
Digital Markets Act (DMA) compliance: what you need to know

The European Union’s Digital Markets Act (DMA) brings new requirements to digital companies and strengthens users’ rights. Get the information you need to be DMA-compliant.

Oct 23, 2023

Introduction to the Digital Markets Act and its implications

The European Commission’s (EC) Digital Markets Act (DMA) came into effect in November of 2022. It became actionable in May 2023, but the companies designated as “gatekeepers” by the EC have until March 6, 2024 to ensure their compliance with the Act.

Additionally, companies that do business in the European Union and/or European Economic Area and use the gatekeepers’ services will also likely need to achieve and maintain compliance to prevent business disruptions.

Penalties for Digital Markets Act (DMA) violations are significant, and can be up to 10% of global annual turnover for gatekeepers, or up to 20% for repeated violations, among other penalties. Third parties using gatekeepers’ platforms and services could lose access to them, along with their data and user bases. This would cut off advertising, analytics, and other necessary functions, damaging business operations with losses of audience access, revenue, and brand reputation.

Obligations imposed by the Digital Markets Act are fairly similar to some of those required by the General Data Protection Regulation (GDPR), but they cover more territory. For example, the Digital Markets Act includes additional access to consumers’ personal data and uses of it. The Act also aims to bolster competition, increase fairness among digital companies, and benefit smaller organizations in the market.

1. Which companies has the European Commission designated as gatekeepers?

The European Commission has so far designated six “gatekeeper” companies under the Digital Markets Act, based on the size and influence of their platforms and audiences, and their power in the digital market. The list may grow or change in the future.

  • Alphabet (parent company of Google and Android)
  • Meta (parent company of Facebook, Instagram, WhatsApp and others)
  • Apple
  • Microsoft
  • Amazon
  • ByteDance (parent company of TikTok)

The gatekeeper designation means that these platforms and the services they offer have to ensure they’re in compliance with the DMA by March 6, 2024. Otherwise, they risk substantial penalties.


Requirements for Digital Markets Act compliance for third-party companies

Companies that use the gatekeepers’ core platform services in Europe will also need to demonstrate their compliance (e.g. collecting and signaling valid user consent) or risk losing access to those platforms and the associated data, user base and revenue.

Companies operating in the European Union and/or European Economic Area may also need to comply with additional data privacy regulations, like the GDPR. Fortunately, many of the laws’ requirements are in alignment already.

These requirements make implementation of a consent management solution important to help ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data, and that you can signal it to gatekeepers.

2. What is a core platform service under the Digital Markets Act?

To date, the European Commission has identified 22 core platform services (CPS) among those that the gatekeepers own and operate. This list may grow or change over time. These are the services most under compliance scrutiny under the DMA due to their vast audiences, amount of data generated and processed, and consumer and market influence:

  • 3 operating systems (Google Android, iOS, Windows PC OS)
  • 2 web browsers (Chrome and Safari)
  • 1 search engine (Google)
  • 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
  • 6 intermediary platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
  • 3 online advertising services (Amazon, Google, and Meta)
  • 2 large communication services (Facebook Messenger and WhatsApp)
  • 1 video sharing platform (YouTube)

Third-party entities that make use of the CPS will be required by the gatekeepers to comply with the Digital Markets Act if they want to maintain access to these services, e.g. for advertising. Otherwise they risk significant revenue loss if their access to the platforms is removed.

3. Does the Digital Markets Act provide more protection for user privacy?

The Digital Markets Act uses the same principles for user privacy and consent as the EU’s GDPR and ePrivacy Directive (ePD). This means that they use an opt-in model, and personal data cannot be collected or processed before valid consent is obtained. Third parties will also have to be able to signal this consent to gatekeepers like Google.

As per the GDPR, consent must be freely given, specific, informed, unambiguous, and obtained in advance of data collection.

Consent is also not a “single use” action. Consumers must be able to change or withdraw their consent at any time, and it must be as easy to do so as it was to provide consent. If a company is audited by data protection authorities, it must be able to provide a record of user consent choices.

A consent management platform (CMP) enables companies to do several things that facilitate valid consent and regulatory compliance with privacy laws. A CMP enables companies to:

  • notify users about what personal data they collect from the use of cookies or other trackers
  • enable overall or granular-level consent for tracking technologies in use
  • provide consent options and enable them to be changed
  • store consent data securely

Companies using Google services must also support the most up-to-date version of Google Consent Mode, as this is used to enable consent signaling to Google when their services are in use.

Prior or opt-in consent is required by the DMA from customers, visitors or site/app users of gatekeepers’ and third parties’ services, if these companies:

  • process personal data in the course of providing advertising service using CPS
  • combine personal data from CPS with data from other CPS or services provided by the gatekeepers
  • cross-use personal data from CPS in other services the gatekeepers or CPS provide, and/or
  • sign end users in to other services in order to combine personal data

4. What rights do third-party companies have under the Digital Markets Act?


One of the big goals of the Digital Markets Act is a fairer digital marketplace and improved competition. To this end, the law has a number of requirements that gatekeepers must meet, and which benefit third parties using the CPS. These benefits include:

  • allowing third parties’ apps to be equally accessed and used on gatekeepers’ operating system(s)
  • allowing more access to data generated by activities on CPS
  • prevention of preferential ranking of gatekeepers’ services
  • prohibiting tracking of end users outside of the gatekeepers’ CPS for targeted advertising purposes unless consent is obtained
  • ability to uninstall pre-installed apps
  • enabling operating system or browser settings leading to gatekeepers’ products or services to be changed
  • allowing third-party business users to offer their products and services on their own or third-party platforms for the same price as on gatekeepers’ platforms and services
  • providing advertisers and publishers information free of charge about ads placed, remuneration and fees


Conditions for valid consent under the Digital Markets Act are the same as under the GDPR:

Explicit: Active acceptance required, e.g. ticking a box or clicking a link.

Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?

Documented: You have the burden of proof of consent in the case of an audit.

In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.

Granular: Individual consent for individual purpose, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.

Freely given: Equally accessible and easy to use “Accept” and “Deny” options, e.g. buttons all on the first layer of the CMP. Do not manipulate users’ choices via design.

Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.

The GDPR and DMA require consent for the use of cookies and trackers on websites. This makes a consent management platform (CMP) a necessary tool in many cases, but a lot of companies doing business in the EU do not have a CMP installed, or it’s installed incorrectly, preventing regulatory compliance.

These companies risk noncompliance with the Digital Markets Act, which in turn puts at risk their continued access to the gatekeepers’ platforms and services, including advertising with Google, and with it their business continuity.

A consent management platform can be implemented on websites, apps, and other platforms in minutes. A CMP like Cookiebot CMP can be customized to match corporate branding, and it deep-scans your website to ensure detection and control of all of the cookies and other tracking technologies you use.

Cookiebot CMP is a European leader in helping companies obtain consent and achieve data privacy compliance, and enables this right out of the box. Cookiebot CMP relies on state-of-the-art technology that detects more cookies and trackers. It automates detection, categorization and blocking of them over time to help you maintain compliance without dedicating a lot of technical or legal resources. Protect your operations from DMA violations and ensure you can keep using gatekeepers’ services.

6. How can a CMP get you ready for the Digital Markets Act and why do you need one?

Data protection authorities in Europe have demonstrated that they will pursue compliance with data privacy laws, and enforcement continues to expand. The DMA will build on that commitment.

The European Commission can impose fines for DMA violations on gatekeepers of up to 10% of the company’s annual global turnover, 20% in cases of repeated violations. Additionally, the EC can require gatekeepers in the EU to sell parts or all of a business, or institute bans on acquisitions if they would involve lines of business in which the entity had been found to be in violation.

As for third-party organizations relying on gatekeepers’ services, if they fail to comply, they can lose platform access, which would also mean loss of data and audience/customers, and a hit to revenue. As noted, the DMA bears similarities with other laws, so a DMA violation may also mean a violation of the GDPR or other privacy laws, which have their own potential penalties. This would be publicity no company wants, and would likely damage brand reputation and consumer trust, which would be a further hit to revenues and growth potential.

7. How do you implement a CMP to be ready for the Digital Markets Act?

The specifics of CMP implementation do depend on what platforms you’re using, like your CMS, as well as other tools, including Google Tag Manager and other services. Cookiebot CMP is flexible and can be installed with just a few lines of JavaScript. There’s also a cookies WordPress plugin.

  1. Select a flexible, reliable CMP that can be customized to your needs and will be easy to maintain by technical or non-technical staff
  2. Implement the CMP according to your website setup and your integrations, including those of DMA’s designated gatekeepers
  3. Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
  4. Activate Google Consent Mode signaling
  5. Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
  6. Start collecting DMA-compliant consent from users


Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
