On 6 April 2025, the Digital Markets, Competition and Consumers Act 2024 made fake reviews a banned practice in the United Kingdom. Most of the commentary since has focused on the obvious target: invented reviews, paid endorsements, the fake five-star economy. That focus misses the part of the Act that matters most to any business with a public rating. The law does not stop at individual reviews. It reaches the aggregate score itself.
The score is in scope, and that changes the question
The Act bans more than fake reviews. It governs what the legislation calls "consumer review information", a category defined to include aggregated data: overall ratings, review counts, rankings. The published score is not a by-product the law ignores. It is squarely within scope.
This shifts the compliance question in a way most businesses have not registered. The old question was defensive and binary: are any of our reviews fake? The new question is harder and quantitative: does our aggregate score genuinely reflect the experience of our customers? A rating can be built entirely from real, verified reviews and still be misleading, if the way those reviews were collected has produced a number that does not represent the customer base. Under the Act, a score that misrepresents genuine experience is a regulatory exposure, even when no single review is false.
That is the conceptual leap. The risk is no longer located in the individual fake review. It is located in the gap between the published score and the genuine one.
Why a policy is not an answer
The Act creates a positive obligation: any business that publishes reviews or aggregated review information must take reasonable and proportionate steps to prevent misleading material, and must maintain a clear, public policy on how reviews are handled. The CMA found, when its grace period closed in July 2025, that over half of the websites it reviewed could be failing this obligation.
Most businesses will respond to this by writing a policy. A document stating that the company does not solicit fake reviews, published in the footer, box ticked. But a policy is a statement of intent. It does not tell you, or a regulator, whether your actual published score is an authentic representation of customer experience. The obligation is to take steps that genuinely prevent a misleading rating. You cannot demonstrate that you have prevented something you have never measured.
This is the gap between the letter of the Act and what compliance actually requires. The Act asks businesses to ensure their reviews are genuine representations of customer experience. A policy asserts it. Only measurement can show it.
What "reasonable and proportionate steps" looks like when you take it seriously
The CMA's standard is deliberately not a fixed checklist. It is risk-based: higher-risk practices demand more extensive measures. For a business whose reputation and revenue depend on a public rating, taking the obligation seriously means being able to answer a question that no policy document addresses.
Is there a divergence between the score produced by spontaneous, organic reviews and the score produced by the collection process as a whole? If the two diverge significantly, the published number is not a neutral reflection of experience. It is shaped by how reviews were gathered. That divergence is measurable. It is, in fact, the single most informative signal of whether an aggregate score is authentic or steered, and it is precisely what a regulator examining "genuine representation" would look for.
A business that can measure this gap, document it, and act on it is doing something a policy cannot: it is demonstrating, with evidence, that its score reflects reality. A business that cannot measure it is, in the Act's terms, unable to show it has taken reasonable steps at all.
From marketing metric to governance object
For a Chief Risk Officer or Head of Compliance, this is the real significance of the DMCC Act. It moves the online rating out of the marketing department and into the risk register. The exposure is defined, the enforcement is direct, and the penalties reach 10% of global annual turnover. The CMA does not need to prove a single consumer was misled: for a blacklisted practice, the conduct alone is the breach.
Three questions follow, and none of them is answered by a policy. Does your published rating reflect the genuine experience of your customers, or the way you collect reviews? Do you know the size of the gap between the two? And if a regulator asked you to demonstrate that your score is an authentic representation, could you?
Measuring the integrity of review collection, and the distance between a published score and the genuine one, used to be a question of curiosity. Under the DMCC Act, it is a question of compliance.
© Fametrue 2026. All rights reserved.