AI consumer protection UK: how four regulators are building it without an AI Act
In short: AI consumer protection UK is being built without a standalone AI Act. On 3 June 2026 the Digital Regulation Cooperation Forum (DRCF), the joint forum of the ICO, FCA, CMA and Ofcom, opened a call for input on consumer interest and AI. It gathers the consumer evidence the four regulators need to apply rules they already hold. The first deadline is 3 July 2026.
A firm that puts a generative or agentic AI tool in front of consumers in the UK has no single AI statute to comply with. It has sector regulators, each applying the rules it already holds. On 3 June 2026 four sector regulators, working together as the Digital Regulation Cooperation Forum (DRCF), asked the public what consumers actually fear about AI, and what they will tolerate in exchange for its benefits. The answers will shape how the UK enforces consumer protection for AI, even though no new AI law is on the table.
Why the UK has no AI Act, and what it has instead
The UK decided in the AI White Paper of March 2023 (A pro-innovation approach to AI regulation) not to create a standalone AI statute or a new AI regulator. It told existing regulators to apply five cross-sector principles within their current remits: safety and security; transparency and explainability; fairness; accountability and governance; and contestability and redress. Those principles are not statutory. They are applied through the powers each regulator already has.
The DRCF keeps sector regulators aligned. Set up in 2020, it brings the CMA, ICO, FCA and Ofcom together to make digital regulation more coherent across their remits. It is not a legal entity in its own right and holds no powers of its own. The new call for input sits inside the DRCF’s Consumer interest and AI project, and it does one thing the White Paper principles left undone: it builds the consumer evidence that gives those abstract principles content.
What the DRCF call for input on AI consumer protection asks
The call runs in two phases. Phase one (questions 1 to 16) examines consumer attitudes: how much risk consumers will tolerate from generative and agentic AI in exchange for convenience and lower cost, how far they understand the technology, whether disclosures and consent mean anything to them, and who they expect to be accountable when AI causes harm. The deadline is 3 July 2026. Phase two (questions 17 to 28) asks what tools, frameworks and obligations can deliver good consumer outcomes in practice. The deadline is 2 September 2026. Responses go to the DRCF via Ofcom and are treated as submitted to all four regulators. The DRCF notes that submissions may be disclosed under the Freedom of Information Act 2000.
Two points in the questions matter more than the rest. In question 25 and footnote 7 the DRCF floats an outcomes-based model, expressly “analogous to Consumer Duty type frameworks”, as a cross-sectoral vehicle for AI consumer protection. That is a financial-services concept being tested as a general template across the whole economy. At question 18 the DRCF asks whether consumers should be able to opt out of AI and, if not, “what is the legal basis for the use of their data”; at question 22 it asks whether consent is the right lever at all. Those land directly on the UK GDPR Article 6 lawful basis and on the automated decision-making regime in Articles 22A to 22D of the UK GDPR, inserted by the Data (Use and Access) Act 2025 and in force from 5 February 2026.
How AI consumer protection in the UK maps onto four regulators
The call covers both generative AI and agentic AI, and it stretches from consumer-facing chatbots to back-office decisions that materially affect consumers. The reason it engages four regulators at once is that a single AI deployment can touch data protection, financial services, consumer law and online safety in the same transaction. The table below maps the consumer concerns the DRCF is probing onto the levers that already exist and the regulator that leads on each.
| Consumer concern (DRCF theme) | Existing UK lever | Lead regulator |
|---|---|---|
| Transparency about how AI uses personal data | UK GDPR Articles 13 and 14, and the Article 22A to 22D safeguards on automated decisions | ICO |
| Fair outcomes from AI-driven services | FCA Consumer Duty (PRIN 2A) for regulated financial services | FCA |
| Misleading or manipulative AI practices | Unfair commercial practices and CMA direct enforcement under the Digital Markets, Competition and Consumers Act 2024 | CMA |
| Redress when an AI decision causes harm | Article 22C right to contest, plus sector complaint and ombudsman routes | ICO and sector regulators |
| Harmful AI-generated content | Illegal and harmful content duties under the Online Safety Act 2023 | Ofcom |
The call is, in effect, a request for the evidence needed to put consumer content into the White Paper principles. Fairness, transparency and redress are easy to assert and hard to apply without knowing what consumers actually expect. The same cross-regulatory pattern is visible elsewhere: data protection and competition law are no longer enforced as separate regimes, and AI is pulling the four DRCF members closer still.
What this means for regulated firms
The firms most exposed are those deploying consumer-facing AI directly, with their vendors sitting behind them in the supply chain. For a deployment that makes a significant decision about a consumer by automated means, responding to the call and running a data protection impact assessment is not enough on its own. The deployment is lawful only if three substantive conditions are met first: it has an Article 6 lawful basis; it satisfies Articles 22A to 22D, meaning either meaningful human involvement or a permitted ground together with the Article 22C safeguards (information, the right to make representations, human intervention and the right to contest); and, for FCA-authorised firms, it delivers Consumer Duty good outcomes. The operational scaffolding, the impact assessment under Article 35 and the Article 28 processor contracts across every sub-agent an orchestrator can call, sits on top of those conditions, not in place of them.
Two practical points follow. First, anything a firm submits to the call may be disclosed under FOIA and is treated as held by all four regulators, so commercially sensitive detail needs handling with that in mind. Second, this is phase one of a two-phase project feeding the 2027 DRCF Responsible AI Forum, so it is agenda-setting rather than imminent rulemaking. The shaping happens now, and it is cheaper to influence the evidence base than to argue with a finished framework. If you are mapping a consumer-facing AI deployment against the Article 22 regime, our AI, data and governance advice page sets out the scope, and the wider data protection practice covers the lawful-basis and safeguards analysis.
Viewpoint
The telling move in this call sits in question 25 and footnote 7: the DRCF is testing whether a Consumer Duty style outcomes obligation could become the cross-sectoral vehicle for AI consumer protection in the UK. In my view that is the likeliest outcome. The UK has set its face against a standalone AI Act, the ICO is selling certainty rather than deregulation, and an outcomes-based duty is the path of least resistance because the FCA has already built and operated one. The evidence the DRCF is now gathering is exactly what a regulator would need to argue such a duty is workable. Firms already inside Consumer Duty have a template; most data controllers do not, and they are the ones who should be reading phase two. I would watch the 2 September response window and the run-up to the 2027 forum, alongside the ICO’s 2026 enforcement priorities, which already turn on whether a controller can show how an automated decision was made.
Frequently asked questions
What is the DRCF call for input on consumer interest and AI?
It is a call for views opened on 3 June 2026 by the Digital Regulation Cooperation Forum, the joint forum of the ICO, FCA, CMA and Ofcom. It gathers evidence on how consumers approach the risks and benefits of generative and agentic AI, and on the tools that could protect them, to inform the four regulators’ forthcoming AI work.
When are the DRCF call for input deadlines?
There are two. Phase one, on consumer attitudes (questions 1 to 16), closes on 3 July 2026. Phase two, on the tools and frameworks for consumer protection (questions 17 to 28), closes on 2 September 2026. Responses go to the DRCF at Ofcom and may be disclosed under the Freedom of Information Act 2000.
Does the UK have an AI Act?
No. The UK has chosen a sector-regulator model under the 2023 AI White Paper rather than a standalone AI statute. Existing regulators apply existing law. The closest binding rule for AI affecting individuals is the automated decision-making regime in UK GDPR Articles 22A to 22D, inserted by the Data (Use and Access) Act 2025 and in force from 5 February 2026.
Can responses to the DRCF call be disclosed under FOIA?
Yes. The DRCF states that information submitted is treated as submitted to each member regulator and may be subject to a request under the Freedom of Information Act 2000. Firms submitting commercially sensitive material should frame their response with that exposure in mind.
If you are assessing how a consumer-facing AI product sits against the UK GDPR, the automated decision-making regime and the Consumer Duty, Bratby Law advises operators, fintechs and platforms on AI as a data protection question. Contact Rob Bratby.
