews cannot result in a rent higher than the Reference Amount.
Any rent review mechanism which does prescribe a rent higher than the Reference Amount will be rendered ineffective by the new legislation – resulting in the rent instead being set at the Reference Amount.
Accordingly, the changes not only look set to have the effect of banning ‘upwards-only’ rent reviews – but could also culminate in a reduction of the rent payable.
Terms which allow for rent to go both up and down at the relevant review date will be accepted, along with stepped fixed rents. Caps on rent reviews are also permitted.
Existing leases granted before these provisions come into force will be unaffected, provided that any variation of them does not fall into the above category.
However, a recent amendment to the Act does introduce a retrospective element: all tenancies granted via a tenancy renewal arrangement which was entered into on or after 17 March 2026 will be caught by the new rules proposed under the Act. This mechanism is devised to catch any kind of arrangements for future leases, whether or not they would be regarded as a contract.
Upwards-only reviews are the cornerstone of how property assets are valued; the proposals will change the complexion of the property investment market. While the government’s intentions appear to be limited to trying to address the vacant retail units, the impact of the proposals will be much more widespread – covering sectors other than just retail.
This could result in the adoption of shorter leases which do not allow the tenant to renew the lease under the Landlord and Tenant Act 1954. Stepped rent increases and index-linked reviews which allow for the rent to go up and down will inevitably rise in popularity. There will likely be a knock-on impact on other commercial terms in such arrangements.
There is also an indication that the government will look to introduce further guidance permitting landlords to rely on two or more Reference Amounts, so long as the calculations allow the Reference Amounts to both increase and decrease.
It is unclear what the timeline will be before the ban becomes legally binding but it will not take immediate effect now the Act has passed. The government has indicated an intent to consult on permitting the inclusion of collars in rent review clauses. These agree a maximum decrease in the rent and are usually seen alongside caps to the maximum increase which promotes fairness between parties. This consultation will no doubt push back the introduction of the ban, but it may not push back the introduction of the retrospective element covering renewal arrangements, which could become retrospectively binding much sooner.
What steps should you take?
The Act is now law, but the ban is still pending – signalling change for the way in which the commercial property sector negotiates and deals with rent reviews.
Most newly-granted commercial leases, options to renew, and any variations around rent to existing leases will be caught by these provisions, so it is paramount to get on top of these changes early to ensure a smooth transition if (or when) the ban under the Act comes into force.
The government have confirmed that further guidance will be given before the ban takes effect, but parties should be looking at lease structuring and drafting now to be prepared.
Key takeaways
- Landlords may face immediate exposure on tenancy renewal arrangements.
- Drafting may be more complex in the short term while parties grapple with the proposals.
- Existing leases entered into before the commencement will generally be exempt.
- The requirement of upwards-only rent reviews as a condition of being able to sublet will also be affected.
What new draft money laundering regulations could mean for you
Contributor: Martin Bourne
The draft Money Laundering and Terrorist Financing (Amendment) Regulations 2026 (‘2026 Regulations’) were laid before Parliament on 26 March 2026, and, once they take effect, will make several changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘2017 Regulations’) – some of which may prove significant.
The 2017 Regulations govern how professionals subject to the UK’s Anti-Money Laundering regime (such as bankers, lawyers and accountants) must conduct customer due diligence on their clients. Now, the 2026 Regulations:
- amend anti-money laundering customer due diligence and introduce enhanced due diligence provisions, including in respect of ‘unusually complex or unusually large’ transactions, high‑risk jurisdictions, pooled client accounts, and onboarding of customers following a bank insolvency;
- convert monetary thresholds from euros to sterling in a manner consistent with Financial Action Task Force standards;
- update provisions for crypto asset businesses to align with the Financial Services and Markets Act 2000 framework for crypto assets, which will be introduced in October 2027;
- expand and refine trust registration requirements in Part 5 and Schedule 3A of the 2017 Regulations – including extending registration to certain non‑UK express trusts holding UK land, extending the two-year exemption from registration of trusts arising on death, introducing an exemption for Scottish survivorship destination trusts, and implementing a de minimis exemption for low‑value, low‑risk trusts;
- remove Stamp Duty Reserve Tax from the list of ‘relevant taxes’ which trigger registration with the trust registration service;
- clarify the scope of regulated trust or company service provider activity so that the sale of ‘off‑the‑shelf’ firms is subject to obligations under Money Laundering Regulations; and
- update information‑sharing and co‑operation provisions so that supervisory authorities can share relevant information with the Registrar of Companies and the Financial Regulators Complaints Commissioner.
How could the changes affect your business?
The changes introduced by the 2026 Regulations may not be ground-breaking – but they could have significant ramifications for anyone involved in customer due diligence processes and crypto businesses alike.
For those involved in anti-money laundering customer due diligence processes, the 2026 Regulations:
- Make it easier to identify what counts as a 'complex or unusually large' transaction by specifying that 'a transaction is unusually large in each case given the nature of the transaction.' This new wording is important, because it requires relevant persons to judge size and complexity based on the transaction itself, rather than on a general idea of what looks strange.
- Change the definition of ‘high risk jurisdictions’. Under the 2017 Regulations, a connection with a high-risk jurisdiction mandates the application of enhanced due diligence. The new definition restricts high-risk jurisdictions to those identified on the Financial Action Task Force’s blacklist (currently only Iran, North Korea and Myanmar), whereas the current definition captured 22 other countries on the Task Force’s grey list (including Monaco, Bulgaria and the British Virgin Islands). The identification of fewer high-risk jurisdictions in the 2017 Regulations hardly enhances the fight against money laundering. Many jurisdictions notorious for acquisitive crime and money laundering do not feature on either list, and relevant persons should be guided by the Basel AML Index or Know Your Country Ratings Table in judging whether a jurisdiction is high-risk for money laundering.
- Introduce a risk-based approach to due diligence. Whereas the 2017 Regulations permit banks providing ‘pooled’ (client) accounts to apply simplified due diligence, the 2026 Regulations introduce a requirement to apply a risk-based approach to due diligence. This change is likely to result in banks requiring solicitors and other professionals who utilise client accounts to provide more information about their clients, in turn imposing upon them a new administrative burden.
For the crypto sector, the new regulations will:
- Introduce new, enhanced customer due diligence requirements for crypto-asset businesses (such as exchange providers and custodian wallet providers) when they enter into a correspondent relationship with similar providers in other jurisdictions.
- Require crypto-asset businesses to gather information from reliable public sources about the respondent to enable them to (i) understand the respondent’s business, its reputation, and the quality of its AML supervision; and (ii) assess its controls which are designed to stop money laundering and terrorist financing. Businesses will also be required to obtain approval from senior management before entering into such relationships.
- Sharpen regulatory focus on crypto-asset businesses – which have long been identified as attractive to money launderers. Tighter regulation will serve to restrict the extent to which crypto assets can be used to store the proceeds of crime, in turn reducing the customer due diligence burden on relevant persons who receive monies which derive from their clients’ sale of crypto assets.
What steps should you take?
Affected businesses should review the 2026 Regulations very carefully, ensure that their policies and processes remain both compliant and fit-for-purpose in light of the changes, and implement training on the changes for their employees.
Key takeaways
- Check whether your policies and processes comply with the 2026 Regulations;
- Ensure that any existing measures are still fit-for-purpose; and
- Train your employees on the 2026 Regulations.
Home Office issues new guidance on ‘Martyn’s Law’
Contributors: Martin Bourne and Alasdair Williams.
The Terrorism (Protection of Premises) Act 2025 (the ‘Act’) – commonly known as ‘Martyn’s Law’ after one of the victims of the Manchester Arena terrorist attack – received Royal Assent in April 2025. Its purpose is to ensure that businesses and event organisers are better prepared so that, in the event of a terrorist attack, lives may be saved.
While the Act is not expected to come into effect until 2027, the Home Office issued extensive guidance for businesses on 15 April 2026, providing worked examples and flowcharts to help premises operators and event organisers identify whether they fall within the scope of the Act, and understand their obligations – effectively marking the beginning of the countdown to formal implementation.
Alongside the Home Office guidance, a public consultation has been launched by the appointed regulator, the Security Industry Authority (‘SIA’), on its own section 12 guidance on Martyn’s Law. The draft guidance sets out information on the SIA’s functions, including the use of its investigatory and enforcement powers.
If you would like to contribute to the public consultation on the SIA’s section 12 guidance, you can do so here until 12 June 2026 (this consultation only relates to the SIA’s guidance, not the Home Office guidance issued on the same day).
How could the changes affect your business?
The Act will affect qualifying businesses which have at least one building that is publicly accessible – including, but not limited to, retail, leisure, entertainment and healthcare settings. Obligations are split into ‘standard tier’ requirements (for those routinely expected to have 200 people or more on site, including staff), and additional ‘enhanced tier’ requirements (for those which host 800 or more people).
Notable exemptions are provided for events held at premises wholly or mainly used for worship, childcare, primary, secondary, or further education which, due to special considerations, are not in-scope for qualifying events. However, the premises themselves may still be classed as qualifying premises for the purposes of the standard tier duty.
If you are an operator of qualifying premises, or the organiser of any qualifying events, you will be under a legal duty to:
- notify the SIA that you have become responsible for qualifying premises or a qualifying event (or that you have ceased to be responsible);
- ensure appropriate public protection procedures are in place, which must include procedures for evacuation, invacuation (within a premises), lockdown, and communication (alerting people to danger); and
- co-ordinate with other responsible persons as required.
If you are responsible for enhanced tier premises and qualifying events, you must additionally:
- ensure appropriate public protection measures are in place – including measures for detecting suspicious activity, plans for controlled movement of people, physical safety and security measures to mitigate against a theoretical attack, and security measures to protect operational information;
- document the procedures and measures that are in place, or that you plan to put in place, including an assessment of how they are expected to reduce the risk of physical harm to individuals and/or reduce the vulnerability of the premises or event;
- designate a senior individual within your organisation with responsibility for ensuring compliance (where the responsible person is an organisation); and
- co-operate with the responsible person as required where you have control of premises but are not the responsible person.
If you operate a premises that can reasonably expect fewer than 200 people at any given time, you may fall outside of the scope of the Act. However, even relatively modest operators with variable attendance numbers should think carefully about whether they exceed this threshold, even if only occasionally.
While the SIA is likely to use guidance, advice and warning notices to encourage compliance in the first instance and to promote a collaborative approach, it should be noted that there will be a civil penalty regime to deal with non-compliance. The SIA is also empowered to issue compliance notices (to compel compliance with the requirements) and restriction notices (to prohibit activities or events where there are serious deficiencies). Ignoring such notices can amount to a criminal offence – as can the provision of false or misleading information to the SIA. While only summary, these offences are imprisonable – although an unlimited fine is more likely to be the usual consequence.
What steps should you take?
Reviewing the Home Office’s official guidance is a vital preparatory step for any affected business ahead of the Act’s implementation. You should therefore:
- apply the known facts about the premises or event to the definitions and flowchart tests set out within chapters 4 and 5 of this guidance to work out whether you meet the threshold and, if so, which tier applies;
- identify who is in control and has responsibility for complying with the Act if you operate in premises with different owners and occupiers, or premises with two or more uses (note that the Act expects parties to cooperate and coordinate in said circumstance, rather than try to delegate responsibility);
- designate a senior individual within your organisation to be responsible for ensuring compliance and drafting policies and procedures;
- give serious thought to your obligations, and how these can best be met to reduce undue risk and disruption to your operations – for example, preparing relevant policies and procedures in good time ahead of the Act being formally implemented, noting that if you are subject to ‘enhanced tier’ obligations, significant preparation will be required; and
- if you are a qualifying business, it may also be prudent to check how your insurance policies may be impacted, and whether cover will be dependent on meeting specific standards.
Key takeaways
- Identify whether your premises or event falls within the scope of the Home Office guidance;
- Work out which person or organisation has responsibility for complying with the Act, especially in premises with multiple occupiers;
- Designate a senior employee to be responsible for ensuring compliance; and
- Start reviewing your policies and procedures ahead of the Act’s implementation.
Goods exporters face stringent requirements under new compliance measures
Contributor: Saleema Brohi
On 13 May 2026, the Sanctions (EU Exit) (Miscellaneous Amendments) Regulations 2026 (‘The Regulations’) come into force.
Amongst the most notable changes, the Regulations introduce a new compliance mechanism, known as the Sanctions End-Use Controls, which will give the UK government the power to impose a targeted licence requirement on exports where it identifies that the goods or technology might be diverted to a sanctioned destination or end-user, even where the items are not otherwise subject to export controls. Once the business has been formally notified, it must not export, transfer, or make goods available without a licence. Doing so is a sanctions breach – which, under most UK sanction regimes, would constitute a criminal offence, and could also expose the business to civil monetary penalties and enforcement action.
Alongside the introduction of the End Use Controls, the Regulations make a series of technical amendments across country-specific regimes including updated monetary thresholds, the removal of certain penalty-related provisions that are no longer required, and the introduction of a new flexibility to allow notices to be issued electronically.
Taken together, the changes reflect a broader shift in UK sanctions policy towards pre-emptive, intelligence-led intervention – enabling regulators to act before goods leave the UK, and before any breach has occurred. The changes also signal a more assertive enforcement posture as the UK aligns itself with the approaches adopted by the EU and US (which focus heavily on diversion risk, particularly in relation to Russia, Iran and other high-risk jurisdictions).
How could the changes affect your business?
The introduction of the End Use Controls will have practical implications for any business involved in the export of goods or technology – even when those items are not normally considered high-risk.
Significantly, exporters may now be required to obtain a licence for goods which previously fell outside the scope of the export controls regime. This requirement can occur at short notice and, once notified, businesses must immediately halt the export or transfer until a licence is granted, potentially leading to operational delays, supply chain disruption and the need to renegotiate delivery timelines with customers.
The changes also increase the compliance expectations faced by businesses. Regulators are likely to expect more robust due diligence on end-users, intermediaries and supply-chain routes, and businesses may encounter more questions from banks, insurers and logistics providers who will also be adjusting their own risk assessments in light of the changes.
The ability to issue notices electronically could also result in you receiving notices more swiftly, underscoring the importance of ensuring that your internal processes allow such notices to be identified and escalated promptly.
What steps should you take?
You should review and strengthen your sanctions and export-control compliance policies, with a particular focus on diversion risk-assessment. This includes updating due-diligence procedures, screening processes and contractual protections to ensure that end-use and end-user information is verified and documented. You should also review your supply chains to identify transactions that could attract regulator attention and consider whether additional licensing advice is appropriate for higher-risk exports.
Finally, you should review your internal escalation routes to ensure that any End Use Control notifications are flagged and escalated promptly. Staff involved in sales, logistics and compliance should receive updated training on the End Use Controls to ensure that your organisation can respond quickly if necessary.
Key takeaways
- Review your sanctions and export-control compliance policies, due diligence processes, and internal escalation routes;
- Review your supply chains to identify any regular transactions which could fall within the scope of the Regulations; and
- Implement training for your staff covering the End Use Controls.
Please be advised that these are selected updates which we think may be of general interest to our wider client base. The list is not intended to be exhaustive or targeted at specific sectors as such, and whilst we naturally take every care in putting our monthly horizon scanning updates together, our articles should not be considered a substitute for obtaining proper legal advice on key issues which you or your business may face.