Digital Markets Act glossary: Legal definitions and DMA terms every business should know

Importance of understanding DMA terms for businesses

Understanding the DMA glossary is crucial for businesses operating in the digital space, especially if you want to maintain your ad monetization revenue streams after March 2024. Familiarity with key DMA terms and definitions enables you and your businesses to understand requirements imposed on gatekeepers and third parties using their services. It will help you effectively apply them to your operations using these platforms to continue access to needed data and continued revenue-generating functions like advertising.

Failing to grasp the implications of the DMA and compliance with it in EU markets could lead to substantial losses in ad monetization revenue.

For businesses designated as gatekeepers, compliance with the DMA is essential for continuing to do business in the EU. They’ll need to adapt their practices and ensure transparency, privacy protection, non-discrimination, and fair competition. Other businesses, although not designated as gatekeepers, still need to be aware of the DMA’s provisions as it may impact their interactions with gatekeepers and have implications for their compliance as third parties using gatekeepers’ services.

Key DMA terms and definitions – DMA glossary

Here are some of the most important terms and definitions used in the DMA.

DMA’s definition of core platform services

The DMA defines core platform services (CPS) as those integral to the operation of a digital business. Such services include online search engines, operating systems, web browsers, voice assistants, online social networks, video sharing platforms, and more. To date, 22 CPS have been identified, but this number may change in the future as further discussion and review are conducted.

DMA’s definition of gatekeepers

The DMA’s definition:

“Gatekeeper means an undertaking providing core platform services”. (source: DMA)

• Gatekeepers are companies that have a significant impact on the digital ecosystem and act as intermediaries between businesses and consumers. They collect and process massive amounts of user data, have the power to control access to essential services, and can potentially exploit their position to the detriment of competition and innovation.
• The Act identifies certain criteria for determining which companies are gatekeepers, and imposes specific responsibilities on them to ensure data privacy as well as fair and transparent practices.
• Gatekeepers have a duty to provide fair and non-discriminatory access to their platforms, services, and data in the EU. They must also ensure that their terms and conditions are transparent and that they do not engage in practices that would harm competition or restrict consumer choice. 
• In the context of the DMA, a gatekeeper refers to a corporation operating one or more core platform services. To qualify as a gatekeeper, a company must meet specific criteria related to annual revenue, market capitalization, and the number of users.

The European Commission has designated six key gatekeepers:

• Apple 
• Alphabet (owner of Google and Android)
• Microsoft
• Amazon
• Meta (owner of Facebook, Instagram, WhatsApp, and others) 
• ByteDance (owner of TikTok)

DMA’s definition of a business user

“Business user means any natural or legal person acting in a commercial or professional capacity using core platform services for the purpose of or in the course of providing goods or services to end users”. (source: DMA)

Business users are third-party entities that rely on gatekeeper platforms to reach end users and provide products or services. Under the DMA, gatekeepers must negotiate certain conditions with business users to promote fair and non-discriminatory treatment. For example, business users should have the freedom to negotiate more favorable conditions with other companies, communicate directly with end users, terminate contracts with gatekeepers easily, and access data generated through their use of gatekeeper platforms. These obligations aim to protect the rights and interests of business users operating on gatekeeper platforms.

DMA’s definition of personal and sensitive data

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. (source: DMA after GDPR’s definition)

Personal data refers to any information that can directly or indirectly identify an individual. This includes but is not limited to names, email addresses, phone numbers, IP addresses, etc. Personal data is at the core of many marketing activities, and its collection, storage, and processing are subject to regulations to protect individuals’ privacy.

Sensitive data, on the other hand, refers to a special category of personal data that requires extra protection due to its potential impact on an individual’s privacy and fundamental rights. This includes information related to race, religion, health, sexual orientation, biometric data, etc. Sensitive data is subject to stricter controls and requires explicit consent for processing under most privacy laws.

DMA’s definition of consent 

Consent is a fundamental concept in the DMA regulation, especially in relation to data processing and marketing communications. It refers to the permission granted by individuals for their personal data to be collected, processed, and used for specific purposes. 

Consent can be obtained through an opt-in or opt-out mechanism. However, under the DMA and many other global privacy laws, like the EU’s General Data Protection Regulation (GDPR), informed and explicit user consent must be obtained before any personal data is collected, i.e. opt-in or prior consent.

Opt-in is a method for consent where individuals actively give their consent by taking a specific action, such as checking a box or clicking a button. Opt-out, on the other hand, assumes consent unless individuals explicitly indicate otherwise, usually through an unsubscribe-type option. It’s important to note that the requirements for obtaining valid consent vary across different jurisdictions and regulations. For example, while the EU uses an opt-in consent model, the data privacy laws in the United States to date use an opt-out model in most cases.

“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. (source: DMA after GDPR’s definition)

DMA’s marketing definitions

The DMA will have a major impact on marketers and businesses selling their goods and services on Google, Amazon, and social platforms. They can expect some significant changes, such as:

• easier ways to advertise products and services on big platforms, giving them more freedom to customize how they present their products
• stricter rules about using people’s personal data for ads
• strict rules regarding remarketing to minors

Therefore, it’s essential to know the marketing terms included in the DMA. Here are the most important ones.

Interoperability

“Interoperability means the ability to exchange information and mutually use the information which has been exchanged through interfaces or other solutions, so that all elements of hardware or software work with other hardware and software and with users in all the ways in which they are intended to function”. (source: DMA)

Interoperability refers to the ability of different systems, platforms, or services to work together effectively and seamlessly. Gatekeepers are required to ensure effective interoperability of their operating systems, hardware, and software. They must also open up their number-independent interpersonal communication services (NI-ICS) and interoperate with other NI-ICS providers. This means that gatekeepers must allow users to switch between different services, access and port their data easily, and ensure compatibility and integration with other platforms or services. For example, users should be able to exchange messages between WhatsApp and iMessage. Interoperability obligations promote competition, user choice, and innovation in the digital market.

Profiling

In the context of the Digital Markets Act (DMA), profiling signifies a multifaceted process of automated data analysis. It involves the systematic use of personal data to gain insights into various facets of an individual’s life, activities, and preferences. These insights may encompass evaluations or predictions regarding an individual’s occupational performance, economic standing, state of health, personal inclinations, interests, trustworthiness, behavior patterns, and even the whereabouts and movements of the person.

“Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”. (source: DMA after GDPR’s definition)

Ranking

Ranking refers to the order in which search results, recommendations, or offerings are displayed or prioritized by gatekeepers. Gatekeepers must apply transparent, fair, and non-discriminatory conditions to the ranking of their own products and services as well as those of third parties. This means that gatekeepers should not favor their own offerings over similar offerings from competitors. The ranking obligations aim to ensure a level playing field and fair competition among businesses operating on gatekeeper platforms.

“Ranking means the relative prominence given to goods or services offered through online intermediation services, online social networking services, video-sharing platform services or virtual assistants, or the relevance given to search results by online search engines, as presented, organized or communicated by the undertakings providing online intermediation services, online social networking services, video-sharing platform services, virtual assistants or online search engines, irrespective of the technological means used for such presentation, organization or communication and irrespective of whether only one result is presented or communicated”. (source: DMA)

Conclusion and next steps

By familiarizing yourself with key terms, such as consent, personal data, gatekeepers, etc., you can navigate the legal terminology and make more DMA-aligned decisions to help ensure your company’s compliance where required.

To take your understanding of DMA terms to the next level, consider the following proactive steps to comply with the DMA:

• Stay updated: Keep abreast of the latest DMA regulations and developments in data protection and privacy. Subscribe to our newsletter to get informed about the latest updates.
• Conduct a compliance audit: Assess your organization’s data processing practices and identify any areas of noncompliance. Scan your website and check its degree of GDPR compliance.
• Educate your team: Provide training and resources to your employees to ensure they understand their responsibilities and obligations regarding the DMA.
• Seek legal advice: Consult with qualified legal and compliance professionals, like a Data Protection Officer, to ensure your marketing practices align with DMA regulatory requirements and best practices.

Remember, understanding DMA terms not only helps protect your business from noncompliance, but also builds trust with your customers. By embracing compliance and incorporating data protection and respect for users’ privacy into your business, you can create a solid foundation for long-term success. 

Usercentrics (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.