Healthcare Marketing Compliance in 2026: What Every Dental Practice, Pharmacy and Clinic Owner Needs to Know

Author: Abel Getachew, GPhC Registered Pharmacist and Independent Prescriber | Founder, PrimacyLeads

Published: June 2026

Beyond POM Advertising: The Compliance Risks Hiding in Plain Sight

If you read our previous guide on CAP Code Rule 12.12 and the prescription-only medicine advertising prohibition, you may have concluded that avoiding drug names in your marketing is sufficient to stay compliant. It is not.

The regulatory framework governing how private healthcare practices market their services extends far beyond POM advertising into areas that most practice owners interact with daily without realising the exposure they carry. Patient testimonials on your website. Before-and-after photos on your Instagram. Time-limited offers in your email marketing. Your team's personal social media accounts. The reviews on your Google Business Profile. Each of these carries specific, documented regulatory risk that the ASA, CMA and professional regulators are actively monitoring and enforcing in 2026.

This guide covers each of these areas with the specific rule references, real enforcement examples and compliant alternatives that practice owners need.

The Before-and-After Photography Trap

Before-and-after imagery is the most powerful conversion tool available to dental practices, aesthetic clinics and specialist treatment providers. It is also the area with the most prescriptive regulatory requirements — requirements that most practices violate without knowing.

What the Rules Actually Require

The ASA and CAP treat before-and-after photographs as testimonials under CAP Code Rules 3.47 to 3.50. This classification has significant practical implications because testimonials carry specific evidentiary requirements that casual photography does not.

Under the CAP Code, advertisers using before-and-after imagery must hold signed and dated proof that the photographs are genuine and have not been digitally manipulated. This means written documentation confirming the authenticity of each image pair, signed by the patient and dated at the time of capture.

The ASA's position is explicit on what constitutes compliant before-and-after photography. The same patient must appear in both images — stock photographs or composite images are never acceptable. Both photographs must be taken under identical conditions — the same lighting, camera angle, distance from subject and background. No retouching, filters, colour correction or skin-smoothing may be applied to either image. The timeframe between photographs must be stated — for example "two weeks post-treatment" — so the viewer understands the context. And the results shown must be representative of typical outcomes, not the single best result the practice has ever achieved.

Where Practices Get Caught

In 2019, the ASA investigated before-and-after images for a teeth whitening product and ruled that the images showed a "near-instantaneous and dramatic" clearing of skin blemishes that did not represent what consumers could genuinely expect. Despite the advertiser submitting clinical trials and customer testimonials, the ASA concluded the evidence was insufficient to substantiate the visual impression created by the photographs.

In a separate ruling against The Dental Suite in 2017, the ASA found that the advertiser could not provide signed and dated proof that before-and-after dental images were genuine and unmanipulated. The ruling was upheld and published permanently.

The critical principle across all before-and-after enforcement is this — the regulatory standard is not whether the images are technically accurate, but whether the impression they create in the mind of the viewer is substantiated by the evidence the advertiser holds. A genuine photograph taken in different lighting conditions can create a misleading impression even though the image itself is authentic.

The Compliant Approach

Every practice using before-and-after imagery should implement a documented photography protocol. Each image pair requires a signed consent form from the patient specifically authorising marketing use — separate from clinical treatment consent. Both images should be captured using a standardised setup with controlled lighting and a fixed camera position. A written record of the date, treatment performed and timeframe between images should accompany every pair. And the images selected for marketing should represent the range of typical outcomes, not exclusively the most dramatic transformations.

Patient Testimonials and Review Compliance

The Testimonial Rules Most Practices Ignore

Patient testimonials on websites, social media and Google Business Profiles are governed by CAP Code Rules 3.47 to 3.50. The most commonly violated requirement is Rule 3.47, which states that testimonials must relate to the product or service being advertised and must be genuine. Marketers must hold signed and dated documentary evidence that the testimonial is genuine.

What this means in practice: every patient testimonial displayed on your website, quoted in your social media content or featured in your advertising requires signed written permission from the patient, dated documentation confirming the testimonial is genuine and unedited, and evidence that the experience described is representative of what other patients could expect.

A patient testimonial that implies clinical efficacy — "my symptoms completely disappeared" or "my teeth have never looked better" — carries additional requirements because it constitutes a health claim that must be substantiated under Rule 3.7. The subjective elements of a testimonial — "I felt more confident" or "the experience was wonderful" — do not require clinical substantiation. The objective elements — "my pain was eliminated" or "the treatment achieved permanent results" — do.

The New Fake Review Rules Under the DMCCA 2024

The Digital Markets, Competition and Consumers Act 2024 introduced an entirely new dimension to review compliance that most healthcare practices have not yet absorbed. The DMCCA explicitly bans commissioning, publishing or failing to address fake or misleading reviews. Platform operators — including practices that display reviews on their websites — must take "reasonable steps" to prevent such practices.

The CMA's enforcement guidance published in April 2025 specifically addresses endorsements and reviews, making clear that businesses must not publish selectively positive reviews while suppressing negative ones, incentivise patients to leave positive reviews without disclosing the incentive, or display reviews in a way that creates a misleading overall impression of patient satisfaction.

For dental practices and clinics that actively encourage Google reviews — which is a legitimate and important part of local SEO — the compliance requirement is transparency. If you offer any incentive for a review, even a verbal request at the end of a positive appointment, the review should not be presented as entirely unsolicited. And if negative reviews exist alongside positive ones, selectively hiding or failing to respond to negative reviews could be construed as creating a misleading impression under the DMCCA.

The CMA's New Enforcement Powers: Fines Without a Court Hearing

This is the regulatory development that most fundamentally changes the risk profile for private healthcare practices in 2026, and it has received almost no attention in the healthcare marketing conversation.

What Changed in April 2025

The consumer protection provisions of the DMCCA came into force on 6 April 2025. Before this date, the Competition and Markets Authority could only enforce consumer protection law through the courts — a slow, expensive process that meant enforcement action was rare and reserved for the most egregious cases.

Since April 2025, the CMA can directly pursue enforcement action without going through the courts. It can investigate businesses, issue fines, order practices to change their behaviour, and require them to pay compensation to affected consumers — all through administrative proceedings rather than litigation.

The Scale of Potential Penalties

The CMA can now impose fines of up to 10% of global annual turnover for breaches of consumer protection law. For an individual — including a sole trader operating a dental practice, pharmacy or specialist clinic — the maximum fine is £300,000. These are not theoretical maximums. The CMA opened its first consumer enforcement investigations under the new regime in November 2025.

For a private dental practice generating £800,000 in annual revenue, a 10% fine represents £80,000. For a pharmacy group generating £2 million, it represents £200,000. These figures would be existentially damaging for most independent healthcare businesses.

How This Applies to Healthcare Marketing

The CMA works collaboratively with the ASA and sector regulators including the GPhC, GDC and CQC. The ASA's own published guidance notes that it refers "egregious" advertising cases to the CMA and to Trading Standards for further action. The DMCCA's enforcement framework creates a pathway from an ASA advertising complaint to a CMA investigation with meaningful financial penalties — a pathway that did not exist before April 2025.

In practice, this means that a pattern of non-compliant advertising — multiple ASA rulings, repeated failure to amend advertising after being told to do so, or systematic misleading of consumers — can now escalate from an ASA compliance notice to a CMA investigation with fines attached. The healthcare practices most at risk are those that have received ASA guidance or rulings and have not fully implemented the required changes.

Time-Limited Offers and Urgency Tactics

Why "Book by Friday" Is a Compliance Risk

The use of urgency and scarcity in healthcare advertising — countdown timers, limited-time discounts, "only 3 slots remaining" messaging — sits in a regulatory area that most healthcare marketers treat as a standard sales technique. It is not standard in healthcare.

The ASA's guidance on cosmetic interventions explicitly states that healthcare advertisers must not use time-limited offers that could pressure consumers into making hasty decisions about medical or dental procedures. The reasoning is that medical and dental treatments carry inherent clinical risk, and a patient who books under time pressure may not have made a fully informed decision about those risks.

CAP's updated guidance specifically prohibits practices from glamourising cosmetic procedures, implying they are risk-free, or using time-limited offers such as "Book by Friday for 20 percent off" in relation to any cosmetic treatment. For dental practices offering treatments like composite bonding, teeth whitening, Invisalign or facial aesthetics, this prohibition applies directly.

The principle extends beyond cosmetic treatments. Any healthcare marketing that creates artificial urgency — "this month only," "limited availability," "prices increase next week" — must be assessed against whether it could lead a patient to make a treatment decision without adequate time for reflection and informed consent.

What Is Permitted

Genuine availability information — "our next available appointment is in three weeks" — is factual and not subject to urgency restrictions. Seasonal pricing structures that reflect genuine business costs are permissible provided they are not presented as countdown-driven pressure tactics. And informing patients about waiting list positions or appointment availability is a legitimate part of practice communication.

The distinction is between providing information that helps patients plan and creating psychological pressure that compromises informed decision-making.

Your Team's Social Media: When Personal Posts Become Practice Advertising

The Invisible Liability

One of the least understood areas of healthcare marketing compliance is the point at which a team member's personal social media post becomes attributable to the practice. The GDC, GPhC and ASA all take the position that clinical staff who post about their work — including treatment outcomes, patient interactions or clinical capabilities — are creating content that may be assessed as advertising by the practice.

A dental hygienist who posts an Instagram story showing a patient's smile transformation with the practice tagged is creating marketing content for the practice whether or not the practice authorised it. A pharmacist who posts about the weight management service their pharmacy offers is potentially advertising a POM-adjacent service on a public platform. A clinic nurse who shares a patient's testimonial video on their personal TikTok is creating content that the ASA may assess as a testimonial requiring signed documentation.

The Practical Solution

Every private practice should have a documented social media policy that covers clinical staff's work-related posts on personal accounts. The policy should specify that staff must not name prescription-only medicines in any work-related post, must not share before-and-after imagery without documented patient consent and compliance with the practice's photography protocol, must not make efficacy claims about treatments, and must not tag the practice in posts that would themselves breach advertising regulations if posted on the practice's official accounts.

This policy protects both the practice and the individual clinician. A GDC fitness-to-practise investigation triggered by a dental nurse's Instagram post is a governance failure that a documented social media policy would have prevented.

Google Business Profile Compliance

Your Most Visible Marketing Asset Is Probably Non-Compliant

For most private healthcare practices, the Google Business Profile is the single most viewed piece of marketing content — more visible than the website homepage, more frequently read than any social media post. It appears in every local search, every Google Maps query, and every "near me" search for dental, pharmacy or clinic services.

Despite this visibility, the Google Business Profile is rarely included in compliance reviews. The business description, the services listed, the posts published through Google Business, and the responses to patient reviews all fall within the scope of advertising regulation and are subject to the same CAP Code requirements as any other marketing material.

A Google Business Profile that lists "Botox" or "anti-wrinkle injections" as a service is advertising a POM to the public. A response to a patient review that references specific treatment outcomes is potentially making an efficacy claim. A Google Business post promoting a time-limited offer on cosmetic treatments may breach the urgency restrictions discussed above.

The Compliant Google Business Profile

The service categories listed should describe clinical consultations and assessments rather than specific POM treatments. Review responses should thank the patient and reference the general experience rather than confirming specific clinical outcomes. Google Business posts should follow the same compliance standards as any other advertising channel — no POM names, no absolute efficacy claims, no urgency-based promotional pressure.

The Consumer Contracts Regulations 2013: The Cooling-Off Period

A regulatory requirement that directly affects patient acquisition systems — and that most practices do not implement — is the 14-day cooling-off period mandated by the Consumer Contracts Regulations 2013.

When a patient books a service at a distance — online, by phone, or by email — they are entitled to a 14-day cooling-off period during which they can cancel without giving a reason. This applies to consultation bookings, treatment packages, and any service agreement made without face-to-face interaction.

For practices using online booking systems, Calendly links, or website forms as their primary patient acquisition pathway, this regulation means that a patient who books a consultation online has 14 days to cancel. Treatment packages sold through website payment pages are subject to the same cooling-off rights. And any terms of service that attempt to waive the cooling-off period for distance-sold healthcare services may be unenforceable.

The compliant approach is to acknowledge the cooling-off right in your booking confirmation, include cancellation instructions in your automated booking emails, and design your patient journey to move from online booking to in-person consultation within a timeframe that allows the clinical relationship to supersede the distance-selling relationship.

Building a Compliance-First Marketing Infrastructure

The regulatory areas covered in this guide — before-and-after photography, testimonials, the DMCCA's new enforcement powers, urgency tactics, staff social media, Google Business Profile compliance, and cooling-off periods — represent the layer of compliance risk that exists beneath the headline issue of POM advertising.

Most private practices that receive regulatory attention are not sanctioned for a single dramatic violation. They are flagged for a pattern of lower-level non-compliance — a before-and-after photo without consent documentation here, an efficacy claim in a review response there, a time-limited offer on an aesthetic treatment — that collectively creates an impression of a practice that has not integrated regulatory compliance into its marketing architecture.

The practices that are best protected are those that treat compliance as a structural feature of their marketing system rather than a checklist applied after the creative work is done. Every piece of marketing content — from a Google Business post to an Instagram story to a website landing page — should pass through a compliance review that is as routine as spell-checking.

As a GPhC registered pharmacist who builds patient acquisition systems for private healthcare practices, I apply this standard to every campaign before a single pound of advertising spend is deployed. The clinical background is not incidental — it is the foundation of the compliance review, because understanding the regulatory environment requires understanding the clinical environment that generated it.

The Compliance Audit Checklist for This Guide

Do you hold signed, dated consent forms for every before-and-after image displayed on your website and social media?

Are your before-and-after photographs taken under standardised conditions — identical lighting, angle, distance and background — with no digital retouching?

Do your patient testimonials contain objective efficacy claims that require clinical substantiation under CAP Code Rule 3.7?

Have you reviewed your Google Business Profile description, services list and review responses for POM references or efficacy claims?

Does your practice have a documented social media policy covering clinical staff's work-related posts on personal accounts?

Do any of your marketing materials use time-limited offers, countdown timers or scarcity language in relation to medical or dental treatments?

Does your online booking system acknowledge the 14-day cooling-off period required by the Consumer Contracts Regulations 2013?

Have you assessed your review management practices against the DMCCA 2024 requirements on fake and misleading reviews?

If you are uncertain about any of these questions, the risk is measurable, the regulatory environment is actively enforcing, and the new CMA powers mean the financial consequences of non-compliance are materially larger than they were before April 2025.

About the Author

Abel Getachew is a GPhC registered pharmacist and independent prescriber with over six years of NHS and private pharmacy experience. He is the founder of PrimacyLeads, a patient acquisition agency that builds compliant growth systems for dental practices, community pharmacies, and specialist medical clinics across the UK. Every campaign built by PrimacyLeads is reviewed against ASA, MHRA, GDC, GPhC, CQC and CMA guidelines before deployment.

To request a complimentary compliance review of your practice's current marketing, book a 15-minute consultation at primacyleads.co.uk.

Regulatory references cited in this article: CAP Code Edition 12, Rules 3.1, 3.7, 3.47-3.50. Digital Markets, Competition and Consumers Act 2024. Consumer Contracts Regulations 2013. CMA Annual Plan 2025-2026. CMA Enforcement Guidance, April 2025. ASA Advice Note: Before and After Photos, June 2025. ASA Advice Note: Cosmetic Interventions — Social Responsibility. ASA Ruling: The Dental Suite, 13 December 2017. ASA Ruling: Smiles Powder UK Ltd, 29 May 2019. GDC Guidance on Advertising. GPhC Standards for Registered Pharmacies.