The Digital Markets Act (DMA) for global brands: enhancing enterprise growth and success

The Digital Markets Act (DMA) is a regulation aimed at protecting user privacy and creating fair competition among digital companies. While the act primarily applies to users in the European Union (EU) and/or European Economic Area (EEA), its influence promises to be felt worldwide. Any global enterprise brand with a user base in these regions from whom it collects personal data must pay close attention to the Digital Markets Act. It presents both challenges and new avenues for growth and competitive differentiation.

We explore the implications of the Digital Markets Act for global enterprise brands, the role of consent in gathering compliant data, and the concrete steps enterprises should take to get ready for the regulation.

Gatekeepers under the Digital Markets Act are companies that meet certain financial and audience thresholds laid out by the European Commission (EC). They also own and operate what have been designated as core platform services that businesses use to reach their audiences. These large tech companies must fulfill these criteria for three successive financial years.

Companies that meet these requirements don’t automatically become gatekeepers. They are designated as such by the EC, which named six companies as gatekeepers in September 2023 and may add more over time.

The DMA’s compliance rules and potential penalties specifically target gatekeepers. Global brands and enterprise companies, however large, don’t fall under the purview of the Digital Markets Act if they aren’t designated gatekeepers.

However, this doesn’t mean they can disregard the regulation, as inevitable changes in the digital marketplace will affect all businesses that rely on the gatekeepers’ core platform services.

The six gatekeepers and 22 core platform services (CPS) designated by the European Commission. (Source: European Commission)

The regulatory changes aimed at gatekeepers will potentially echo through global digital markets, potentially reshaping business models, partnerships, consumer spending, and competitive dynamics.

The DMA’s emphasis on data portability may require global enterprise brands to be more flexible in enabling customers to move data to other platforms. Even if these brands aren’t directly regulated by the Digital Markets Act, their interfaces with gatekeepers might necessitate this functionality, affecting their technical and compliance requirements. Data portability is also a key user right under many other data privacy regulations around the world.

The data portability requirement also presents opportunities, as it removes some of the friction that keeps users tied to one service. This makes it easier to attract consumers who want to move to another platform. It also incentivizes companies to improve their products, pricing, and customer care to keep customers happy and prevent churn.

The Digital Markets Act encourages gatekeepers to ensure their systems and data are interoperable with those of competitors and business partners. One of the most immediate benefits is that non-gatekeepers could face fewer technical barriers, resource commitments, and costs to integrating their services or apps with those of gatekeeper platforms.

Interoperability can also be a catalyst for innovation. If a company knows that it can easily integrate with another platform, it might be more willing to invest in new, innovative features, knowing that these can be readily adopted at scale. Not to mention significantly expanding offerings to attract new customers with less investment up front.

The mandate for gatekeepers to offer transparent information about ad performance metrics could significantly influence decision-making for global enterprise brands. With more transparent data, these brands can make informed choices about how and where to allocate resources to their advertising and overall business strategies.

Further, the open sharing of ad performance metrics can offer enterprises real-time insights into the effectiveness of their campaigns, enabling brands to optimize their strategies quickly, without resorting to a trial-and-error approach.

Gatekeepers are restricted from combining users’ personal data from a core platform service with personal data from any other service, whether operated by the gatekeeper or a third party, unless they have obtained explicit consent from users. (This is still prohibited for minors and if it would involve sensitive personal data.) This can significantly affect the business operations of global enterprise brands, particularly in how they analyze customer behavior, personalize marketing strategies, and optimize products.

These constraints limit the capacity to aggregate data across different touchpoints, such as mobile apps, websites, and third-party platforms, to create a comprehensive customer profile.

Despite the challenges, these restrictions can also serve as an opportunity for brands to reassess and bolster their data privacy and data governance policies. Brands might turn to data minimization strategies, focusing only on the most essential pieces of data needed to achieve their goals. They might also look at new approaches to reaching their audience, including adopting consent-based marketing techniques.

Using a core platform service to reach an audience may require global enterprise brands to obtain explicit user consent more frequently. This necessitates robust mechanisms to acquire and store consent in a verifiable manner, as well as to be able to signal it to gatekeepers.

However, upholding consent requirements also offers benefits. One notable advantage is improved customer trust. When a brand clearly states how it uses customer data and secures explicit consent, it sends a powerful signal to its customer base that it values and respects their privacy. Enabling granular consent makes consumers feel like they have control over how their data is used. This can be a distinguishing factor that sets a brand apart in crowded markets.

Collecting data based on explicit user consent can also result in higher quality data because users who opt in are more engaged and interested in the brand’s products or services and having input into their offerings and communications, leading to more effective marketing campaigns.

When it comes to data collection, the Digital Markets Act — via gatekeepers’ likely requirements of third parties relying on their platforms — requires a level of responsibility from businesses. One area that demands attention is user consent, which defines the legality and can influence the quality of data gathered. It also sets the tone for user/enterprise interactions. The most desirable and potentially valuable data is consented, granular, high quality, and aligned with privacy regulations.

Under the Digital Markets Act, consent is valid per the GDPR’s specifications when it is freely given, specific, informed, and unambiguous. Global enterprise brands must obtain explicit or opt-in consent from users in the EU/EEA prior to collecting and processing personal data.

The varying levels of opt-in consent rates have distinct implications for business performance and marketing personalization, each offering its unique set of opportunities and challenges.

When fewer people opt to have their data collected, the amount of consented data available is limited. This creates a bottleneck for marketing teams. They have fewer opportunities to segment their audience, which makes it challenging to offer many personalized experiences.

The result is generic marketing messages, lower click-through rates on ad campaigns, and low engagement and high unsubscribe rates from email campaigns.

But while the dataset may be small, it’s not irrelevant. Businesses can still analyze this data and identify any commonalities among the users who have opted in to get value out of the limited dataset.

For instance, if most opt-ins for a global enterprise brand are from a particular country, they can consider geo-targeted promotions to this interested audience, while simultaneously taking steps to improve their overall opt-in rates in other markets.

When opt-in rates are at a moderate level, businesses find themselves with a valuable middle ground. They possess a larger dataset that is both compliant with privacy regulations and rich enough to begin nuanced marketing initiatives. Since a larger number of people have agreed to share their data, businesses can better tailor their ads, messages, and offerings.

For example, a multinational media streaming service could analyze viewing history data from its opted-in user base to identify preferences for certain types of shows or genres. Using this information, the service could create custom playlists or featured content sections that reflect these preferences, enriching the user experience and increasing content consumption rates.

This type of personalization moves beyond general recommendations, offering a more targeted approach that speaks to individual tastes.

A high level of opt-in consent gives a business an expansive, high-quality dataset to work from. Businesses can implement AI and machine learning algorithms that consider hundreds of customer attributes. For instance, a global retailer could use AI to predict stock needs based on historical trends and real-time sales data from various locations around the world, offering location-specific promotions or flash sales.

Businesses can also identify cross-selling or upselling opportunities by analyzing purchase histories and customer interactions. A global software company could recognize that customers who purchased a basic software package often upgrade to a premium service after six months. Accordingly, they can send targeted promotional material for the premium service at the five-month mark.

Under the Digital Markets Act, gatekeepers and global enterprise brands can’t adopt a “growth at all costs” mentality. Instead, they need to align their data collection methods with the regulation to protect user privacy while also maintaining data quality.

To streamline the process of collecting user consent across multiple languages and locations, global brands can implement a website consent management platform (CMP) like Usercentrics CMP. It not only simplifies data management for websites with multi-language and multi-regulation requirements. It also offers integrations with major enterprise software, such as Adobe, Microsoft, HubSpot, and Google products, including Google Ads, Google Analytics, Google Search Console, and Google Tag Manager. This built-in compatibility enables a seamless compliance process across technology platforms.

Usercentrics CMP also comes equipped with a geolocation feature that automatically displays region-specific consent banners, thereby aligning with local data protection laws around the world.

Companies looking to set up or switch to a CMP to get ready for the Digital Markets Act get a 30-day free trial of the Usercentrics CMP.

People are more willing to give their consent if they know exactly how their data will be used. Global enterprise brands should regularly evaluate their privacy and cookie policies, and, if necessary, update them. The policies should be easy to find, both on the website and within or via the consent banner. They should be written in comprehensive and simple language and must clearly specify the types of data being gathered, the purposes for its collection, the duration of its storage, and the parties that may have access to it.

Data privacy laws and regulations are always evolving, and the Digital Markets Act is no exception. In fact, the European Commission has publicized the DMA timeline well beyond the date it came into effect. Article 53 (1) states that by 2026 — and every three years thereafter — the EC will evaluate the DMA regulation and determine whether it needs to modify its rules and obligations. As noted, the list of gatekeepers will also be reviewed.

Global enterprise brands should schedule regular internal audits that focus on data protection impact assessments (DPIA) to evaluate how user data is processed, stored, and shared. This will help ensure that data practices are aligned with the DMA’s rules, even if they change.

No enterprise should do it alone. Professional advice is indispensable when it comes to interpreting complex laws and developing a sound readiness plan, especially for a global enterprise company that must adhere to data protection laws around the world. Companies should consult qualified legal counsel, and employ a Data Protection Officer (required by law in some regions) to oversee data protection and privacy compliance operations.