Risk Radar | March 2026

Compliance updates

Martyn's law update

Retailers who have premises that may fall within the scope of the Terrorism (Protection of Premises) Act 2025 should note the Home Office has postponed publication of its guidance from spring 2026 to summer 2026.

Extended Producer Responsibility (EPR) Regime

Retailers required to report packaging activity under the EPR regime must submit their packaging data by 1 April 2026. For additional guidance see here.

Product liability reforms

The Law Commission has revealed the terms of reference for its review of the current product safety framework (see here). Retailers can expect a public consultation on proposals for reform in the second half of this year.

Fire safety guidance for small businesses

New guidance has been published outlining key responsibilities and potential fines under fire safety law for small businesses in commercial premises. See here.

A new era for UK human rights due diligence

The Independent Anti‑Slavery Commissioner’s draft Forced Labour and Human Rights Bill 2026 sets out wide‑ranging reforms to bring the UK in line with international best practice. The recommendations include a "failure to prevent" offence, under which businesses will be responsible where they have caused or contributed to a serious human rights harm unless they can demonstrate the defence that they conducted reasonable human rights due diligence. Retailers should review their anti-slavery practices in anticipation of legislative change.

Data protection updates

Data (Use and Access) Act 2025 provisions take effect

Key reforms under the DUA Act have now come into force, introducing new lawful bases for processing, clearer rules on automated decision‑making and stronger ICO enforcement powers, including the ability to issue GDPR-style fines of up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications Regulations.

ICO updates guidance on international transfers

The ICO has published updated guidance to simplify compliance with UK GDPR international transfer rules, introducing a clearer three‑step test and new support materials. The full guidance document can be located here.

New guidance on data protection complaints procedure

This guidance explains what retailers need to do to meet the new requirements for having a data protection complaints process under the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, the ICO has published the guidance now so that businesses can prepare in advance.

How to deal with data protection complaints | ICO.

ICO's response to the Cyber Security and Resilience Bill

The ICO has published its formal response to the Cyber Security and Resilience (Network and Information Systems) Bill, introduced to Parliament on 12 November 2025. The Commissioner welcomes the Bill’s aim to strengthen the UK’s cyber defences and improve the resilience of essential and digital services.

Information Commissioner’s Response to the Cyber Security and Resilience Bill | ICO.

Marketing updates

CMA launches green claims guidance

The CMA has launched new supplemental guidance to the Green Claims Code, confirming that retailers may be liable for green claims made on the products they sell (even where the retailer does not make the claim themselves). Retailers must therefore ensure that they are taking steps to verify green claims. The guidance can be found here.

ASA cracks down on greenwashing

The ASA has banned three adverts from prominent clothing brands that made unsupported environmental claims. This is the latest decision that tackles greenwashing issues – but does it risk deterring retailers from addressing sustainability challenges? See our article here.

CMA strategy published

The CMA has published its 2026-2029 strategy, with its focus for the next 4 years being to promote competition, champion consumers, support pro-growth government policy, attract investment in the UK, and prioritise UK interests. The full strategy can be found here.

CMA issues first fine under DMCCA

The CMA has issued its first fine under the DMCCA, ordering Euro Car Parks to pay £473,000 for failing to respond to an information request. This enforcement action shows that the CMA is prepared to take a firm approach where businesses do not cooperate with investigations. Retailers should expect the regulator to make full use of its strengthened enforcement powers. See the press release here.

Financial Services

Overhaul of Buy Now Pay Later regulation

Retailers offering BNPL at checkout can expect tighter requirements around affordability checks, clearer disclosures and stronger oversight of BNPL providers. Retailers should speak to the lenders that they work with now, if they have not done so already, to understand any operational and contractual changes that may need to be made before July. See article here.
