How the European Digital Markets Act (DMA) impacts user privacy and consent management

The European Digital Markets Act (DMA) is a landmark piece of legislation aimed at promoting fair and competitive digital markets in the European Union. The DMA law sets out a framework for regulating large tech companies, known as gatekeepers, to ensure they do not abuse their market power and to protect user privacy and consent online.

This framework will impose a significant shift for key players in ad tech – the gatekeepers – who will now be accountable to ensure the data they collect has proper user consent, whereas in the past this was the responsibility of the websites that used the gatekeepers’ services.

In this article, we’ll provide a Digital Markets Act summary, exploring the key provisions and the DMA’s impact on organizations and users in the digital space.

The Digital Markets Act (DMA), which came into force on November 1, 2022, is designed to impact competition – namely antitrust issues – consumer protection, and privacy in the digital sector by regulating large online platforms – the gatekeepers.

The DMA imposes restrictions on social networks, search engines, video-sharing platforms, operating systems, cloud computing services, and online advertising services owned by large digital corporations. Because they have a significant impact on the market, these gatekeepers are subject to specific obligations and restrictions to level the playing field for smaller businesses and protect user rights.

For users, it enhances privacy by imposing new data restrictions and allowing them to uninstall preloaded applications.

Innovators and technology start-ups will have new opportunities to compete and innovate in the online platform environment without having to comply with unfair terms and conditions limiting their development.

Consumers will have more and better services to choose from, more opportunities to switch their provider if they wish so, direct access to services, and fairer prices.

Businesses who depend on gatekeepers to offer their services in the single market will have a fairer business environment.

Gatekeepers will keep all opportunities to innovate and offer new services. They will simply not be allowed to use unfair practices towards the business users and customers.

So, who exactly are the gatekeepers? The term gatekeepers refers to the big players in the digital market, such as online platforms and search engines, that have a significant impact on the market and act as intermediaries between businesses and consumers.

The six gatekeepers designated by the European Commission (EC) under the DMA are:

• Alphabet
• Amazon
• Apple
• ByteDance
• Meta
• Microsoft

In its press release, the EC identifies ‌22 critical platform services overseen by these gatekeepers:

• 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
• 2 large communication services (Facebook Messenger and WhatsApp)
• 6 so-called “intermediation” platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
• 1 search engine (Google)
• 2 web browsers (Chrome and Safari)
• 3 online advertising services (Amazon, Google, and Meta)
• 3 most popular operating systems (Google Android, iOS, Windows PC OS)
• 1 video sharing platform (YouTube)

Under the DMA, gatekeepers now have until March 6, 2024, to comply with the full list of do’s and don’ts to ensure fair competition and protect user privacy. These include avoiding unfair practices, providing transparent access to services, and sharing data with business users.

Google has already mentioned they plan to make changes, saying,

“Our goal is to implement modifications that align with the new regulations, while preserving the user experience and delivering valuable, innovative, and secure products for European users” (source: blog.google).

Microsoft accepted its gatekeeper designation, but requested to initiate an investigation into potentially exempting Microsoft’s services such as Bing, Edge, and Microsoft Ads from the DMA.

Apple and TikTok were less welcoming. Apple expressed ongoing concerns regarding privacy and security risks associated with the DMA law (source: Reuters). In a statement, Apple emphasized its commitment to “mitigate these impacts and continue to deliver the very best products and services to our European customers.” TikTok said it “fundamentally disagreed with this decision” and was “disappointed that no market investigation was conducted prior to this decision,” adding it was considering its next steps.

Meanwhile, Meta, the parent company of Facebook, stated that it’s currently evaluating the commission’s designation.

Gatekeepers must ensure interoperability with third-party services, allowing them to communicate and integrate with the gatekeeper’s platform. This promotes competition and prevents gatekeepers from favoring their own services over those of competitors. Non-discrimination obligations ensure that gatekeepers treat all businesses and users fairly, without giving preferential treatment to their own products or services.

Gatekeepers must enable users to transfer their personal data from one service to another, known as data portability. This allows users to switch between platforms and maintain control over their data. Gatekeepers are also required to provide real-time access to the data generated by users on their platform to businesses and third parties, upon request.

Gatekeepers must provide a clear and audited description of the techniques used for profiling consumers on their platform. This includes information about the purpose, duration, and impact of profiling, as well as steps taken to seek user consent or provide options for denying or withdrawing consent. Transparency ensures that users are aware of how their data is being used and gives them greater control over their privacy.

The DMA has significant implications for user privacy and consent management. It introduces restrictions on the legal bases gatekeepers can rely on to process personal data, limiting them to specific legal grounds such as user consent, legal obligations, vital interests, or tasks in the public interest.

The DMA’s focus on obtaining explicit consent aligns with the principles of consent marketing, which emphasizes obtaining permission from individuals before using their personal information for marketing purposes. By requiring explicit user consent when processing personal data, the DMA safeguards user privacy and ensures that individuals have the power to decide how their data is used.

Gatekeepers must obtain user consent for processing personal data in certain cases, such as for online advertising purposes or combining personal data from different services.

The DMA outlines requirements for obtaining valid consent, including informing users of the consequences of not giving consent and prohibiting deceptive practices (dark patterns) that manipulate users into giving consent.

The DMA mandates that gatekeepers share personal data with businesses operating on their platform and with advertising companies, upon request. This allows businesses to access and use user data to provide personalized services and targeted advertising.

However, gatekeepers must ensure that data sharing is done on fair, reasonable, and non-discriminatory terms, protecting user privacy and preventing misuse of personal data.

One of the key provisions of the DMA is the requirement for gatekeepers to enable data portability, allowing users to transfer their personal data to other platforms or services. This empowers users to exercise greater control over their data and facilitates competition by enabling users to switch between platforms without losing their data.

Transparency is a fundamental aspect of the DMA, ensuring that users are informed about how their data is processed and giving them the ability to make informed choices.

Gatekeepers must provide clear information about their profiling techniques and obtain user consent for targeted advertising. Users should have the option to deny or withdraw consent and should not be subjected to deceptive practices.

The DMA mandates gatekeepers to ensure websites and/or companies using their services to collect, manage, and record user consent in a transparent and user-friendly manner. How gatekeepers will achieve this and which legal and technical requirements they will define for advertisers is yet to be determined.

However, we can already understand that users of gatekeepers’ services (e.g. websites, apps and the companies behind those) will play a pivotal role in collecting appropriate consents, even if they’re not the ones ultimately liable for DMA compliance.

Consent management platforms (CMP) like Usercentrics CMP or Cookiebot™ consent solution are already indispensable for businesses to collect appropriate consents for data collection.

As an important part of the privacy ecosystem and the owner of both consent management solutions mentioned earlier, Usercentrics will closely monitor future developments and work to ensure that our solutions remain in line with the implications of the Digital Markets Act (DMA) and other relevant legislation that may emerge or evolve.

While the DMA aims to protect user privacy and promote fair competition, it also presents challenges for gatekeepers and regulators. Gatekeepers will need to adapt their data processing practices, implement technical changes, and ensure compliance with the DMA’s provisions. Regulators will play a crucial role in enforcing the DMA and ensuring that gatekeepers adhere to their obligations.

The Digital Markets Act represents a significant step towards protecting user privacy and promoting fair competition in the digital sector. By imposing obligations on gatekeepers and enhancing user control over personal data, the DMA aims to create a more transparent and user-centric digital ecosystem.

As gatekeepers and regulators navigate the implementation of the DMA privacy law, it’s essential to strike a balance between competition, innovation, and user privacy rights.

We’ll make sure to keep you informed about these changes as they happen. If you want to receive DMA updates on matters of consent management straight to your inbox, make sure to subscribe to our newsletter.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.