The Competition and Markets Authority (CMA) has taken anti-virus software firm, Norton (specifically the appropriately named NortonLifeLock UK Limited and NortonLifeLock Ireland Limited), to court after it refused to provide information for an investigation into auto-renewing contracts and anti-virus software. This is the first time the CMA has used its powers to seek a court order in relation to a consumer protection case.

The regulator is conducting an ongoing investigation, opened in November 2018, into the anti-virus software sector following claims that some companies in the industry may not be complying with consumer law. The CMA has identified concerns that Norton’s terms and practices, specifically for automatically renewing contracts, could result in customers paying for services they no longer want or need. In 2019 the CMA wrote to 16 other anti-virus companies across the sector requesting they review their practices and terms and conditions to ensure that they are compliant with consumer law and put them on notice that they could also face scrutiny.

In order to progress the investigation, the CMA sent a notice to Norton requesting details, including research undertaken by the company into how customers responded to website information on auto-renewal and pricing. Norton has refused to provide some of the information requested in the notice, although it has not been specified which parts have not been supplied.

During the case, the CMA is investigating whether Norton:

  • provides sufficiently clear or prominent information that a contract will automatically renew, both before the customer enters into the contract and before it automatically renews;
  • provides the customer with adequate ways to cancel the automatic renewal;
  • uses price promotions that present a regular introductory price as a sale price; and
  • uses unfair contract terms to increase the prices paid by customers when contracts automatically renew.

Under the Consumer Rights Act 2015, the CMA has the power to send a written notice to any person or company requiring them to provide information to enable the CMA to exercise, or to consider whether to exercise, its powers to enforce consumer protection legislation, as it is doing as part of the anti-virus software sector investigation. If a person does not provide the requested information, then the CMA may make an application to the court for a court order requiring them to comply, as has happened in the Norton case.

It is important to note that, whilst the CMA can raise concerns over a breach of consumer protection law, only the courts can rule that a particular practice has broken the law. Under the Enterprise Act 2002, the CMA cannot impose fines on businesses, but it can enforce the legislation through the courts.

It will be interesting to see the outcome of the case and whether the courts do enforce the information notice of the CMA. The ruling will likely set a precedent in the balance of power between regulators and companies not just in the anti-virus software sector but also more widely.

The outcome of the CMA investigation into the anti-virus software industry, and the implications of the Norton investigation, could lead to software companies having to review their terms and practices, specifically as to automatic renewal of contract terms and termination provisions.