What is the Digital Markets Act (DMA)?
The Digital Markets Act (DMA) is a regulation affecting organizations doing business in the European Union. As of November 2022, when it went into effect, it addresses antitrust concerns with large tech companies —gatekeepers— that control a lot of online activity and process massive amounts of consumer data.
The DMA law is meant to impact competition and ensure fairness and transparency from the gatekeepers. Because of their outsize influence on the market and consumers, the DMA applies restrictions to a variety of tech services, including search engines, cloud services, social networks, video-sharing platforms, online advertising networks, and more products and services owned by large digital enterprises.
A major goal of the DMA is to level the playing field for smaller organizations in the digital space, and provide greater protections for user rights and data. For example, there are new restrictions on data access, and users can now uninstall applications preloaded on their phones, in browsers, and on other platforms.
Who are the DMA’s gatekeepers and what do they control?
Big Tech, tech giants, gatekeepers: they all pretty much all refer to the same players. So who has the European Commission (EC) identified as highly influential organizations that strongly impact the market and function between consumers and so many other businesses?
The seven are:
- Alphabet (parent company of Google and Android)
- Amazon
- Apple
- Booking.com
- ByteDance (parent company of TikTok)
- Meta (parent company of Facebook, Instagram, WhatsApp, and others)
- Microsoft (parent company of LinkedIn)
Of these seven companies, all are based in the United States, with the exception of ByteDance, which is Chinese. The EC also listed 23 critical platforms/services run by these gatekeepers:
- 1 search engine (Google)
- 1 video sharing platform (YouTube)
- 1 online travel agency
- 2 large communication services (Facebook Messenger and WhatsApp, both owned by Meta)
- 2 web browsers (Chrome and Safari)
- 3 most popular operating systems (Google Android, iOS, Windows PC OS)
- 3 online advertising services (Amazon, Google, and Meta)
- 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
- 6 intermediation platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
Omissions of note included Korean conglomerate Samsung (market leader for mobile devices running Android), Google’s web-based email service Gmail, and Microsoft’s web-based email service Outlook.
The EC’s explanation for the decision to exclude those providers and services was as follows:
“The Commission has concluded that, although Gmail, Outlook.com and Samsung Internet Browser meet the thresholds under the DMA to qualify as a gatekeeper, Alphabet, Microsoft and Samsung provided sufficiently justified arguments showing that these services do not qualify as gateways for the respective core platform services. “Therefore, the Commission decided not to designate Gmail, Outlook.com and Samsung Internet Browser as core platform services. It follows that Samsung is not designated as gatekeeper with respect to any core platform service.”
What are the gatekeeper’s obligations under the DMA?
The DMA has a compliance deadline for gatekeepers of March 6, 2024 to meet a list of “do’s and don’ts”. These requirements are intended to enhance user privacy and help to ensure fair competition in digital markets.
The “do” list focuses on a wider ecosystem and information sharing. The “don’t” list focuses on disallowing preferential treatment, silos, excessive tracking, and limiting user choices.
How are gatekeepers responding to the DMA?
The response from the tech giants has been mixed. Google has announced that they will be making changes, noting in a blog post: “Our goal is to implement modifications that align with the new regulations, while preserving the user experience and delivering valuable, innovative, and secure products for European users.”
Microsoft welcomed the EC’s decision to open an investigation into potential DMA exemptions for services such as Bing, Edge, and Microsoft Ads. It did note that it accepted its gatekeeper designation.
The DMA’s reception by Apple and TikTok was less positive. Apple expressed ongoing concerns with the DMA law regarding privacy and security risks. Apple’s statement did note a commitment to “mitigate these impacts and continue to deliver the very best products and services to our European customers.”
TikTok’s parent company ByteDance did say it would meet the criteria, while at the same time “fundamentally disagreed with this decision,” disputing whether it should be included on the list at all, and was “disappointed that no market investigation was conducted prior to this decision”.
Meta’s response was more limited, with a spokesperson commenting, “We are evaluating the Commission’s designations and will set out further information in due course as we work to comply with the DMA.”
What does the DMA law require from gatekeepers?
There are three main categories of change or new responsibility for the gatekeeper organizations:
- interoperability and nondiscrimination
- data portability and access
- transparency and profiling
The DMA law’s interoperability and nondiscrimination requirements
A big part of the DMA’s requirements is meant to expand the digital ecosystem in a healthy, sustainable way. Gatekeepers will have to ensure the interoperability of their platforms and services with third parties. Communications and integrations with gatekeepers’ platforms are required. This helps prevent excessive advantage and promotes competition. Gatekeepers cannot favor their services over those of smaller competitors.
Nondiscrimination requirements focus on fair treatment of all businesses, intended to prevent preferential treatment for gatekeepers’ own products and services, or those of favored partners.
The DMA law’s data portability and access requirements
Under the DMA privacy law, gatekeepers cannot prevent users from changing services or service providers. They must have control over their data and be able to transfer it to another service or platform, also known as data portability under many privacy laws.
Users, businesses, and other third parties must also have real-time access to data they generate on gatekeepers’ platforms, if requested. Data access or data subject access requests are a form of this.
The DMA law’s transparency and profiling requirements
Gatekeepers have to provide clear, audited information about how profiling of consumers is performed on their platforms. Much like many privacy laws include requirements about data processing, including purposes and sharing, the DMA requires information to be provided about the purpose, duration and impact of consumer profiling.
Gatekeepers must also ensure efforts are made to obtain user consent, and provide options to enable users to withdraw or deny consent for data collection and use. Overall, the goal is to ensure that consumers are educated and kept informed about what data they provide to companies, how it’s used, and what their privacy rights are.
What are the benefits of the Digital Market Act (DMA)?
While the DMA targets large tech companies, a wide variety of organizations benefit from its requirements.
Consumers: Access to more and improved services, more options to switch providers, direct access to services, more competitive pricing, better data protection.
Businesses: Greater fairness in the market for smaller companies that depend on services provided by the gatekeepers.
Gatekeepers: Maintain opportunities for innovation and rolling out new products and services. Greater clarity about allowed business practices.
Tech startups and innovators: New opportunities to be competitive on online platforms and in the digital ecosystem without having to comply with onerous third-party terms and conditions that stifle growth.
What the DMA means for user privacy and consent management
User privacy and data protection are key goals for the Digital Markets Act, so the law’s impact will be substantial. The DMA restricts the legal bases that gatekeepers can use to process personal data. These organizations can claim legal obligation, vital interest, or public interest, but will need to be able to back them up. User consent is also a viable legal basis, but it must be obtained in a valid way.
Consent marketing emphasizes the importance and benefits of obtaining explicit and informed user consent and ensuring user control over their data before collecting and processing it for marketing operations, so the DMA further supports this.
DMA privacy law requirements for valid user consent
To process users’ personal data for a number of reasons, gatekeepers have to obtain valid consent from them and are prohibited from using manipulative design practices to get it (e.g. dark patterns). Activities requiring prior consent include online advertising or combining personal data from different services. Users must also be informed that they can decline consent and the results of doing so.
DMA privacy law requirements for sharing personal data
The Digital Markets Act aims to remove unfair competitive advantages and information silos among tech organizations with platforms that collect and process consumers’ personal data. It mandates that the gatekeepers share data (with limitations) that they collect—upon request—with other businesses or advertisers operating on their platforms. This helps enable these smaller companies to use user data for targeted advertising or to personalize services as well.
The data sharing must be reasonable and can’t be done in a preferential way, and user privacy and data protection must be a priority.
DMA privacy law on data portability rights
The right to data portability isn’t universal among privacy laws, but is part of the GDPR and the DMA. Gatekeepers must enable users to request their personal data (typically in a commonly usable format) and be able to transfer it to other platforms or services. This right enables users to maintain control over their data and does not penalize them for leaving a platform or stopping usage of a service, It also helps encourage competition among platform providers and others to provide the best experiences and services to users.
DMA privacy law on transparency and user control
It is standard under privacy laws that users must be informed about data collection and use, and the DMA is no exception. Consumers must be able to make informed choices about access to their data and its use, and these notifications about what data is collected, what it’s used for, who it could be shared with, and more, enable that.
Profiling techniques must be clearly explained by gatekeeper organizations, and users must be asked for consent prior to organizations using targeted advertising. Users must also be able to decline or withdraw their consent at any time.
DMA law compliance and consent management platforms
All companies that collect and use consumers’ personal data have responsibilities to inform users about data collection and use, as well as to obtain it in a compliant way (e.g. with consent) and manage and share it securely. This includes gatekeepers and the third-party organizations that use their services.
There is more to be determined regarding exactly how gatekeepers and third parties, like advertisers, will achieve compliance and data use, and what the exact legal and technical requirements will be. However, existing privacy laws, like the GDPR, already provide strong requirements and best practices for companies doing business in the EU, and the DMA works in conjunction with existing (and potentially future) regulations.
Third parties that use gatekeepers’ platforms and services, like websites and apps, will be key in the collection of user consent before personal data is collected and used. While the gatekeepers will be required to comply with the DMA, these smaller companies that use their platforms and do business with them will be on the front lines, so to speak, with user engagement, obtaining consent, etc.
A consent management platform can be a key tool in obtaining compliant consent from users for data use. Consent management platforms (CMP) like Cookiebot™ consent solution and Usercentrics CMP are already valuable tools for organizations of all types and sizes to obtain valid user consent and comply with data privacy laws.
Usercentrics, the parent company of Cookiebot™, is closely monitoring developments to ensure that solutions provided meet the Digital Markets Act (DMA) and other relevant regulations now and in the future.
Implementation challenges and future implications of the DMA law
While the gatekeepers and other organizations already have to comply with existing privacy regulations, the DMA will require additional efforts and will likely present some challenges.
Needed adaptations of data collection and processing practices, technology updates and changes, and other actions will likely be needed to meet DMA compliance requirements. Regulators will play an important role in enforcement and ensuring gatekeepers’ actions meet requirements and don’t just pay lip service to data sharing requirements and other actions.
The Digital Markets Act and its role in the digital world
The DMA represents further strengthening of consumers’ rights regarding their personal data, as well as ensuring protection of the data and those rights. The obligations that the identified gatekeepers have to comply with the DMA and restrictions placed on these companies also helps to level the playing field of digital markets and help smaller organizations compete globally. This will also foster better innovation and enable improved online experiences for users. The DMA aims to help create a more transparent and user-centric digital ecosystem.
We’ll make sure to keep you informed about the implementation of this regulation and the implications of other privacy laws. To receive updates directly to your inbox, subscribe to our newsletter.
Usercentrics (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.