European Commission investigations under the CPC Regulation

Who’s in charge?

The enforcement of consumer protection law in the EU has historically been organised at national level. The need to address conduct across multiple EU Member States led to the creation of ‘coordinated actions’ under the CPC Regulation, conducted in the name of the various consumer protection authorities across the EU, referred to as the ‘CPC Network’. One of the authorities would be chosen as a ‘coordinator’ and would pursue the case on behalf of the CPC Network as a whole. In a ‘coordinated action’, procedural and substantive decisions are taken by consensus among the concerned consumer protection authorities.

New EU regulations in the digital space such as the Digital Services Act and the Digital Markets Act have given the European Commission a much more central enforcement role. At the same time, the practical application of the CPC Regulation has evolved in a similar direction. If the case concerns a Very Large Online Platform under the DSA, a gatekeeper under the DMA, or any other significant online service provider of pan-European importance, the European Commission will now typically act as the coordinator of any ‘coordinated action’ begun under the CPC Regulation, acting together with one or more ‘lead authorities’ from the CPC Network. 

In such cases, the proceedings continue to be conducted in the name of the CPC Network. But the European Commission handles all communications with the company concerned, and its views, together with those of the lead authorities, are likely to be decisive for achieving consensus within the CPC Network. 

How does it start?

Because many consumer protection infringements can be established simply by accessing the online service concerned and assessing the user experience provided, coordinated actions tend to start - from the company's perspective - with service of a ‘Common Position’ setting out fully reasoned and evidenced allegations that the company is breaking the law.

In reality, the case began earlier, with one of the national consumer protection authorities (‘competent authorities’ in the language of the CPC Regulation) alerting the CPC Network to a ‘widespread infringement with a Union dimension’. This requires a reasonable suspicion of an infringement of the consumer protection rules in at least two-thirds of the Member States, accounting for at least two-thirds of the population of the EU. For an online service operating on a pan-European or global basis, that test will be easily satisfied.

This alert may have originated from ‘sweeps’ conducted by national authorities under the Commission’s coordination. These are targeted website investigations to detect breaches of EU consumer law. This enforcement tool is used when market trends, consumer complaints, or other indicators suggest potential infringements.

Following the alert, the authorities concerned by the infringement (which for online services will likely mean all or almost all of them) will have appointed lead authorities and a coordinator, and the fact gathering will have begun. This may well be entirely invisible to the company concerned. 

The Common Position is the culmination of this exercise, although the European Commission may accompany it or follow it up with requests for information with a view to alleging additional infringements later. There is no provision enabling the Commission to conduct on-site inspections (‘dawn raids’) similar to those in DSA or antitrust proceedings.

Requests for information are issued in the name of the CPC Network, but will come from the European Commission as coordinator. The legal status of such requests is not clearly established by the CPC Regulation. In particular, there is no provision similar to Article 74(2) of the Digital Services Act allowing the Commission to impose fines for supplying incorrect, incomplete or misleading information, or for failing to reply to a request made by formal decision. This said, a failure to cooperate could result in one of the lead authorities exercising its own national investigative powers with a view to imposing fines under its national law in the absence of a response.

It is important to underline that the investigation phase could well be over by the time the company learns of the existence of the investigation. It may well be that the company is simply confronted with the allegations in the Common Position and needs to decide how to respond.

What rights does the company have?

The company will be given a time limit to reply to the Common Position in writing, for example a month. It will likely also be offered an online oral hearing. Importantly, there is no provision for any ‘access to the file’ similar to that in DSA or antitrust proceedings. Depending on the nature of the allegations, this may or may not be problematic. The usual EU law rules on legal privilege apply throughout the procedure.

The company may well be exposed to substantial public pressure before it has had the opportunity to defend itself. The Commission is likely to issue a press release when the Common Position is adopted. More significantly, the Commission and the national authorities may publish the Common Position on their websites (subject to the usual rules on business secrets). Arguably, this reflects the fact that the Common Position represents the conclusions drawn by the authorities at the end of their investigation. But it is nonetheless striking that this is envisaged in the CPC Regulation even before the company concerned has had the opportunity to correct any misunderstandings and demonstrate the legality of its conduct.  

What are the possible outcomes?

• Commitments. Coordinated actions are aimed at securing a change in the conduct of the company concerned. The CPC Network is likely to invite the company to propose commitments at the same time as replying to the Common Position, and in any event the company has the right to propose commitments on its own initiative. Such commitments would not be enforceable by the Commission with fines. Rather, one or more national authorities could impose fines for failure to respect the commitments under their own national procedural laws.

  Proposals for commitments may be published by the Commission or the authorities concerned, and thus consumer organisations and other interest groups may submit observations. The CPC Regulation does not contain any provision entitling the company to receive or respond to such observations.

  The commitments need to be sufficient to persuade the CPC Network that they will bring the infringements to an end. For this, the rule requiring decision-making by consensus is important. While EU consumer protection legislation is supported by detailed guidance issued by the Commission, it remains the case that different national authorities may adopt different interpretations of the law, or simply have different views on its application to the facts of the case. There is no rule determining which views should prevail, and no majority voting system. Rather, the key will be to persuade the Commission and the lead authorities, and to try to secure a consensus among the CPC Network as a whole. 

  Importantly, if the proposed commitments are sufficient to end the infringement, they have to be accepted. Obviously, the Commission and the CPC Network will need to be convinced that this is indeed the case. But they do not have a policy discretion whether to accept commitments, unlike in DSA or antitrust proceedings.

• Changing the conduct. Another option is simply to adjust the company’s practices directly to bring the alleged infringement to an end. This may be an attractive option for companies looking to move on from the investigation as quickly as possible, or where the infringement is both obvious in itself and obvious how to fix. That said, the Commission and the lead authorities will want to examine the changes implemented in the online service, and they may not be convinced.

If the CPC Network is persuaded that all infringements have been terminated, then the coordinated action must be closed. There is no provision for adopting a formal decision recording a past infringement. 

• Persuasion on the merits. Finally, of course, there is the possibility of persuading the CPC Network that there was no infringement to begin with. However, given that the authorities concerned have in their own minds completed their investigation, identified an infringement, and committed themselves publicly to that assessment, it may prove difficult to change their minds. If there are factual errors or misunderstandings the company could of course be successful with this approach, but it may be optimistic to believe that the entire case can be resolved in this way.
• National fines. There is no provision for the European Commission to impose fines for the infringements identified in the Common Position. In principle, EU law empowers a single national authority to impose a fine of at least 4% of group turnover in all the Member States concerned. However, as of February 2025 no such fines have yet been imposed in CPC coordinated actions. For any such fine to be imposed, the CPC Network would need to reach consensus that the commitments process has failed to produce a satisfactory outcome, and one of the national authorities concerned would need to open a national investigation, respect the procedural stages foreseen in its national law, and potentially face a court challenge.  
• Publicity. The most harmful direct consequence of a coordinated action under the CPC Regulation may well be that the conclusions outlined in the Common Position are made public by the Commission at the same time they are communicated to the company concerned, almost inevitably causing reputational and business harm. The Commission and the lead authorities are likely to continue publicising the case until it is settled, with every investigation featuring prominently on the Commission's website afterwards.

What law applies?

EU consumer protection law is generally in the form of Directives imposing a requirement on Member States to adopt their own national rules imposing obligations on private parties. So, for example, an online platform would not infringe the Consumer Rights Directive as such, but rather in Germany it would infringe the German laws, regulations or administrative provisions implementing that Directive, and in France it would infringe the equivalent French rules. 

However, a Common Position in a case coordinated by the European Commission will refer only to the relevant Directive, and allege an infringement of that Directive as such. This is slightly artificial for the reasons just explained, although arguably it is not ultimately problematic because a coordinated action under the CPC Regulation cannot itself lead to a formal infringement decision or a fine imposed by the Commission. Moreover, this approach has the important effect of facilitating a pan-European outcome that is not held up by country-specific aspects that may have been incorporated into national laws when the Directives were transposed. It also tends to increase the influence on the proceedings of the European Commission’s published guidance on the Directives, and its views generally.

How could a parallel DSA investigation influence the outcome?

The Digital Services Act is a distinct legal instrument that imposes obligations directly on private parties (it is a Regulation, not a Directive). Importantly, the European Commission can directly impose fines on designated Very Large Online Platforms for infringement of the DSA.

The significance of the DSA for cases under the CPC Regulation is that its Articles 34 and 35 impose obligations on Very Large Online Platforms to “diligently identify, analyse and assess any systemic risks” and “put in place reasonable, proportionate and effective mitigation measures” in relation to any actual or foreseeable negative effects that their service might have on a high-level of consumer protection as envisaged by Article 38 of the Charter of Fundamental Rights of the EU. These obligations directly overlap with all the provisions under EU consumer protection law that concern the diligence with which an online service provider carries out an activity relevant for the consumer experience.

The implication is that when a Very Large Online Platform is engaging with the Commission in a CPC case concerning its diligence under specific provisions of EU consumer protection legislation (for example, under the Unfair Commercial Practices Directive), it is simultaneously addressing the exact authority that can impose heavy fines - up to 6% of worldwide group turnover - for essentially the same conduct, under the DSA…

This is not an academic point. The Commission has developed a practice of opening a DSA investigation at or around the same time as the adoption of a Common Position in CPC cases coordinated by the Commission. So the prospect of DSA fines for Very large Online Platforms that are not convincing in the CPC procedure is a real one.

Authored by Christopher Thomas, Alexandra Bray.