CMA Opens Formal Consultation on CMA Apple Google App Store Payment Rules
The UK's Competition and Markets Authority (CMA) has launched a formal consultation on proposed new conduct requirements targeting Apple and Google under the country's digital markets competition regime. At the heart of the proposals is a fundamental shift in how app developers can communicate with their own customers: the new rules would remove restrictions that currently prevent UK app developers from "steering" users away from Apple and Google's in-app payment systems toward cheaper or alternative payment options. This move positions the UK as one of the most assertive regulatory environments in the world for platform competition — with significant implications for developers, digital commerce, and data sovereignty.
For years, Apple and Google have enforced policies that require app developers to use their proprietary payment systems for in-app purchases, earning commissions of up to 30% on every transaction. These commissions — often referred to as the "app tax" — have been a persistent source of friction between the platforms and the developer community. Under the CMA's proposed requirements, developers operating in the UK market would be permitted to inform users about alternative payment methods, direct them to external websites, and potentially offer lower prices outside the platform ecosystem. This is what regulators term "steering" — and until now, both Apple and Google have explicitly prohibited it.
What "Steering" Actually Means for App Developers and Digital Businesses
The term "steering" has a precise regulatory meaning in this context. It refers to the ability of app developers to actively communicate with their users — within an app or via email — about alternative purchasing options that exist outside of the Apple App Store or Google Play Store. Currently, both platforms prohibit developers from including links to external payment pages, mentioning lower prices available on the web, or even directing users to a developer's own website to complete a purchase.
For small app developers and independent software vendors, this restriction has long represented a structural disadvantage. A developer selling a £10/month subscription through Apple's App Store sees Apple take up to £3 before they even begin to recover customer acquisition costs. Multiply that across thousands of subscribers, and the economic impact is substantial. The CMA's proposed conduct requirements would give developers the legal right — enforceable under UK digital markets law — to communicate these alternatives to their customers.
"The ability to tell your own customers that a better deal exists on your own website is a basic commercial freedom that app store rules have systematically stripped away," said a senior digital policy analyst at a UK technology advocacy group. "What the CMA is proposing is not radical — it's restoring a fundamental market dynamic."
This consultation follows the designation of Apple and Google as firms with Strategic Market Status (SMS) under the UK's Digital Markets, Competition and Consumers Act — a landmark piece of legislation passed in 2024 that gave the CMA new powers to impose bespoke conduct requirements on the most powerful digital platforms. As reported by UKTN, this consultation represents one of the CMA's first substantive uses of those powers.
The Scale of App Store Market Power
The market concentration figures alone underscore why regulators have acted. With Apple's iOS and Google's Android collectively accounting for virtually the entire UK smartphone market, developers have no meaningful alternative distribution channel for mobile apps. The CMA has previously described this as a "two-sided platform" with significant network effects — meaning developers must be present on these platforms to reach users, and vice versa, creating a structural lock-in that conventional competition law struggles to address.
According to data published by Statista, the global app economy generates hundreds of billions of dollars annually, with a significant portion of that value flowing through platform payment systems. The commission structures imposed by Apple and Google have been the subject of antitrust investigations in the EU, the US, South Korea, and Japan — making the CMA's action part of a broader global regulatory pattern.
How the UK's Approach Compares to EU and US App Store Regulation
| Jurisdiction | Regulatory Framework | Key Requirement | Status |
|---|---|---|---|
| European Union | Digital Markets Act (DMA) | Sideloading, alternative app stores, anti-steering prohibition lifted | In force (gatekeepers designated) |
| United Kingdom | Digital Markets, Competition and Consumers Act | Conduct requirements for SMS firms; steering consultation underway | Consultation phase |
| United States | Open App Markets Act (proposed) | Anti-steering and sideloading provisions | Not yet passed into law |
| South Korea | Telecommunications Business Act amendment | Mandatory alternative payment systems | In force |
| Japan | Smartphone Software Competition Promotion Act | Third-party payment systems and app stores required | In force |
The UK's approach sits in interesting contrast to the EU's Digital Markets Act (DMA), which came into force for designated gatekeepers and has already forced Apple to allow alternative app stores and payment methods across the 27-member bloc. The DMA's requirements are broader in some respects — mandating sideloading and interoperability — while the CMA's current consultation is more narrowly focused on the steering prohibition specifically. However, the CMA's enforcement mechanism is arguably more flexible: conduct requirements can be tailored to each SMS firm, meaning Apple and Google may face different obligations based on where the competitive harm is most acute.
As The Guardian has previously reported, Apple's response to DMA obligations in Europe has been closely watched by regulators worldwide, with the company introducing compliance measures that critics have described as deliberately cumbersome — a "core technology fee" for alternative distribution that many developers argued preserved the economic deterrent even while technically permitting alternatives.
Privacy and Data Sovereignty Implications of Alternative Payment Flows
For privacy professionals and IT decision-makers, the CMA's proposals raise a set of questions that go beyond simple economics. When users are steered toward external payment pages — away from the relatively controlled environment of Apple Pay or Google Pay — questions arise about data handling, GDPR compliance, and the security of alternative payment processors. Developers who implement external payment flows will need to ensure that any third-party payment provider they use meets UK GDPR standards, particularly around data minimisation, lawful basis for processing, and cross-border data transfers if the payment processor is based outside the UK or EEA.
There is also a digital sovereignty dimension here that aligns closely with broader European debates about platform dependency. The UK's designation of Apple and Google as firms with Strategic Market Status reflects a recognition that dependence on two US-headquartered platforms for virtually all mobile commerce creates structural vulnerabilities — not just for individual businesses, but for the economy's digital infrastructure as a whole. This mirrors arguments made in EU digital policy circles about reducing reliance on non-European cloud and platform providers, a theme extensively covered in the context of the EU's Digital Markets Act.
From a cybersecurity standpoint, alternative payment flows also introduce new attack surfaces. Security teams at app companies will need to conduct thorough risk assessments of any payment provider they consider integrating, particularly given the volume of sensitive financial data involved. The CMA's proposals do not appear to mandate specific security standards for alternative payment processors — this is an area where developers will need to exercise their own due diligence, potentially in consultation with frameworks like PCI DSS and ISO 27001.
What Happens After the CMA Consultation Closes?
The CMA's consultation process is a formal step in the process of designating and enforcing conduct requirements under the Digital Markets, Competition and Consumers Act. Interested parties — including app developers, consumer groups, payment processors, and the platforms themselves — are invited to submit evidence and opinions on the proposed requirements. The CMA will then review responses before finalising its position.
If the conduct requirements are confirmed, Apple and Google would be legally obligated to permit steering within the UK. Non-compliance could trigger enforcement action from the CMA, which has the power to impose fines of up to 10% of global annual turnover for breaches of conduct requirements — a figure that, in Apple's case, would represent tens of billions of dollars. The CMA has also signalled that it will monitor compliance proactively, rather than waiting for developer complaints.
For the developer community, the practical timeline matters enormously. Even if requirements are finalised relatively quickly, implementation will depend on Apple and Google updating their developer agreements, App Store Review Guidelines, and technical infrastructure to permit steering. Given the history of both companies' compliance approaches in other jurisdictions, developers and legal teams should expect a period of careful scrutiny of whatever implementation mechanisms the platforms propose.
Originally reported by UKTN. Summarised and curated by European Purpose.
