How the European Digital Markets Act (DMA) impacts user privacy and consent management

The European Digital Markets Act (DMA) is a landmark piece of legislation aimed at promoting fair and competitive digital markets in the European Union. The DMA law sets out a framework for regulating large tech companies, known as gatekeepers, to ensure they do not abuse their market power and to protect user privacy and consent online.

This framework will impose a significant shift for key players in ad tech – the gatekeepers – who will now be accountable to ensure the data they collect has proper user consent, whereas in the past this was the responsibility of the websites that used the gatekeepers’ services.

In this article, we’ll provide a Digital Markets Act summary, exploring the key provisions and the DMA’s impact on organizations and users in the digital space.

The Digital Markets Act (DMA), which came into force on November 1, 2022, is designed to impact competition – namely antitrust issues – consumer protection, and privacy in the digital sector by regulating large online platforms – the gatekeepers.

The DMA imposes restrictions on social networks, search engines, video-sharing platforms, operating systems, cloud computing services, and online advertising services owned by large digital corporations. Because they have a significant impact on the market, these gatekeepers are subject to specific obligations and restrictions to level the playing field for smaller businesses and protect user rights.

For users, it enhances privacy by imposing new data restrictions and allowing them to uninstall preloaded applications.

Innovators and technology start-ups will have new opportunities to compete and innovate in the online platform environment without having to comply with unfair terms and conditions limiting their development.

Consumers will have more and better services to choose from, more opportunities to switch their provider if they wish so, direct access to services, and fairer prices.

Businesses who depend on gatekeepers to offer their services in the single market will have a fairer business environment.

Gatekeepers will keep all opportunities to innovate and offer new services. They will simply not be allowed to use unfair practices towards the business users and customers.

So, who exactly are the gatekeepers? The term gatekeepers refers to the big players in the digital market, such as online platforms and search engines, that have a significant impact on the market and act as intermediaries between businesses and consumers.

The six gatekeepers designated by the European Commission (EC) under the DMA law are:

• Alphabet
• Amazon
• Apple
• ByteDance
• Meta
• Microsoft

In its press release, the EC identifies ‌22 core platform services overseen by these gatekeepers:

• 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
• 2 large communication services (Facebook Messenger and WhatsApp)
• 6 so-called “intermediation” platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
• 1 search engine (Google)
• 2 web browsers (Chrome and Safari)
• 3 online advertising services (Amazon, Google, and Meta)
• 3 most popular operating systems (Google Android, iOS, Windows PC OS)
• 1 video sharing platform (YouTube)

Under the DMA, gatekeepers now have until March 6, 2024, to comply with the full list of do’s and don’ts to ensure fair competition and protect user privacy. These include avoiding unfair practices, providing transparent access to services, and sharing data with business users.

Google has already mentioned they plan to make changes, saying,

“Our goal is to implement modifications that align with the new regulations, while preserving the user experience and delivering valuable, innovative, and secure products for European users” (source: blog.google).

Microsoft accepted its gatekeeper designation, but requested to initiate an investigation into potentially exempting Microsoft’s services such as Bing, Edge, and Microsoft Ads from the DMA.

Apple and TikTok were less welcoming. Apple expressed ongoing concerns regarding DMA privacy and security risks associated with the DMA law (source: Reuters). In a statement, Apple emphasized its commitment to “mitigate these impacts and continue to deliver the very best products and services to our European customers.” TikTok said it “fundamentally disagreed with this decision” and was “disappointed that no market investigation was conducted prior to this decision,” adding it was considering its next steps.

Meanwhile, Meta, the parent company of Facebook and Instagram, launched in October a subscription model for no ads in Europe, “in response to a number of evolving and emerging regulatory requirements in the EU/EEA region”.

Gatekeepers must ensure interoperability with third-party services, allowing them to communicate and integrate with the gatekeeper’s platform. This promotes competition and prevents gatekeepers from favoring their own services over those of competitors. Non-discrimination obligations ensure that gatekeepers treat all businesses and users fairly, without giving preferential treatment to their own products or services.

Gatekeepers must enable users to transfer their personal data from one service to another, known as data portability. This allows users to switch between platforms and maintain control over their data. Gatekeepers are also required to provide real-time access to the data generated by users on their platform to businesses and third parties, upon request.

Gatekeepers must provide a clear and audited description of the techniques used for profiling consumers on their platform. This includes information about the purpose, duration, and impact of profiling, as well as steps taken to seek user consent or provide options for denying or withdrawing consent. Transparency ensures that users are aware of how their data is being used and gives them greater control over their privacy.

In addition to its focus on fair competition and user privacy, the DMA law also includes provisions related to DMA advertising. These provisions aim to ensure transparency and accountability in the advertising ecosystem. Two key articles in the DMA address the needs of advertisers and publishers:

Under this article, gatekeepers are required to provide clear and transparent pricing information to advertisers and publishers. This ensures that all stakeholders have access to relevant information about advertising costs, allowing for informed decision-making and fair competition. Advertisers and publishers can rely on this information to plan and optimize their advertising strategies effectively. (Source: DMA recital 45; article 5.9)

Article 6(g) of the DMA focuses on measurement and verification tools. Gatekeepers are mandated to provide advertisers and publishers with access to reliable and independent tools for measuring and verifying the performance of their advertising campaigns. This helps to establish trust and accountability in the advertising ecosystem, allowing stakeholders to assess the effectiveness and impact of their advertising efforts accurately. (Sources: DMA article 6.8; Annex A.1)

While the Digital Markets Act (DMA) primarily targets the six designated “gatekeeper” companies, it’s important to recognize that the impact extends beyond them. All companies operating digitally within the EU and relying on the platforms and services of these tech giants will also be affected.

For these companies, the DMA represents a significant wake-up call. It introduces the fundamental principle: no consent, no revenue. Compliance entails obtaining explicit consent from users before processing their personal data. However, the requirements go further. Gatekeepers are likely to demand that companies utilizing their services for advertising, e-commerce, analytics, and more adopt consent management processes that align with DMA regulations.

Non-compliance with the DMA poses a substantial financial risk for gatekeepers. Yet, third-party companies face equally significant consequences. Failing to comply could result in the loss of valuable data, audience, revenue, and brand reputation. Access to the user base, data, and services provided by gatekeepers such as Google, Meta, and others would be at stake.

The DMA has significant implications for user privacy and consent management. It introduces restrictions on the legal bases gatekeepers can rely on to process personal data, limiting them to specific legal grounds such as user consent, legal obligations, vital interests, or tasks in the public interest.

The DMA’s focus on obtaining explicit consent aligns with the principles of consent marketing, which emphasizes obtaining permission from individuals before using their personal information for marketing purposes. By requiring explicit user consent when processing personal data, the DMA safeguards user privacy and ensures that individuals have the power to decide how their data is used.

Gatekeepers must obtain user consent for processing personal data in certain cases, such as for online advertising purposes or combining personal data from different services.

The DMA law outlines requirements for obtaining valid consent, including informing users of the consequences of not giving consent and prohibiting deceptive practices (dark patterns) that manipulate users into giving consent.

The DMA mandates that gatekeepers share personal data with businesses operating on their platform and with advertising companies, upon request. This allows businesses to access and use user data to provide personalized services and targeted advertising.

However, gatekeepers must ensure that data sharing is done on fair, reasonable, and non-discriminatory terms, protecting user privacy and preventing misuse of personal data.

One of the key provisions of the DMA law is the requirement for gatekeepers to enable data portability, allowing users to transfer their personal data to other platforms or services. This empowers users to exercise greater control over their data and facilitates competition by enabling users to switch between platforms without losing their data.

Transparency is a fundamental aspect of the DMA, ensuring that users are informed about how their data is processed and giving them the ability to make informed choices.

Gatekeepers must provide clear information about their profiling techniques and obtain user consent for targeted advertising. Users should have the option to deny or withdraw consent and should not be subjected to deceptive practices.

The DMA law mandates gatekeepers to ensure websites and/or companies using their services to collect, manage, and record user consent in a transparent and user-friendly manner. How gatekeepers will achieve this and which legal and technical requirements they will define for advertisers is yet to be determined.

However, we can already understand that users of gatekeepers’ services (e.g. websites, apps and the companies behind those) will play a pivotal role in collecting appropriate consents, even if they’re not the ones ultimately liable for DMA privacy compliance.

Consent management platforms (CMP) like Usercentrics CMP or Cookiebot™ consent solution are already indispensable for businesses to collect appropriate consents for data collection.

As an important part of the DMA privacy ecosystem and the owner of both consent management solutions mentioned earlier, Usercentrics will closely monitor future developments and work to ensure that our solutions remain in line with the implications of the Digital Markets Act (DMA) and other relevant legislation that may emerge or evolve.

While the DMA law aims to protect user privacy and promote fair competition, it also presents challenges for gatekeepers and regulators. Gatekeepers will need to adapt their data processing practices, implement technical changes, and ensure compliance with the DMA’s provisions. Regulators will play a crucial role in enforcing the DMA and ensuring that gatekeepers adhere to their obligations.

The Digital Markets Act represents a significant step towards protecting user privacy and promoting fair competition in the digital sector. By imposing obligations on gatekeepers and enhancing user control over personal data, the DMA law aims to create a more transparent and user-centric digital ecosystem.

As gatekeepers and regulators navigate the implementation of the DMA privacy law, it’s essential to strike a balance between competition, innovation, and user privacy rights.

We’ll make sure to keep you informed about DMA privacy changes as they happen. If you want to receive digital markets act summary updates on matters of consent management straight to your inbox, make sure to subscribe to our newsletter.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.