The Digital Markets Act and legal compliance: A guide for businesses that use core platform services

By March 6, 2024, the designated “gatekeepers” under the Digital Markets Act (DMA) must be ready to comply with the regulation’s requirements for their identified core platform services or risk hefty fines and other penalties.
 
That date doesn’t impact just these large tech companies. Businesses with digital operations in the European Union (EU) and/or European Economic Area (EEA) must also be ready for the Digital Markets Act so they can continue to use the core platform services without interruption

In this article, we examine who the Digital Markets Act applies to, the legal obligations imposed by the regulation, and how businesses can get ready for the DMA.
 

 
It’s important to note that the Digital Markets Act focuses squarely on gatekeepers, who must actively work to meet the obligations set forth by the European Commission (EC). This isn’t to say that business users are off the hook. The regulation will also affect businesses with digital operations that rely on the gatekeepers’ platforms and services to collect and process data from users in the EU and/or EEA.
 
The DMA’s mandates around data privacy have a broad reach, encompassing not just the platforms but also all personal data collected on the platforms. Moreover, gatekeepers often have their own terms of service or contractual agreements that businesses must follow while using their platforms, which may align with the DMA’s requirements on transparency and data protection. Additionally, the European Union and its member states have other data privacy laws that must also be observed, like the General Data Protection Regulation (GDPR).
 
This means that businesses using core platform services can’t afford to be passive observers and must bring their data practices and policies in line with the DMA. This is a necessary step for any business that wants to keep using these services without legal complications or loss of platform access.
 
Although there are several obligations imposed on gatekeepers under the DMA, the following could have direct consequences for businesses who use the core platform services and dictate how they must operate under the DMA law.

 
The Digital Markets Act puts tight controls on the legal bases for gatekeepers to collect personal data, making user consent pivotal to the process. Article 2 (32) of the regulation brings the definition of user consent in line with the definition under the GDPR:
 
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
 
Consent under the Digital Markets Act, therefore, must meet four key criteria: it must be freely given, specific, informed, and unambiguous.
 
Freely given: Consent is freely given if the person giving it has the choice to do so, isn’t pressured, coerced or manipulated into giving it, and won’t be penalized or disadvantaged if they decline. Consent cannot be a condition for accessing a service or product unless the processing of personal data is necessary for that service or product to function. The process for withdrawing consent must be as straightforward as granting it, enabling people to easily change their minds.
 
Specific: Consent is not specific if someone agrees to a vague or overly broad collection of data. Specific consent means that users must agree to each distinct purpose for which their personal data is being collected and processed, and have access to information about each one to make that decision. For example, if a business wants to process an individual’s data for advertising and for analytics purposes, they must obtain separate consent for each of these purposes. If a business wants to use the data for another purpose later on, they have to obtain a new, separate consent that specifically addresses this new use.
 
Informed: For consent to be informed, users must have all the relevant information before making a decision. This includes understanding what data will be collected, for what specific purposes it will be used, and who will have access to it. Users must also be informed about their right to withdraw their consent at any time and the consequences of doing so.
 
Unambiguous: There should be no room for interpretation: consent is unambiguous if the user has clearly agreed to the data processing. Typically, this is done through the user performing an action, such as ticking a box or clicking a button that says, “I agree to the terms and conditions”. Silence, inactivity, scrolling, or pre-selected boxes do not qualify as unambiguous consent.
 
When consent complies with all of the above conditions, it’s a clear and affirmative action under the Digital Markets Act and the GDPR.

 
Businesses that collect and process personal data from users in the EU and/or EEA must collect valid, explicit consent from users. While the obligations, fines, and penalties under the DMA are aimed at gatekeepers, businesses can’t afford to overlook their own data collection practices. Failure to secure valid consent not only risks losing access to the core platform services, but it could also trigger penalties under the GDPR or other laws.

 
The Digital Markets Act has stringent requirements when it comes to combining user data across the different platforms gatekeepers operate and between platforms owned by a gatekeeper and third-party platforms.
 
Article 5 (2) of the DMA specifically states that gatekeepers cannot:

• (a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
• (b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
• (c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
• (d) sign in end users to other services of the gatekeeper in order to combine personal data

unless the end user has been presented with the specific choice and has given valid consent under the GDPR.
 
The goals here are to prevent gatekeepers from gaining an unfair advantage by pooling user data from multiple sources, and to protect user privacy.
 
This provision restricts the ability of both gatekeepers and third-party businesses to use data across multiple platforms to profile customers for targeted advertising. Profiling of minors is already prohibited under the GDPR.
 
However, the Digital Markets Act does not prohibit profiling altogether, and gatekeepers need to be open about how they carry out user profiling. They must provide audited information about the data they collect, how it’s processed, what it’s used for, how long it will be stored for profiling purposes, and the impact of profiling on gatekeepers’ services.
 
Importantly, gatekeepers must also show how they’re making users aware of the profiling, how they’re seeking user consent, and provide users with the option of denying or withdrawing consent for data collection and use for profiling. Personal data of users who deny or withdraw consent cannot be used for profiling.

 
Businesses cannot combine user data from different platforms — even if those platforms are third-party services — for the purposes of profiling without explicit user consent for that specific kind of data sharing.
 
This means businesses need to have systems in place to ensure that user data collected from different platforms remains separate. In essence, the DMA mandates a more transparent and segregated approach to data management for everyone involved.
 
The latter is especially important in light of the DMA’s requirements on interoperability. Gatekeepers must enable users to switch between different services, access and port their data easily, and ensure compatibility and integration with other platforms or services. Businesses and advertisers who have access to user data from multiple platforms cannot combine this data for profiling without valid consent from users.

The Digital Markets Act regulates gatekeepers, and there are no fines under the regulation for other businesses that do not comply. However, there are potential repercussions for businesses that fail to handle user data according to its requirements.
 
Noncompliance may result in limited access to or removal from core platform services, which are often critical channels for businesses to connect with potential customers and drive sales and ad revenue. Businesses can lose access to their data and audience, leading to a loss of revenue as a result of such removal.
 
A different but equally pressing concern is reputational damage. Falling short on the DMA’s data protection rules has the potential to undermine customer trust, which can lead to lower conversion rates, customer churn, and a loss of revenue.

Understanding the Digital Markets Act and how it affects operations and services can help businesses allocate resources — whether in terms of personnel or budget — towards becoming and staying compliant. By doing so, businesses can secure a footing in both legal safety and increased customer trust.
 
Preparing for the Digital Markets Act requires businesses to ensure GDPR- and ePrivacy Directive-compliant user consent collection and signaling of the users’ preferences to websites or apps.

 
Securing valid user consent starts with having a clear, easily accessible privacy policy that explains what data will be collected, how the data will be used, and who may have access to it.
 
Cookie consent banners must also have straightforward language that conveys what data is being collected and for what purpose. These banners must be designed to obtain opt-in consent that’s freely given without using manipulation or misleading language.
 
Businesses looking for a streamlined approach to managing these consent requirements can use a consent management platform (CMP) like Usercentrics CMP. Usercentrics is a Google Consent Mode-certified CMP partner, and the CMP helps businesses collect and document valid user consent to meet regulatory requirements. This helps businesses achieve legal compliance, avoid fines, and maintain customer trust as they grow. Usercentrics CMP integrates with many popular content management systems, streamlining setup.
 
Looking to set up or switch to a CMP to get ready for the Digital Markets Act? Start your free 30-day trial of the Usercentrics CMP.

 
A systematic schedule for internal audits can serve as a safety net to monitor compliance as the DMA and other relevant regulations evolve. These audits should focus on data protection impact assessments (DPIA) to evaluate the specifics of how user data is processed, stored, and shared under the Digital Markets Act.
 
Equally important is assessing the data practices of external partners and vendors. If they’re handling data that originates from a business’s platforms, their data processing policies must also align with regulations. A lapse on their part can have repercussions for the business relationship and potential legal consequences. Many data privacy laws require contracts with third-parties engaged in data processing to outline responsibilities regarding data access, protection and use.

 
Businesses must reexamine their existing marketing strategies in response to the Digital Markets Act’s strict guidelines on user profiling and restrictions on retargeting. Rather than relying on targeting based on combined user data, businesses should adopt consent-based marketing and explore other strategies, including contextual advertising.
 
This shift to context rather than user-specific targeting aligns better with the DMA’s requirement for explicit user consent for data usage. It also offers an avenue for businesses to maintain effective advertising strategies without jeopardizing user trust. Consent-based marketing safeguards user privacy and provides a more transparent interaction between the business and the consumer, potentially leading to stronger and more trustworthy brand relationships.

 
Businesses that collect user data on multiple platforms should prioritize data management strategies that protect user privacy and comply with different regulations. Each step of the data lifecycle — collection, storage, usage, deletion — must be scrutinized to ensure that personal data is protected and not shared with unnecessary third parties or any other unauthorized individuals or companies. Businesses must also ensure that data from different platforms is not combined for profiling and targeted advertising.

Getting everyone in the company on the same page about getting ready for the DMA is a powerful way to make it a part of daily operations and lower the risk of contravening its requirements.
 
Public-facing teams such as marketing, sales, and customer success that share unified messaging about alignment with the DMA strengthen the company’s commitment to user privacy, ethical practices, and legal compliance.
 
To achieve this, internal teams need comprehensive training to understand how to stay on the right side of the Digital Markets Act and have DMA-specific talking points at their fingertips for client meetings and sales presentations.