The Competition and Markets Authority (“CMA”) has today (18 December 2019) given the tech sector an early Christmas present by publishing its interim report on its market study, commenced earlier this year, into online platforms and digital advertising. It will take until well after the last turkey sandwich has been eaten to grapple with all of the issues raised by the report, given the main document alone runs to almost 300 pages and is accompanied by 13 detailed appendices. However, some initial observations may be made already about the potential implications for a broader range of players than just the tech giants of Google and Facebook.
What is the CMA market study?
The CMA’s study is part of its wider strategy for digital markets and was launched in July 2019. Since then it has been gathering data from a wide range of sources. Under the framework of the Enterprise Act 2002 (“EA 02”) under which this study has been undertaken, the CMA has the powers to refer the market for an in-depth market investigation reference (“MIR”) at the end of this process where it (i) has reasonable grounds to suspect a feature of a market in the UK prevents, restricts or distorts competition and (ii) making such a reference appears to be an appropriate and proportionate response. Following completion of such in-depth process and where appropriate findings are made, the CMA has extensive powers under the EA 02 to make binding orders to address the concerns identified.
The CMA's provisional findings
In this case, the CMA’s provisional view is that there are reasonable grounds to suspect that there are features of markets – the open display advertising market, general search and search advertising markets and social media and display advertising markets – which distort competition. The concerns primarily relate to Facebook and Google and many of the proposed remedies relate to these companies which are described as platforms with Strategic Market Status.
Potential implications
However some of CMA’s proposals may have broader implications, either directly or perhaps indirectly. The CMA expressly recognises that many of the issues highlighted arise at the threshold between consumer, competition and data protection law and require engagement between the different regulators responsible for these areas. There is likely to be significant scope for influence between these particularly in light of the CMA’s comment that “cooperation is particularly important at the current time, when the interpretation and practical application of GDPR is still evolving.”
For example, the CMA is proposing a rule that all platforms should be required to give consumers an option to use their services without requiring in return the use of consumers’ data for personalised advertising. Arguably, this could worsen the web browsing experience of consumers if they are repeatedly shown inappropriate adverts and it could be detrimental to the sales of firms reliant on personalised advertising to generate business as well as potentially the website operators that sell the advertising space and intermediaries involved in the real time bidding of the same. The CMA is also proposing an ex ante obligation on platforms to design content and privacy policies in a way that facilitates consumer choice. This may necessitate a re-think by business owners about the functionality of their platforms without data tracking tools. In addition, updates may need to be made to privacy policies to set out the changes as to when personal data will be collected and how it will be used. Just-in-time cookie notices may also need to be updated to specifically provide consumers with the possibility of opting-in or out of the use of the cookies and similar technologies used to facilitate personalised advertising. These are proposed as remedies to improve transparency and give greater control over data. The CMA describes these as “significant changes” which would require “careful consideration.”
Next steps
The CMA does not, however, propose to make an MIR in order to take forwards these matters, despite the concerns it has identified and the powers it has at its disposal. Instead it proposes to make recommendations to government. It would therefore be left to government to decide whether to take forwards such proposals and on what timescales to do so. It will be interesting to see the extent to which the ICO might, as suggested above, be influenced by the CMA’s proposals in the interim.
Responses to the consultation on these areas, including the substantive concerns, remedies and the proposal not to make an MIR, are sought by 12 February 2020. The final report, taking account of responses to the consultation, is due in the summer of next year.
Further information
Please contact a member of the the Technology Law team if you would like to discuss these issues further.
Latest blogs & news
When can organisations rely on “consent” under data protection laws? The Court of Appeal clarifies in RTM v Sky Betting and Gaming
The Court of Appeal's recent decision in RTM v Bonne Terre Limited & Hestview Limited [2026] EWCA Civ 488 is an important one for any business/controller that relies on consent as a lawful basis for processing personal data or sending direct marketing communications. In short, the legal test for consent under data protection legislation is an objective one, not a subjective inquiry into the data subject’s internal state of mind.
“Recruitment Rewired”: what employers need to know about automated recruitment
On 31 March 2026, the Information Commissioner’s Office (ICO) published its Report, “Recruitment Rewired: an update on the ICO’s work on the fair and responsible use of automation in recruitment”, setting out its findings and regulatory expectations for employers using AI‑enabled or automated tools in recruitment.
Employment law changes tech businesses need to know about
A significant number of employment law reforms are coming into effect in 2026 and 2027 following the introduction of the Employment Rights Act 2025 at the end of last year.
Court of Appeal confirms scope of data controllers’ security obligations
In a recent decision, the Court of Appeal allowed the UK Information Commissioner's appeal against the decision of the Upper Tribunal in proceedings involving DSG Retail Limited ("DSG"). The case arose from a nine-month cyber-attack in 2017-2018 on DSG’s systems, during which the attackers scraped transaction data from point-of-sale terminals from over 5.6 million payment cards. The compromised data included card numbers and expiry dates but not cardholders' names, meaning the attackers could not directly identify individuals from the data alone.
Copyright & artificial intelligence: Progress, pause and persistent uncertainty
The UK Government has now published its March 2026 Report on Copyright and Artificial Intelligence, following its 2024–25 consultation on the use of copyright protected works in AI training. The outcome is significant - not for what it introduces but for what it postpones.
Government announces tough new late payment laws – what happens next?
The UK Government has confirmed a major package of reforms to tackle late payments, a persistent pressure point for small businesses, costing the economy £11 billion a year and contributing to 38 business closures every day.
What tech businesses need to know in 2026
At our recent Tech Briefing, 'What tech businesses need to know in 2026', we explored how the EU’s Digital Omnibus package and the UK’s Employment Rights Act will reshape compliance for UK tech SMEs.
Five common contract weaknesses – and how to fix them
Most commercial disputes don’t come from exotic legal issues - they come from everyday contract weaknesses that could have been avoided with a few smart tweaks
2026 marks a turning point for data governance in the UK
2026 is shaping up to be the most consequential year for UK data protection enforcement since the introduction of the EU/UK GDPR regime. With record fines issued in late 2025, a new enforcement playbook on the horizon, and shifting legislative and regulatory expectations, the Information Commissioner’s Office (“ICO”) is signalling a marked transformation in how it supervises, and sanctions, organisations.
Why limitation of liability clauses deserve more attention than they get
Too often, limitation of liability clauses are treated as standard boilerplate - something to tidy up at the end of a negotiation once the “real” commercial points are agreed.
From Seed to Series A and Beyond: 7 Key Insights for Tech Founders
In this article, we share 7 key considerations to help tech founders navigate the journey from seed funding to Series A and beyond.
Biggest EU Digital Shake-Up Since GDPR? What Businesses Need To Know
In November 2025, the European Commission unveiled its Digital Omnibus package – a set of proposals aimed at simplifying (not deregulating) EU rules on data protection, cybersecurity and AI.
Clearview AI ruling confirms UK GDPR applies beyond borders
In a recent decision on the UK GDPR’s global scope, the Upper Tribunal in The Information Commissioner v Clearview AI Incorporated and Privacy International [2025] UKUT 319 (AAC) confirmed that the UK’s data protection regime can extend well beyond its borders.
UK Tech SMEs & the November Budget
Founders and teams across the country are looking for signals that the UK still backs its innovators. Here’s what’s top of the wish-list:
Why does software ownership matter? Six key legal takeaways for tech businesses
For founders, investors and anyone involved in the tech sector, understanding who owns your software and how to prove it is critical. Whether you’re seeking investment, planning an exit or simply aiming to protect your IP, clarity on ownership can make or break a deal
Court of Appeal clarifies data protection claims for non-material damage: A win for claimants - But what are the implications for controllers and processors?
The Court of Appeal has recently handed down an important decision in respect of data protection law considerations in Farley & Others v Paymaster (trading as Equiniti) [2025] EWCA Civ 1117, providing clarity on the scope of infringement and compensation data protection claims under the UK GDPR and Data Protection Act 2018 (“DPA”). The judgment will be of particular interest to any service provider dealing with and processing large volumes of customer personal data.
Three Cautionary Tales for UK Tech Companies
In tech, the law often arrives after something has gone wrong. Here are three cautionary tales* and the lessons every founder, CTO and in-house counsel should take away.
Top five takeaways from the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (the “DUAA”), which received Royal Assent on 19 June 2025, introduces targeted reforms to the UK data protection legal framework — particularly the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
A game changer for data processors? The ICO issues a significant fine against a processor
The recent cyberattacks on major UK retailers have put cybersecurity back in the spotlight. But a more significant development for data protection practitioners has been flying under the radar: the Information Commissioner’s Office (ICO) has issued a notable fine directly against a data processor for breaching UK GDPR security obligations - an important shift in enforcement focus.
Key takeaways: What recent consumer law reforms mean for service providers
On 6 April 2025, the first wave of consumer protection provisions under the Digital Markets, Competition and Consumers Act 2024 (“DMCC Act”) came into force, marking the most significant overhaul of UK consumer protection law in over a decade.
Share insightLinkedIn X Facebook Email to a friend Print