What you need to know to comply with the Digital Markets Act (DMA)

The DMA came into force in November 2022, and has been applicable since May 2023. Designated gatekeepers have until March 6, 2024 to comply with the Act’s requirements. This means that the companies that do business in the European Union (EU), European Economic Area (EEA) and United Kingdom (UK), and that use the gatekeepers’ platforms and services, will also likely be required to comply to maintain access to gatekeepers’ platforms for business operations and revenue.

Gatekeepers in violation of the DMA can be fined up to 10% of annual global turnover, or up to 20% for repeated infringements. Failure to meet compliance requirements that the gatekeepers set would potentially mean loss of access to gatekeepers’ platforms and services for third-party companies relying on them, which could result in significant loss of data, audience and revenue.

The DMA’s requirements are similar in many respects to those of the EU’s General Data Protection Regulation (GDPR), but are broader in some ways, addressing additional access to and uses of end users’ personal data. The Digital Markets Act aims to help ensure healthy competition from smaller, non-gatekeeper companies, greater transparency and choice, and more open digital markets.

The Digital Markets Act was passed along with the Digital Services Act in the Digital Services Act package. Learn about the key differences between the Digital Markets Act and the Digital Services Act: DMA vs DSA.

In the Digital Markets Act, to date the European Commission (EC) designated six “gatekeeper” organizations, chosen as such due to the size, reach and global influence of the platforms and services they own:

• Alphabet
• Amazon
• Apple
• ByteDance
• Meta
• Microsoft

The gatekeepers have to ensure that their platforms comply with the DMA by March 6, 2024, else they risk substantial fines and additional penalties.

These requirements also mean that the many companies that use the gatekeepers’ core platform services likely also need to comply with the Act if they want to keep using them. This includes companies that collect and process user data for their own operations, or access data collected by the gatekeepers.

Companies that collect and use the personal data of users in the EU/EEA and UK must already ensure they obtain valid prior consent (opt in) from online users of these platforms and services, under the GDPR. This includes gatekeepers and third parties that use their platforms, services, and data. If your organization is one of these, e.g. advertising on one or more of the platforms, you need to comply with the Digital Markets Act.

That means you need a consent management solution to ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data. Third parties also need to be able to signal valid consent to the gatekeepers in the course of using their platforms and services to be ready for the DMA.

The gatekeepers provide 22 identified core platform services (CPS) that are required to comply with the Digital Markets Act due to their enormous reach, audience, and data generated:

• 6 intermediary platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
• 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
• 3 online advertising services (Amazon, Google, and Meta)
• 3 operating systems (Google Android, iOS, Windows PC OS)
• 2 web browsers (Chrome and Safari)
• 2 large communication services (Facebook Messenger and WhatsApp)
• 1 search engine (Google)
• 1 video sharing platform (YouTube)

The third parties that use these CPS also need to comply with the DMA or risk losing access to gatekeepers, their platforms and services, and the data and revenue they generate.

User privacy and consent under the Digital Markets Act follow the same requirements as the GDPR and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before any personal data is collected.

Users must also be able to change their consent preferences or withdraw consent at any time, and companies must be able to prove consent in the event of an audit by data protection authorities.

A consent management platform (CMP) enables companies to notify users about the collection and use of their data, provide consent options, store this information securely, and signal it to third parties, like the gatekeepers. Companies using Google services must also support the most up to date version of Google Consent Mode. Usercentrics and Cookiebot CMPs support the latest version of Google Consent Mode.

The Digital Markets Act requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:

• process personal data for providing advertising service using CPS
• combine personal data from CPS with data from other CPS or services provided by the gatekeepers
• cross-use personal data from CPS in other services provided by the gatekeeper or CPS
  and/or
• sign end users in to other services in order to combine personal data

In addition to the DMA’s requirements regarding the rights and protections afforded to end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.

Some of the key requirements are:

• allow the use of third-party apps on gatekeepers’ operating system(s)
• allow access to data generated on CPS
• do not allow gatekeepers’ services to be more favorably ranked
• do not track end users outside of the gatekeepers’ CPS for the purpose of targeted advertising without obtaining consent
• enable pre-installed apps to be uninstalled
• enable settings to be changed on operating systems or browsers that lead to the gatekeepers’ products and services
• allow business users to offer their products and services on third-party platforms or their own platform for the same price as on the gatekeepers’ platforms and services
• provide advertisers and publishers information about advertisements placed, remuneration and fees, and metrics free of charge

In alignment with the GDPR and other data privacy laws, the Digital Market Act’s conditions for valid consent are:

Explicit: Active acceptance required, e.g. ticking a box or clicking a link.

Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?

Documented: You have the burden of proof of consent in the case of an audit.

In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.

Granular: Individual consent for individual purpose, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.

Freely given: Equally accessible and easy to use “Accept” and “Deny” options, e.g. buttons all on the first layer of the CMP. Do not manipulate users’ choices via design.

Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.

On websites, in apps, and on other connected platforms, the GDPR requires consent to be obtained for the use of cookies and other tracking technologies. This has made cookie banners or similar consent management tools a common sight. But many companies with EU users are still not compliant with the GDPR. This also means they won’t be compliant with the Digital Markets Act, and risk access to the gatekeepers’ platforms and services, including advertising with Google.

A consent management platform can be implemented on websites, apps, and other platforms in minutes, and customized for your company branding, the cookies and other tracking technologies you use, and more.

Usercentrics has Europe’s leading CMP that enables stringent regulatory compliance, including with the Digital Markets Act, right out of the box. It’s built on state of the art technology that scans deeper for cookies and has automated functionality to help you maintain DMA compliance without having to dedicate a lot of tech or legal resources. It also enables companies to meet consent management requirements to maintain access to the gatekeepers’ platforms and services without disruption.

Learn more about how the DMA law affects user privacy and consent management.

European authorities have shown they are serious about data privacy compliance and regulatory enforcement, and the Digital Markets Act will extend that commitment. The European Commission can impose fines for DMA violations on gatekeepers of up to 10% of the company’s annual global turnover, 20% in cases of repeated infringement. The Commission can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.

Third-party companies using gatekeepers’ services can lose access to the platforms, data, customers, and revenue if they are found to be noncompliant with the Digital Markets Act. Additionally, DMA violations would also quite possibly violate other privacy laws, like the GDPR, which come with a whole additional set of penalties. The likely result would be a serious hit to brand reputation and customer trust, which would negatively affect revenues and future growth.

Your implementation will depend on your platform, CMS, tools used, e.g. GTAG, Google Tag Manager, etc. However, Usercentrics CMP integrates into all the leading web and app platforms, like WordPress, Magento, Wix, Squarespace, Shopify, Prestashop, and more.

1. Select a flexible, reliable consent management platform that can be customized to your needs and will be easy to maintain by technical or non-technical staff
2. Implement the CMP according to your website setup—via direct integration, head tag, Google Tag Manager, etc.—and the tools you have integrated, including those of the designated gatekeepers under the DMA
3. Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
4. Ensure your privacy policy is up to date regarding your specific data processing activities
5. Activate Google Consent Mode signaling
6. Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
7. Start collecting Digital Markets Act-compliant consent from users

The data privacy landscape will continue to evolve. If the passing and enforcement of privacy laws in recent years is any indication, data privacy interest, regulation and expectations are also likely to continue to increase around the world. Tech giants receive a lot of scrutiny due to the size of their audiences and customers and the enormous amounts of data they generate, obtain and use.

But many smaller companies are part of this tech and data ecosystem, and so also have responsibilities under data privacy laws, particularly if they want to retain their access to these platforms and services and their data to grow their user base and revenue.

Consent management solutions are an important part of companies’ ability to meet data privacy requirements today and in the future, and to be able to adapt quickly to new laws and responsibilities. It’s also a great way to show users that you respect their privacy and treat their data with care and security, providing them freedom of choice to build trust and long-term custom relationships.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.