The Digital Markets Act (DMA): DMA compliance for companies

Author

Read time

19 mins

Published

Oct 6, 2025

Summary

The Digital Markets Act (DMA) has reshaped how large online platforms — and their millions of business customers — handle privacy, transparency, and user consent. This guide explores DMA compliance requirements, its impact on user experience and privacy, technical aspects like APIs and CMS integration, risks of noncompliance, and practical steps for companies to build trust and growth.

The Digital Markets Act has become a defining regulation for digital markets in the European Union, European Economic Area, and United Kingdom since it became enforceable in March 2024. It is designed to create fairer competition, give users more control over their personal data, and restrict monopolistic behaviors of the designated gatekeepers.

While the primary targets are the largest tech platforms, businesses of all sizes are impacted by the requirements as the gatekeepers seek to achieve compliance across the digital ecosystem. To remain competitive, compliant, and trustworthy, companies must adapt their technical systems, legal practices, and user experiences to align with the DMA.

Key takeaways

The DMA explicitly applies to gatekeepers, but its requirements affect all businesses relying on their platforms and services and operating in EU digital markets.
DMA compliance focuses on transparency, interoperability, and giving users meaningful control over their data.
Explicit consent is required for combining or cross-using personal data across services.
Companies must balance seamless user experience with strong privacy protections in consent flows. Users now have more rights and more ways to exercise them.
APIs and CMS integrations play a critical role in ensuring interoperability and transparency.
Noncompliance can result in fines up to 10 percent of global annual revenue, or 20 percent for repeat violations. DMA violations can also be violations under laws like the GDPR.
Enforcement is intensifying across the EU, with regulators prioritizing user rights and fair competition. Fines have already been levied in the hundreds of millions to multiple billions of Euros.
Consent management platforms (CMPs), like those from Usercentrics, help organizations operationalize DMA compliance.

The European Digital Markets Act (DMA): the basics

The Digital Markets Act is meant to better control the business practices of large tech platforms in European digital markets, and provide more protection and choice to consumers. We provide an overview of the purpose of the law, the gatekeepers, enforcement, and the DMA’s timeline.

Purpose and goals of the DMA

The DMA’s overarching mandate is to enable healthier competition in digital markets and reduce monopolistic practices. Specifically, it is meant to:

Provide smaller businesses with fairer opportunities to compete against dominant gatekeepers
Give consumers greater transparency and genuine choice when choosing and interacting with digital services
Strengthen privacy protections and require explicit consent before combining or cross-using personal data
Ensure more open digital markets through measures such as interoperability, fair access, and data portability

The DMA’s requirements share similarities with the General Data Protection Regulation (GDPR), particularly around consent, but the DMA goes further. It covers how platforms grant access, share data, and allow business users to compete, not just how they process personal data.

Who does the DMA apply to?

The DMA directly applies to companies that have been designated “gatekeepers,” which are large digital platforms providing core platform services, such as search engines, app stores, online advertising, and social networking.

There were six designated gatekeepers when the DMA came into effect in May 2023:

Alphabet (Google)
Amazon
Apple
ByteDance (TikTok)
Meta (Facebook, Instagram, WhatsApp)
Microsoft

Booking.com was added in May 2024. These gatekeepers owned and operated what have been designated as core platform services. These are defined as digital services provided by gatekeepers that play a critical role in linking businesses with consumers.

They include online intermediation services, search engines, social networks, video-sharing platforms, operating systems, web browsers, cloud services, advertising services, and messaging or communication services.

Because of their global scale, massive user base, and influence, these services are subject to stricter rules to ensure fair competition, transparency, and greater user choice.

As noted, however, the DMA’s influence reaches third-party companies as well. As Tilman Harmeling, Senior Expert, Privacy at Usercentrics, explains:

“Third-party companies are required to follow the guidelines of the gatekeepers, which are about providing a fair competitive market environment and prevention of market abuse. Therefore the gatekeepers adjusted their platform services on aspects like fair access, transparency, data portability and therefore non-exclusivity and so on. The users of the platform services have to comply.”

For businesses that rely on gatekeeper platforms — for example, advertisers using Google Ads or app developers publishing in Apple’s App Store — this means following the DMA-aligned rules those platforms implement.

What are third-party companies’ rights under the Digital Markets Act?

In addition to the DMA requirements of gatekeepers and regarding the rights and protections for end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their core platform services.

Enable the use of third-party apps on gatekeepers’ operating system(s)
Enable access to data generated on core platform services (CPS)
Do not rank gatekeepers’ services more favorably than third parties’
Do not track end users outside of the gatekeepers’ CPS for the purpose of targeted advertising without obtaining consent
Enable uninstallation of pre-installed apps
Enable changes to default settings in operating systems or browsers that otherwise direct users to gatekeepers’ products and services
Enable business users to offer their products and services on third-party platforms or their own platform for the same price as on the gatekeepers’ platforms and services
Provide advertisers and publishers with information about advertisements placed, remuneration and fees, and metrics free of charge

As Tilman Harmeling notes,

“The DMA provides third-party companies with several rights, which aim to create a more competitive and fair digital marketplace by preventing gatekeepers from abusing dominant positions and ensuring that third-party companies can compete on equal terms. These rights can be found in Chapter 3 of the DMA.”

Timeline of the DMA

The DMA was passed in November 2022 and came into force in May 2023. However, there was a grace period before enforcement began in early 2024. Designated gatekeepers were required to comply by March 6, 2024.

Booking.com, which was only designated in May 2024, has until November 2024 to comply. Enforcement actions began quickly, with investigations into Alphabet, Apple, and Meta launching the same month as compliance requirements began.

For third-party businesses, the timeline is equally important. Any company operating in the EU, EEA, or UK that relies on gatekeeper platforms to process consumer data must ensure that its use of those services aligns with DMA-compliant practices.

Learn more about the DMA and its impacts on businesses, from startups to global enterprises.

Who enforces the DMA?

The European Commission (EC) is the body responsible for designating gatekeepers, monitoring compliance, and enforcing penalties. Its enforcement powers are extensive:

Fines of up to 10 percent of a gatekeeper’s global annual turnover, rising to 20 percent for repeat infringements
Behavioral or structural remedies, including forcing a company to divest part of its business
Blocking acquisitions that could reinforce anti-competitive behavior

Noncompliance could result not only in lost platform access, but also in reduced personalization functionality for advertising, leading to significant losses in data, audience, and revenue.

The EC has already demonstrated its willingness to act. In April 2025, it fined Apple and Meta EUR 500 million and 200 million, respectively. In September 2025, it fined Google EUR 2.95 billion for abusive practices with online ad tech.

Digital Markets Act impact on core platform services and users

The Digital Markets Act (DMA) directly affects the gatekeepers’ core platform services, which include the digital tools and environments people use every day — from search engines and browsers to messaging apps and social networks.

These changes influence how platforms collect and use data, how they treat competitors, how users experience online services, and how the services themselves will evolve. The regulation emphasizes transparency, consent, interoperability, and fair competition, reshaping the relationship between platforms and their users.

Social media companies rely heavily on personal data to target advertising and personalize content. Under the DMA, they must adopt clearer consent processes and limit how data is shared across services.

Platforms must obtain explicit, informed consent before processing data for advertising.
Users can decline or withdraw consent without losing access to core functionality.
Gatekeepers cannot freely combine data from multiple platforms they own, e.g., Facebook, Instagram, and WhatsApp from Meta, without explicit user consent.
Data portability enables users to move their data to competing platforms.

DMA and search: Google Search

As the only search engine currently designated a core platform service, Google faces strict new obligations:

Search results may no longer prioritize Google’s own services over competitors’ (“no self-preferencing”).
Users can more easily switch to competing search engines.
Data portability helps ensure that search history and preferences can be transferred to alternatives such as Bing or DuckDuckGo.

DMA and advertising: Google, Microsoft, Amazon, and Meta

Digital advertising is central to gatekeepers’ — and their customers’ — revenue, and the DMA raises the bar for transparency and consent requirements:

Explicit user consent is required before personal data can be processed for advertising or profiling.
Pre-ticked boxes or inactivity can no longer count as consent.
Platforms must be transparent about how advertising data is used and provide easy-to-understand policies.
Sharing personal data across services for ad targeting requires clear opt-in consent.

DMA and web browsers: Chrome and Safari

Browsers are many people’s main gateways to the internet, and the DMA introduces obligations to ensure user privacy, improved user experience, and better competition.

Users must be informed and give consent before personal data such as browsing history or autofill information is collected.
Browsers must ensure fair treatment of websites and services, avoiding preferential treatment.
Interoperability requirements may mean more support for third-party plugins and extensions.

DMA and operating systems: Google Android, iOS, Windows PC OS

Operating systems are under scrutiny because of their control over browsers, app ecosystems, and default settings.

Gatekeepers must allow the installation of third-party app stores, increasing consumer choice and developer opportunities.
Users should be able to uninstall pre-installed apps and change default settings more easily.
Choice screens must let users select preferred apps (e.g., maps or browsers) during setup, reducing lock-in.

DMA and messaging services: WhatsApp and Facebook Messenger

Messaging apps are central to user communications and will need to adapt to interoperability requirements.

Gatekeepers must enable messaging across platforms, so users of apps like Signal or Telegram can exchange messages with WhatsApp or Messenger users.
Meta is already developing features like “third-party chats” to meet this obligation.
While this expands choice and competition, it raises concerns about the impact on end-to-end encryption and security.

What is DMA compliance?

The Digital Markets Act (DMA) is a European Union regulation that sets out obligations for gatekeepers that have entrenched market power. These companies must follow strict rules to ensure fair competition, and those effects ripple outward to the many businesses that depend on them.

For example, advertisers using Google Ads or developers publishing apps in Apple’s App Store must follow DMA-aligned processes to keep access to those platforms.

DMA compliance, therefore, means more than following the letter of the law. It encompasses adopting practices that enable transparency, interoperability, and user choice. Even small and midsize businesses need to pay attention, as their operations often intersect with gatekeeper-controlled environments.

DMA compliance requirements

The DMA introduced a broad set of requirements, but several areas are especially relevant for businesses. These focus on how personal data can be used, how services interoperate, and how users are treated when interacting with digital platforms.

Like the GDPR, under the DMA user consent must be obtained for collection and use of personal data in many cases. It must be freely given, specific, informed, and unambiguous, with a clear affirmative action.

This affects the design and function of consent banners, as users must receive clear, easily understood information about their rights and choices, and have user-friendly ways to exercise them.

There is added complexity of companies’ needing to comply with multiple regulations, including the GDPR and country-specific consent and cookie banner requirements. This makes robust geolocation functionality in your consent management platform critical for accuracy to mitigate noncompliance risks.

From compliance to conversions: Best practices for cookie banners.

Effective consent flows under the DMA should be transparent, simple, and respectful of user choices. They need to reflect the variety of purposes and choices users now have, and must present options in a clear way, avoid manipulative dark patterns, and enable granular decision-making across different purposes.

Declining consent should not block access to a core platform service. Companies that implement thoughtful, user-friendly consent processes can differentiate themselves by showing commitment to privacy and seamless user experience.

Companies also need to be able to provide proof of consent to gatekeepers to retain access to critical platforms. This is where your CMP needs integration with tools like Google Consent Mode, Microsoft UET Consent Mode, and Amazon Consent Signal to signal consent choices to those companies’ services to control their function.

Restrictions on combining data for profiling

The Digital Markets Act has stringent requirements when it comes to combining user data across the different platforms gatekeepers operate and between platforms owned by a gatekeeper and third-party platforms.

Art. 5 (2) DMA specifically states that unless end users have been presented with a specific choice and provided GDPR-compliant consent, gatekeepers cannot:

Process the personal data of end users who are using third-party services that use gatekeepers’ core platform services for the purpose of digital advertising
Combine personal data from relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services
Cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa
Sign in end users to other services of the gatekeeper in order to combine personal data

The goals here are to prevent gatekeepers from gaining an unfair advantage by pooling user data from multiple sources, and to protect user privacy. Gatekeepers and third-party businesses are restricted from using data across multiple platforms to profile customers for targeted advertising.

User profiling under the DMA

Profiling of minors is already prohibited under the GDPR, but the Digital Markets Act does not prohibit profiling altogether. Gatekeepers need to be transparent about how they carry out user profiling.

They must provide audited information about what data is collected, how it’s processed, for what purposes, how long it will be stored for profiling purposes, and what impact profiling will have on the gatekeepers’ services.

Gatekeepers also have to show how they’re informing users about the profiling, how they’re obtaining valid consent, and provide users with the option of denying or withdrawing consent — for profiling, but also for data collection broadly. Users who decline or withdraw consent can’t have their data used for profiling.

Learn more: Get our guide on the future of data in marketing. Harness first-party data and advanced measurement tools to drive results while protecting your business.

Prohibition on self-preferencing

Gatekeepers cannot self-preference their own products in rankings, and must enable users to easily uninstall pre-installed apps or switch to alternative services. Businesses interacting with these platforms must be aware of these obligations, because they will shape the technical and commercial relationships they rely on.

Impact on user experience

One of the most visible outcomes of the DMA is its influence on how individuals can interact with digital services. Consent requirements are one, but requirements like data portability, interoperability, and prohibitions on self-preferencing also directly impact users.

People can source apps from outside the dominant app stores. They can delete pre-installed apps they don’t want. And they can exercise competitive choice by more easily moving to new providers while taking their data with them.

Companies have strong incentives not only to comply with privacy best practices, but to push for innovation in products and services and exceptional customer service to attract and retain customers in this more competitive landscape.

Accelerate your growth while protecting your business

Businesses face privacy demands from all sides — regulations, partners, and customers. Enhance digital strategy, maintain compliance, and build trust with Privacy-Led Marketing.

Explore the guide

Technical compliance: APIs and CMS integration

Meeting DMA requirements is not only a legal exercise; it also presents technical challenges. Gatekeepers must provide interoperability through APIs, and companies need to be prepared to use them. This affects how data is shared, how consent is transmitted, and how businesses integrate with gatekeeper services.

APIs are essential for ensuring that user data can be accessed or ported in a user-friendly way. Similarly, CMS platforms must work seamlessly with consent management tools to ensure that consent signals are properly captured, stored, and transmitted.

For developers, this means paying attention to security, scalability, and the evolving requirements set by both gatekeepers and regulators.

Here are just some of the integrated Usercentrics API product features:

Automated website scan of cookies and trackers, with classifications that website owners can control
Automatic blocking of cookies and trackers until consent is obtained
Automated cookie declaration, widget, and legal text setup and maintenance
Customizable banner template for appearance, text, languages, and geolocation

Platforms that use the Consent Management API have a competitive advantage and deliver benefits to developers and their customers. Make it easy to achieve and maintain privacy compliance.

Robust APIs and documentation make it easy to integrate with popular CMS and other platforms
Pre-built, customizable consent banner templates and popups that website owners can easily add to their sites without coding
Display banners based on user location, language, or website content to obtain legally compliant consent according to applicable data privacy laws around the world
API infrastructure can be implemented at scale, accommodating tens of thousands of websites and handling large numbers of consent banners efficiently and securely
Competitive pricing that’s designed to scale with your business, so you can increase average order value, upsell to existing customers, and activate legacy customers
Increase customer loyalty and reduce churn with a more comprehensive solution that includes data privacy compliance
Build a privacy-first reputation to differentiate yourself from competitors and stand out as a platform that is committed to flexible, scalable, user-friendly data privacy

Interoperability, data protection, and Google services

Alphabet, Google’s parent company and one of the designated gatekeepers under the DMA, has implemented various measures to comply with the DMA’s requirements. More changes are likely to come as Google remains somewhat at odds with the European Commission.

Some of these measures are related to interoperability and data protection and impact both EU and UK consumers and businesses.

Google DMA changes for consumers

Web browsing: Users will see a choice screen enabling them to choose their default browser and default search engine on Android. Non-Android users will receive only the default search engine choice screen.
Third-party apps and app stores: It’s easier for users to understand how third-party apps and app stores collect, handle, and share their personal data. Developers have a more transparent way to share this information, including adding a clear link to the app’s privacy policy, helping users make informed choices about granting access to permissions.
Data portability: Users can share a copy of their data from Chrome, Google Maps, Play Store, Google Search, Google Shopping, and YouTube with third-party apps and services.
Data sharing and additional consents: Users can select which Google services they’d like to link which can share data between them.

Google DMA changes for businesses

Third-party apps and app stores: Several improvements for third-party apps and app stores in Android 14, including app updates that trigger only when the app is not in use.
Billing options: Businesses can offer their own billing system for users to complete in-app purchases alongside, or instead of, purchases made through the Play Store.
Communication outside the app: Developers of apps distributed on the Play Store can lead users away from their app to promote offers.
Google-certified CMP for advertising: Publishers and advertisers must use a Google-certified consent management platform to continue serving ads to EU and UK users to enable GDPR/UK GDPR compliance. This step also promotes the DMA’s transparency and data protection objectives.

CMPs play a crucial role in enabling companies to comply with the DMA and gatekeepers’ policies as they evolve.

An organized way to obtain, manage, document, and signal user consent across digital platforms
Designed to quickly adapt to regulatory and policy changes with automated updates to support ongoing compliance and mitigating risks as laws, technologies, and operations change
Support transparency and accountability for data processing activities by recording consents and updates to preferences over time, and providing a clear audit trail for how user data is being handled
Default integration of Google Consent Mode v2, like in Usercentrics CMP, enables websites to adjust the operation of Google services based on user consent, respecting privacy choices without compromising collection of essential data analytics
Google-certified CMPs, like Usercentrics CMP, enable websites and apps to meet the requirements of IAB Europe’s Transparency & Consent Framework (IAB TCF v2.2), a standardized approach for managing user consent across the advertising ecosystem

Step-by-step CMP DMA compliance checklist

Many companies that rely on gatekeeper platforms in the EU, EEA, and UK must meet DMA requirements. If you already comply with GDPR, you are partly prepared, but additional steps are often necessary. This checklist outlines a streamlined path to ongoing compliance.

Use a CMP to collect, store, and signal valid user consent.
Provide clear information about what data is collected, why, and who can access it.
Customize consent flows and privacy notices to align with regulatory requirements.
Integrate with your CMS, apps, and advertising tools.

Match the banner design with your website’s branding to promote trustworthiness and consistent user experience.
Use clear language to explain purposes of cookies and data use, ideally with geolocation support to display information in relevant local languages.
Scan for and specify categories of cookies and their functions.
Activate Google Consent Mode — enabled by default in Usercentrics CMP — and/or other consent signaling tools, like from Microsoft or Amazon, to meet platform requirements.
Enable users to easily review and change their consent preferences at any time.

Place banners prominently without blocking site access.
Present accept/deny options equally, avoiding dark patterns.
Offer granular controls (e.g., by cookie category.)
Keep the interface flexible with easily accessible settings so users can update preferences anytime.
Regularly review and update your privacy policy to reflect changes in laws, business operations, or technologies in use.

Step 4: Monitor and audit data operations and privacy compliance

Conduct periodic audits of data processing and consent practices.
Review settings regularly to keep pace with regulatory changes.
Keep secure, detailed records of user consent for proof of compliance or DSARs.
Stay up to date on guidance from the European Commission and data protection authorities.

SMB vs. enterprise strategies for DMA compliance

Small businesses benefit from solutions that are quick to implement, like Usercentrics Cookiebot CMP, which provide automated compliance with minimal technical effort.

Enterprise organizations with more complex needs can meet compliance requirements with Usercentrics Web CMP, which provides advanced integrations and in-depth analytics for multi-platform and multi-market operations. Each company’s roadmap should reflect its size, resources, and regulatory risk profile, as well as its growth plans.

Data privacy compliance isn’t just for websites and apps. Get our guide on social media and email marketing compliance. Learn how to protect your business, build trust, and drive sustainable growth.

Example compliance scenarios

Consider an e-commerce company that advertises with Google Ads. Under the DMA, it must use compliant consent flows that align with Google’s EU user consent policy to maintain ad performance.

Similarly, an app developer using multiple advertising networks must integrate an in-app CMP like Usercentrics App CMP to obtain and signal consent before serving personalized ads. These scenarios illustrate that DMA compliance is not abstract — it has direct operational and commercial implications.

Make smarter data-backed, privacy-led decisions with our marketing measurement guide

Risks of DMA noncompliance

The risks of ignoring the DMA because you’re not a gatekeeper are significant and extend beyond financial penalties. The European Commission can — and already has — imposed fines of up to 10 percent of global annual revenue, or 20 percent for repeat violations.

Gatekeepers are not going to expose themselves to unnecessary noncompliance risks from their customers. Removing a small customer’s access to Google Ads or Google Analytics isn’t a big deal to Google, but could be a major operational or financial problem for the company that’s not meeting requirements.

Noncompliance also carries reputational risks. Consumers are increasingly aware of their data rights, and failure to respect those rights can damage trust and loyalty. For many companies, the long-term cost of losing customer confidence could exceed the cost of regulatory penalties. Potential advertisers, partners, and investors can also be scared off, affecting future growth.

How Usercentrics helps with DMA compliance

A flexible, scalable CMP is a vital tool for achieving and maintaining DMA compliance. Usercentrics helps businesses capture, store, and transmit valid consent signals while maintaining a user-friendly experience, whether your privacy compliance needs are for digital operations in European, American, or global markets.

Whether you’re an indie game developer or a Fortune 500 company, Usercentrics CMPs are Gold Tier Google-certified CMP partners that integrate seamlessly into your tech stack, and can be fully customized to your branding and regulatory needs. Protect your business, build trusted, long-term customer relationships, and turn privacy compliance into a competitive advantage.

Still have privacy compliance concerns?

Data privacy is complex and evolving. Book your free demo today — let’s discuss how to protect your brand and business.

Book demo

Celestine Bahr

Director Legal, Compliance & Data Privacy, Usercentrics GmbH

Stay in the loop

Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.

Frequently asked questions

The Digital Markets Act (DMA) is a European Union (EU) regulation designed to create an open and fair digital market with strong protections for consumers’ personal data.

It targets large online actors — or gatekeepers — that have a significant impact on the market due to their size and reach, as well as the nature of their businesses.

The Act aims to provide better services and more choice for consumers while also creating a more equitable environment for smaller businesses and startups. It does this by setting clear rules that prevent gatekeepers from engaging in unfair practices that could stifle competition and innovation.

The Digital Markets Act (DMA) applies within the European Union (EU), European Economic Area, and United Kingdom.

It targets gatekeepers, which are large digital platforms with a significant reach, like Google, Amazon, and Apple, that have a presence in countries throughout the region.

Although the provisions of the Act are only applicable in the EU/EEA and UK, it’s likely that regulators from other countries and regions will use the DMA as a jumping-off point for formulating additional data privacy laws and guidelines.

As such, it’s possible that the spirit of the DMA — creating a more even playing field within digital markets — as well as the repercussions for going against it, will be relevant across the world.

Digital Markets Act (DMA) compliance refers to the adherence of gatekeeper companies and their platforms to the requirements and prohibitions set out in this regulation.

This includes allowing interoperability with third-party services, giving business users access to specific data, and disallowing gatekeepers from favoring their own services over those of third parties.

To be compliant, gatekeepers are required to submit reports demonstrating their adherence to the Act within six months of being designated as a gatekeeper and provide updates at regular intervals set by the European Commission (EC).

Failure to do so may result in fines of up to 20 percent of these businesses’ global revenue or even divestitures.

The Digital Markets Act (DMA) applies to seven large digital platforms identified as gatekeepers by the European Commission (EC).

These are global companies with significant economic power, extensive user bases, and established market positions. Their activities are being regulated in order to prevent abuse, as well as to help ensure fair competition and innovation in the digital market, along with maintaining high standards for data privacy.

To qualify, a platform must have an annual turnover of at least EUR 7.5 billion in the EU, a market capitalization of at least EUR 75 billion, provide services in at least three EU countries, and have more than 45 million monthly active users.

The EC has designated seven gatekeepers: Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta and Microsoft.

The European Commission (EC), the politically independent arm of the European Union (EU), is responsible for enforcing the provisions of the Digital Markets Act (DMA).

The implementation of the Act is specifically overseen by joint teams from the Directorate-General for Competition (DG COMP) and the Directorate-General for Communications Networks, Content and Technology (DG CONNECT).

In addition to being tasked with ensuring that gatekeepers comply with the DMA’s rules and regulations, these bodies are empowered to investigate gatekeepers’ business practices and are responsible for making recommendations to the EC about penalties for noncompliance as well as the designation of new gatekeepers.

The Digital Markets Act (DMA) aims to create a fairer competitive environment that will enable smaller businesses to innovate and compete in the digital market without facing discriminatory practices.

In line with this, third-party companies interacting with gatekeepers have several important rights under the DMA. These include the right to access data generated through the use of the gatekeeper’s platform; the ability to promote offers and conclude contracts with users outside of the gatekeeper’s platform; and the right to interoperability with the gatekeeper’s services.

By providing third-party companies with these rights, the DMA aims to create a more dynamic and open digital market that will benefit both businesses and consumers.

Being compliant with the General Data Protection Regulation (GDPR) does not mean that your business will automatically be compliant with the Digital Markets Act (DMA). The DMA targets gatekeepers or large businesses with extensive user bases and market power, while the GDPR focuses on regulating data privacy for individual users of digital services.

Although the DMA’s requirements are more extensive, much of the Act is only applicable to gatekeepers. However, many of the data privacy requirements created by this regulation are passed down to third-party companies that use gatekeepers’ services. The rules around this use, for example, those set out requiring the use of Google Consent Mode v2, will vary depending on the gatekeeper with which a third-party is interacting and which of their services are in use.

Fines can reach up to 10 percent of global annual revenue, or 20 percent for repeat violations. The European Commission also has the authority to impose additional measures such as restrictions on services or divestiture. Companies that aren’t gatekeepers can lose access to platform features like personalization, and may also incur GDPR penalties for violations of that regulation.

Yes. Even though the law directly targets gatekeepers, small businesses that rely on gatekeeper platforms must meet compliance obligations to maintain access and avoid losing essential business functionality.

APIs provide the interoperability that the DMA requires. They enable businesses to exchange data fairly with gatekeepers and allow users to port their information between services in a transparent way.

Companies should focus on transparency and usability. Consent flows must present options clearly, avoid manipulative designs, and enable users to choose granular preferences without penalizing those who decline. Many of the requirements for valid consent under the GDPR and other laws also apply under the DMA.

Industries that operate in digital markets and that rely heavily on gatekeeper platforms are most impacted, including app developers, e-commerce retailers, advertising technology providers, and SaaS businesses.

Article