The previous instalments of our blog series focussed on substantive-law topics, such as Dark Patterns, Influencer Marketing, or Automated Contracting and corresponding legislative changes which may be considered as part of the upcoming Digital Fairness Act. However, the enforcement of consumer protection law is as important as the substantive provisions themselves. This is illustrated by the results of the Digital Fairness Fitness Check, which has in many instances concluded that practices which are considered problematic are already addressed by EU legislation, but that there is inconsistent or insufficient enforcement by the different EU Member States in practice.
This is sufficient reason to take a closer look at an important procedural tool designed to address cross-jurisdictional violations of consumer protection law in the EU: The Consumer Protection Cooperation (CPC) Network – a network of the consumer protection authorities in the EU which’s activities are governed by the CPC Regulation.
How does it work, what are its up- and downsides and which reforms are considered by the European Commission to make it “fit” for the digital age?
I. CPC Enforcement: How does it work
Many companies – in particular in the digital sphere – use the opportunities of the EU single market and offer very similar (or even identical) services throughout the EU. This is encouraged by legislative measures such as the Geoblocking Regulation, which is designed to prevent unjustified discrimination based on a customer’s nationality. Traders often also employ similar business strategies, contractual terms and marketing measures across EU markets. While this is an important growth-factor for the EU economy and in line with the objective of a common market, it also means that unlawful practices often affect consumers in several Member States at the same time. However, national enforcement authorities only have jurisdiction in the territory of their own country. In practice, this means that national authorities in several Member States would have to conduct parallel investigations against the same trader regarding the same practice. Such parallel proceedings do not only create the risk of diverging decisions and enforcement gaps throughout the EU, but they are also inefficient for both the national authorities and the trader who might have to deal with (up to) 27 different authorities on the same issue.
This is where the CPC Regulation and the CPC Network come in: they enable national authorities to take coordinated action against inadmissible practices affecting consumers in several EU Member States:
The CPC Regulation allows national authorities to direct requests for information and enforcement at their counterparts in other Member States. These authorities can (often: must) then use their enforcement authority to obtain such information. While information requests aim at establishing whether certain practices take place in another Member State, enforcement requests ask the respective national authority to take action to stop an unlawful practice committed by a trader in their territory. Certain grounds to refuse cooperation exist, but absent specific justification national authorities in all Member States are generally obliged to cooperate.
The CPC Network can also be used to issue alerts about potentially unlawful practices (both by authorities which are part of the CPC Network and external bodies such as certain consumer protection associations). In case of “widespread infringements” (relevant for at least three Member States) and “widespread infringements with an Union dimension” (concerning at least two-thirds of the Member States), the CPC Network can also take “coordinated action” where the European Commission (“EC”) takes a coordinating role. The EC may also coordinate so-called “sweeps“ by national authorities, coordinated control actions to detect possible infringements. Such “sweeps” are often used to assess potentially inadmissible practices in a specific market or market sector (see here for an overview of past sweeps). Over the years, consumer protection sweeps have adapted to keep pace with evolving business trends and models: During the 2000s, these checks zeroed in on websites selling airline tickets (back in 2007) and mobile phone ringtones (2008). Fast forward to the 2020s, and the focus has shifted to dark patterns (2022), influencer marketing (2023), and second-hand goods (2024).
II. What are the main results of the Digital Fairness Fitness Check?
The CPC Regulation was not at the centre of the discussion of the Digital Fairness Fitness Check because the focus was on substantive provisions of consumer protection law rather than enforcement procedure. Plus, the EC had already published a report on the CPC Regulation in 2024. While the Digital Fairness Fitness Check largely leans on those findings, it does highlight the central role of the CPC Network in tackling unlawful (digital) business practices. After all, in the context of pan-European business, multi-jurisdictional effects will be the norm, not the exception. At the same time, a general take away from the Digital Fairness Fitness Check is the lesson that issues often arise from insufficient enforcement or diverging interpretation of the law in different Member States rather than from the rules themselves.
Thus, the Digital Fairness Fitness Check recognizes the importance of well-functioning cooperation between national authorities but highlights several (perceived) shortcomings of the current system:
CPC procedures are often perceived as long and cumbersome. The CPC Regulation report lists an (anonymized) example where a dialogue with a trader based on the CPC Regulation dragged on for more than three years. This is certainly a double-edged sword: On the one hand, there is an understandable need for quick action in case of severe infringements of consumer law. On the other hand, it is important that authorities and traders have sufficient time to conduct meaningful investigations and discussions before – potentially far-reaching – decisions are being made which are often very difficult to challenge in practice.
The report also notes that new (in particular) digital technologies and business models require specialized expertise at the national authorities. While meaningful enforcement indeed requires that the respective authorities understand the business models which are subject to their decision, it remains doubtful whether every Member State will dedicate the necessary resources to its respective national authority.
The different resources as well as different investigative and enforcement powers of the national authorities are therefore a further point of criticism from the CPC Regulation report. This is understandable, but it is – partly – baked into the system of a network of national authorities rather than enforcement through a centralized authority. Moreover, the CPC Regulation defines a set of investigative and enforcement powers which every national authority must have by law. Assessing whether these powers are meaningful and sufficient appears more fruitful than a debate whether some authorities have additional competences based on national law. Furthermore, it should be borne in mind that in some Member States consumer protection law is primarily enforced by private entities. Therefore, it would be short-sighted to focus solely on the powers of national authorities.
The report notes problems due to the absence of tools to detect infringements on online markets. This seems, however, to be more of a practical/technical hurdle and a matter of resources than a shortcoming of the corresponding CPC legal framework.
The Digital Fairness Fitness Check points out that the deterrent function of fines is currently limited since authorities from the CPC Network found it difficult to apply such fines as part of a coordinated action. While fines can discourage traders from breaking the rules, it’s worth noting that many of the EU’s complex consumer and digital rules[1] already threaten significant fines for non-compliance. It is therefore important to avoid businesses being penalized twice under overlapping rules and to make sure hefty fines are reserved for genuinely serious cases, otherwise this could not only deter non-compliance but business as such.
Finally, the report mentions that enforcement against traders without a place of business or assets within the EU is challenging. Ensuring equal treatment of all participants on the EU market is indeed an important goal although there are factual and legal limits on extraterritorial enforcement.
III. Next steps
In its recently published 2030 Consumer Agenda, the EC noted that, while the CPC Regulation has delivered positive results, recent developments have highlighted limitations in its effectiveness, especially in keeping up with the growth of e-commerce and cross-border infringements. As a consequence, the EC will propose a revision of the CPC Regulation, most likely by Q4 2026 and in parallel with the publication with the Digital Fairness Act. While the Digital Fairness Fitness Check report focuses on the substantive consumer protection rules, it does not set out any concrete proposals to improve enforcement under the CPC Regulation. However, it clearly recognises that stronger EU-wide enforcement is a priority.
The current enforcement system is based on cooperation between national authorities, with the EC mainly acting as a coordinator. Although the scope of the CPC revision is still unclear and will run in parallel with the drafting for the upcoming Digital Fairness Act, it is likely that the revision will strengthen the EC’s role, potentially allowing it to launch EU-wide investigations into widespread infringements, coordinate or lead enforcement actions, or even impose fines or binding remedies directly, instead of relying solely on national authorities. At the same time, some Member States have stressed the importance of subsidiarity, national enforcement autonomy, and resource constraints. The upcoming debate is therefore not about replacing national authorities, but about whether stronger EU-level powers are needed for the most serious or cross-border cases.
[1] DMA, DSA, GDPR, and AI Act to name a few.
