2025 looks set to be a busy year of legal changes for businesses, with governments in both the UK and EU looking to introduce a range of laws to keep up with the pace of change in both business practices and technology.
In this series, our Commercial team highlight some of the key changes to look out for and how they might impact your business in 2025.
1. Consumer Rights
Who is affected:
Any businesses selling to consumers in the UK.
What is changing:
A host of new consumer rights requirements are being introduced in areas including misleading pricing, fake reviews and regulation of subscription contracts.
Under the new legislation (the Digital Markets, Competition and Consumers Act) the Competition and Markets Authority are also being given much stronger enforcement powers for consumer rights breaches.
What happens if we aren’t compliant:
The CMA will now be able to directly pursue consumer law non-compliance cases against businesses and levy fines of up to 10% of a company’s global turnover for breaches.
When do the changes come in:
These changes will be introduced in stages over 2025 and 2026, but the CMA’s enforcement powers will have effect from 2025.
What you should do:
Review and update your consumer terms and conditions and policies to ensure they’re compliant.
Review and update your customer purchasing flows to ensure your pricing is clear and all required pre-contract information is provided to customers at the right time.
Review your website to ensure there are no fake reviews of your products, and take down any that you find.
Implement reminder notices into your customer services systems where you’re selling subscription products.
Train your staff (particularly customer services staff) on the key areas of consumer law compliance (such as refunds, returns and complaints).
2. Data Protection
Who is affected:
Businesses undertaking direct marketing or using targeted online advertising (such as cookies or other tracking technology).
What is changing:
The rules around direct marketing and online tracking are being modernised to align them with the UK GDPR regime.
These changes include removing consent requirements for some tracking technologies used for analytics, clarifying the requirements for handling complaints from data subjects and easing restrictions on automated decision-making (including by AI systems).
What happens if we aren’t compliant:
The new legislation (the Data (Use and Access) Bill) increases the fines that can be imposed on non-compliant businesses to the higher of £17.5m and 4% of global turnover.
When do the changes come in:
To be confirmed.
What you should do:
Review your cookies policy, privacy notices and consent terms for direct marketing and online advertising.
Ensure you have a formal complaints procedure in place and provide a complaints form for data subjects to use for any complaints about use of their data.
3. AI
Who is affected:
All businesses, but particularly those developing, operating, selling or buying AI systems or services.
What is changing:
The EU has introduced extensive rules around the use of AI systems, including banning certain systems and requiring a range of additional compliance (including training, record keeping, transparency and cyber security measures) for other systems classified as high risk.
In the UK, the government is looking to introduce targeted legislation on certain areas (focussing initially on AI developers).
More generally, businesses will need to focus more on addressing AI-specific issues arising from their day-to-day customer and supplier arrangements as the use of AI systems in all walks of life becomes more prevalent.
What happens if we aren’t compliant:
Fines for breaches of the EU AI Act can be up to the higher of €35m or 7% of global turnover.
When do the changes come in:
The EU introduced its AI Act in 2024, although the majority of its requirements take full effect in 2026.
The full scope and implementation times for UK developments remain to be seen, but implementation is likely to be fairly quick given the speed of change in this area.
What you should do:
Anyone operating or serving customers in the EU should immediately assess their use of AI systems against the new AI Act requirements. Where any systems are likely to be within the scope of the Act, significant work will be required to implement the necessary protections, processes and training required to be compliant.
All businesses should ensure that they are clear on where AI is being used within their business or by their suppliers and ensure that their supplier contracts in particular have robust protections on the use of AI and any consequences of this (including for ownership of IP, confidentiality and data protection).
4. Product Regulation
Who is affected:
All businesses, but particularly those developing, operating, selling or buying AI systems or services.
What is changing:
The EU has introduced extensive rules around the use of AI systems, including banning certain systems and requiring a range of additional compliance (including training, record keeping, transparency and cyber security measures) for other systems classified as high risk.
In the UK, the government is looking to introduce targeted legislation on certain areas (focussing initially on AI developers).
More generally, businesses will need to focus more on addressing AI-specific issues arising from their day-to-day customer and supplier arrangements as the use of AI systems in all walks of life becomes more prevalent.
What happens if we aren’t compliant:
Fines for breaches of the EU AI Act can be up to the higher of €35m or 7% of global turnover.
When do the changes come in:
The EU introduced its AI Act in 2024, although the majority of its requirements take full effect in 2026.
The full scope and implementation times for UK developments remain to be seen, but implementation is likely to be quick given the speed of change in this area.
What you should do:
Anyone operating or serving customers in the EU should immediately assess their use of AI systems against the new AI Act requirements. Where any systems are likely to be within the scope of the Act, significant work will be required to implement the necessary protections, processes and training required to be compliant.
All businesses should ensure that they are clear on where AI is being used within their business or by their suppliers and ensure that their supplier contracts have robust protections on the use of AI and any consequences of this (including for ownership of IP, confidentiality and data protection).
5. Supply Chain and ESG
Who is affected:
All businesses supplying goods or services in the UK.
What is changing:
The UK government is likely to strengthen the current legislation on modern slavery and other human rights abuses in supply chains following a consultation on this last year. This is expected to include new due diligence requirements, mandatory rules for modern slavery statements and strong sanctions for non-compliance.
Meanwhile, businesses who supply packaging or packaged products will need to ensure they are complying with the reporting and payment requirements of the Extended Producer Responsibility Rules for Packaging.
What happens if we aren’t compliant:
It remains to be seen what changes, if any, will be made to the enforcement regime for modern slavery compliance, but a fining regime equivalent to other high priority areas such as data protection and consumer rights (with fines based on a % of company turnover) would not be surprising.
When do the changes come in:
The timeline for any proposed changes to the Modern Slavery Act is still to be confirmed.
The Extended Producer Responsibility Rules for Packaging are due to be implemented from October 2025.
What you should do:
On the modern slavery rules, most businesses should already have implemented the necessary processes and procedures to comply with the current regime (if you haven’t, you should do so immediately). It is therefore best to wait for further clarification from the government before making any further changes.
As for packaging producers, if you aren’t already up to speed on your obligations, you should get advice on which aspects of the regime will apply to you (as they vary between businesses) and what you need to do to get compliant.
You may also want to investigate potential third-party providers who can manage the EPR compliance process on your behalf, which is the approach most companies are taking.
If you have any questions or concerns regarding these changes, please contact a member of the Commercial team here.
The information on this site about legal matters is provided as a general guide only. Although we try to ensure that all of the information on this site is accurate and up to date, this cannot be guaranteed. The information on this site should not be relied upon or construed as constituting legal advice and Howes Percival LLP disclaims liability in relation to its use. You should seek appropriate legal advice before taking or refraining from taking any action.