The Digital Services Act package was developed by the European Commission to address an array of concerns about the dominance and influence of big tech companies, the competitive landscape and data privacy. The Digital Services Act and Digital Markets Act, two regulations included in the Digital Services Act package, came into effect in November 2022. These Acts cover digital platforms and services, and the markets they power, in the European Union and European Economic Area. It does not matter if the companies affected are headquartered elsewhere if they have operations and users in the EU.
European companies are familiar with digital regulation and data privacy initiatives by now, with the General Data Protection Regulation (GDPR) in force since 2018, along with additional regional and national laws that have been passed.
But the digital landscape, especially for businesses, is different in the US. There is no federal-level data privacy law and the first state-level law was only implemented in California in 2020. Over a dozen more states have followed since, but US data privacy laws have, to date, followed a different model than is used in Europe and many other countries. US laws tend to use an “opt out” model, where user consent to collect and process personal data is not required in many cases. Consumers’ consent only needs to be obtained to share, sell or use personal data for other business purposes, or, in some cases, to collect specific kinds of data.
So what do the Digital Services Act (DSA) and Digital Markets Act (DMA) mean for US companies? For businesses that don’t have European operations, use the identified core platform services, and collect and process the personal data of EU residents, the Acts may not apply directly with regard to factors like consent management.
However, there could be plenty of indirect effects, including influence on pricing of services or imports as EU companies work to manage and recoup the cost of compliance requirements, like investment in IT and staffing.
Additionally, in digital markets, users and customers can be anywhere in the world, as more companies than ever before are global, and the gatekeepers, VLOPs and VLOSEs most certainly have global reach. So there is a strong likelihood that many companies will need to be prepared for DSA and/or DMA compliance by March 6, 2024, when enforcement begins, or before, depending on requirements handed down by gatekeepers to third parties using their platforms.
What are digital services and markets?
For the purposes of these regulations, digital services include large categories of services online that companies and consumers access. They range from basic websites, to tools like search engines, to massive online platforms for social networking, ecommerce, and more. They also include the infrastructure services that help drive the digital ecosystem.
Many of these platforms and services function as intermediaries between consumers and companies. Consumers use these platforms for everything from posting photos and listening to music, to selling crafts, buying clothes, or booking travel. Many companies around the world use these platforms to access these audiences, to sell them products and services, show them ads, to access their personal data, and for other reasons.
Digital markets are the commerce-centric side of this ecosystem, centered around businesses that are dominated by the largest players with enormous audiences, reach, data processing operations and revenues. Companies that want to advertise with Google or Facebook, sell on Amazon, get their apps into Apple’s App Store, etc. want access to digital markets, which are to a considerable degree controlled by gatekeeper companies today. The Digital Markets Act aims to address concerns with the control these companies have in the EU and EEA and potential effects on stifling competition and innovation.
What is the Digital Services Act (DSA)?
The Digital Services Act focuses on a wider range of digital intermediary services than the Digital Markets Act does (that law primarily targets only six influential “gatekeepers”). The DSA is aimed at very large online platforms (VLOPs) and very large online search engines (VLOSEs). The law imposes strict requirements on them, aiming to address risks to consumers and society posed by their operations, as well as protect and enhance consumers’ rights, including those of minors and with particular regard for data privacy.
Beyond the VLOPs and VLOSEs, the DSA applies to all digital services that connect consumers to content, goods and services online. Digital platforms have new obligations to assess and counter risks, reduce harms, protect users’ rights online, and meet broader transparency and accountability responsibilities in their European operations. These rules are meant to be uniform across the EU and provide new and additional protections to users and clear responsibilities and legal certainties to companies.
There have been growing concerns in the EU regarding the size and influence of online platforms at a societal level, particularly with regards to political discussions and election information, disinformation and the dissemination of fake news, and the spread of hate speech.
The goal of the DSA is to make online spaces safer and protect consumers’ and users’ rights by making VLOPs and VLOSEs more responsible for content published and shared via their platforms and services. While requirements of the law are only applicable in the EU and EEA at present, as most of the companies affected are US-based, it’s possible for required changes to influence operations more globally over time, especially as data protection and privacy laws are passed in more countries.
Which companies were designated as Very Large Online Platforms (VLOPs) under the Digital Services Act?
On April 25, 2023, the European Commission designated the following 17 companies as VLOPs under the DSA, those with more than 45 million monthly active users. Zalando is based in Germany. Alibaba’s AliExpress and TikTok (parent company ByteDance) are Chinese-based. The other 14 companies are based in the United States, but with global reach. These US companies are significantly affected by the DSA and/or DMA.
Facebook and Instagram are both owned by Meta, and Google Play, Google Maps, Google Shopping and YouTube are all owned by Alphabet. LinkedIn is owned by Microsoft. Wikipedia is the only organization on the list of VLOPs that is a nonprofit. Apple, Alphabet and Microsoft are, as of 2023, the three most profitable companies in the world. While the regulations are European, their effects will be felt by the largest and most influential tech companies in the world, based in the United States.
All six of the companies designated as gatekeepers to date under the Digital Markets Act are included in the VLOPs list: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.
- Alibaba AliExpress
- Amazon Store
- Apple App Store
- Google Play
- Google Maps
- Google Shopping
- X (Twitter)
Which companies were designated as Very Large Online Search Engines (VLOSEs) under the Digital Services Act?
Also on April 25, 2023, the European Commission designated two search engines, also with at least 45 million monthly active users, as Very Large Online Search Engines (VLOSEs):
- Google Search
- Bing
Both these products come from US-based companies as well. Google Search is another Alphabet product, and Bing is owned by Microsoft. Google has by far the largest global share of the search market, between 80%+ and 90%+, depending on the reporting source. Bing, by contrast, tends to be reported as having, at most, a little over 9% of the market. Yahoo and Baidu come in as number 3 and 4, swapping places depending on the source. Baidu is the most popular search engine in China. Of the four, Baidu is the only non-American offering.
What are the requirements of the Digital Services Act?
The companies with the targeted online platforms were required to publish their active user numbers by February 17, 2023. User numbers are a key metric to determine digital platforms’ reach and VLOP/VLOSE designation — more than 45 million active monthly users, or 10% of Europe’s population.
Those companies had four months to comply with DSA obligations. One of those included carrying out the first annual risk assessment and providing the European Commission with the information.
This involved identifying, analyzing and working to mitigate a wide variety of systemic risks. Such risks included amplification of disinformation on their platforms and services, the presence and dissemination of illegal content, as well as impacts on media freedom and freedom of expression. There are also concerns about more specific risks online, which is where the mitigation requirements are focused. These include groups and areas like the protection of minors and especially their mental health, and addressing gender-based violence.
Designated platforms and search engines are also required to have risk mitigation plans, which are subject to European Commission oversight and independent auditing.
These issues continue to grow around the world, not just in Europe, so there would be significant future value to expanding the mitigation requirements for digital platforms in the EU to the US and elsewhere where these companies operate.
Which undesignated companies are affected by the Digital Services Act?
US companies need to be familiar with and prepared to meet compliance requirements if they:
- have digital business operations and users in the EU and EEA
- use the platforms and services of designated VLOPs and/or VLOSEs
- engage in activities where the issues addressed by the law can happen, including sales and information dissemination
How are undesignated companies affected by the Digital Services Act?
Companies affected by the DSA need to invest in and have processes in place for functions like:
- content moderation
- handling user complaints
- transparency of algorithms
- cooperation with and reporting to authorities
- measures to prevent the spread of illegal content
These functions can be very challenging, especially at scale, and can require significant financial, legal and resource investment. So it makes sense, once built out and maintained, to leverage the investment more broadly internationally, especially as these efforts can also increase user trust and safety, safeguard against violating other laws and drawing authorities’ scrutiny, and ultimately benefit businesses as they create a more secure online environment for their users and the growth of their business.
How are consumers affected by the Digital Services Act?
The DSA will affect pretty much anyone active online in the EU/EEA, and the implications are generally considered positive.
Users will gain a better understanding of why certain content is suggested to them, and they can opt out of profiling. This shift toward centering users’ rights enables individuals to challenge platform decisions on the content they serve and service access.
The DSA places a strong focus on ensuring online safety for users. Digital service providers are responsible for preventing illegal content from being published and disseminated on their platforms, and illegal products or services from being sold. Hate speech, misinformation and promotion of illegal products or services need to be removed and prevented from spreading. Users can expect safer digital environments and less exposure to harmful content.
Accountability and transparency
Users get clearer policies from platforms and for their services, including information on AI and human roles. Platforms also have to notify users of significant changes in terms and apply rules fairly, and respect users’ rights and freedom of expression in content moderation (while still controlling for hate speech, misinformation, etc.).
More transparent and user-centric advertising
The DSA strengthens user rights with regards to digital advertising. It prohibits targeted ads based on sensitive data, or toward minors. It requires clear labeling, disclosure of promoting companies, and explanations for ad targeting. Users need to be able to clearly distinguish between sponsored and regular content.
Reduction in illegal content
The DSA’s main objective is to reduce illegal content online, ranging from threats and hate speech to sale of counterfeit goods and unlawful materials. The law aims to make digital platforms safer and curtail harmful textual content or products.
How will the Digital Services Act be enforced?
Multiple entities will be involved in DSA enforcement, in what is being referred to as a pan-European supervisory architecture. The European Commission is the competent authority for supervision of the designated platforms and services. The Commission will also work closely within the supervisory framework with the Digital Services Coordinators. The national authorities are responsible for supervising smaller platforms, search engines, etc., and need to be ready to do so by February 17, 2024 (the same date as for compliance obligations).
The Commission has launched the European Centre for Algorithmic Transparency (ECAT), which will provide assessment support, such as determining whether algorithmic systems are meeting risk management obligations. The Commission is also bringing together expertise from a number of relevant sections to create a digital enforcement ecosystem to address evolving challenges. Should the US decide to enact comparable laws in the future, by then the Commission and EU authorities will have built out a robust and replicable model of enforcement and management.
What is the Digital Markets Act?
The Digital Markets Act is a regulation that applies to large tech companies operating in the European Union and European Economic Area. It aims to improve fairness, innovation, and foster competition with smaller digital companies. It requires increased transparency, data sharing, and platform interoperability. It also increases user choice and data privacy.
Six companies have been designated as gatekeepers by the European Commission, with specific obligations under the law. Five of the six are US-based. The companies included on this list may change over time. The Commission has also identified 22 core platform services (CPS) owned and operated by these companies, including search engines, social networking platforms, advertising services, and more. These services have millions of third-party business customers in the EU and globally that rely on them for advertising, analytics, audience access, ecommerce, etc.
The DMA law creates new responsibilities for the gatekeepers to enable greater transparency and a more competitive landscape with smaller companies using their platforms and services, and that collect and process user data in the EU. DMA enforcement will begin on March 6, 2024. The gatekeepers also have to provide better access to data generated on their platforms and enable better portability and interoperability, which will benefit both third-party companies and consumers. The DMA also has provisions for data protection and user privacy, which include and extend requirements of the GDPR.
What are the requirements of the Digital Markets Act?
The Digital Markets Act levies a variety of requirements on the gatekeepers, some of which will directly affect third parties, and some of which will have more relevance to consumers.
Interoperability and non-discrimination
Gatekeepers will have to ensure greater interoperability of their platforms and services with those of smaller third-parties, including integrations, communications, and data flow. Gatekeepers can’t favor their services or those of preferred partners over other companies. Non-discrimination obligations require all companies doing business with gatekeepers to be treated fairly, with equal access to services, data, and not limited by algorithms, etc. All of these requirements are to foster greater innovation and competition.
Data access and portability
Data generated and stored on gatekeepers’ platforms must not only be more accessible to third parties in real-time, but users must have access to their data, by request, in a portable format to enable transferring it from one platform to another.
Profiling and transparency
There are new restrictions and prohibitions on profiling on gatekeepers’ platforms. This is the practice of compiling data on consumers — often from multiple sources — to more accurately categorize them by demographic information, interests, and other factors that better enable companies to target specific audience segments.
Gatekeepers must provide clear, audited descriptions of profile techniques used on consumers. This includes purpose, duration, and potential impacts of profiling. Data from multiple gatekeepers’ platforms cannot be combined for profiling purposes, however.
Steps taken to obtain user consent and options to deny or withdraw consent must also be included. These requirements help to ensure that consumers are educated about how their data is used, and know what their rights are and how they can control access to it. Profiling of minors, or profiling that uses sensitive data, is prohibited under the Digital Markets Act.
Because of consent requirements, gatekeepers will have requirements for third parties using their platforms to obtain valid consent from users and provide them with information about data processing.
Privacy and consent
The Digital Markets Act introduces restrictions on the legal bases that gatekeepers can use to process personal data — these are also required by the GDPR — and puts a focus on the legal basis of obtaining explicit user consent in many cases. This aligns with the evolution of consent marketing. Since user data, once collected, usually becomes part of an ecosystem, gatekeepers not only need to obtain consent, but ensure that companies using their platforms and services do as well, and that they’re able to signal consent to the gatekeepers.
Which companies are designated gatekeepers by the Digital Markets Act?
As of September 2023, the six gatekeeper companies as designated by the European Commission are:
- Alphabet (Google, YouTube, Android)
- Amazon (Marketplace)
- Apple (iOS, App Store)
- ByteDance (TikTok)
- Meta (Facebook, Instagram, WhatsApp)
- Microsoft (Windows PC OS, LinkedIn)
Of these companies, only ByteDance, as a Chinese-based company, is not American. While the US operations of these companies may be reluctant to adopt the DMA requirements with US business operations, it’s not hard to see why doing so would be an attractive prospect for US-based third-party companies using their platforms, as it could provide significant competitive advantages. It would also be attractive for US-based online consumers, who would benefit from greater control over their online activities, better privacy protections, and access to innovative new products and services and lower prices.
Which non-gatekeeper companies are affected by the Digital Markets Act?
While not all of the gatekeepers have announced measures or requirements of third parties, the DMA effect will be on companies that:
- have digital business operations in the EU and/or EEA
- use the gatekeepers’ platforms and services for advertising, analytics, ecommerce, etc.
- collect and process user data from EU/EEA residents
- provide products or services to consumers to or from which users could port their data
While some of these affected companies may be EU-based only, it’s quite likely that the new rules will affect the EU operations of many US-based companies with EU operations and customers.
How are non-gatekeeper companies affected by the Digital Markets Act?
Again, while not all of the gatekeepers have announced new requirements for companies that rely on their platforms and services, changes are likely. While relevant third-party companies should already have consent management solutions in place to comply with the GDPR and/or other laws, not all of them will yet, and so this is likely to be a significant requirement.
Affected companies will need to be up to date on their data processing activities, including what data is collected, where, and by what means. This is an important step for all companies, even separate from privacy law compliance. They’ll need to ensure that they provide the required notifications to users and mechanisms to exercise their rights, whether that’s consenting to data use, or changing, withdrawing, or rejecting it.
Companies will need to be careful how they use data, to ensure they do not use sensitive data, data from minors, or data from multiple platforms for prohibited purposes, like potentially profiling or retargeting. Similar requirements apply under a number of US privacy laws as well, so companies can benefit from looking into global compliance with stricter laws that may then protect them from other international laws that get passed.
Companies may also need to ensure their own interoperability with other platforms and services, and ensure that users can transfer their data to and from them. A particular consideration here is where data gets stored, as there are concerns under a number of laws about international data transfers, and with many of these US-based large tech companies, data centers may be located outside of the EU.
Most excitingly, third-party companies need to be ready to take advantage of the requirements for increased transparency and competitive opportunities with the gatekeepers, and to embrace the access to data, operating information, and potential access to smarter strategies and even larger audiences to spur innovation and competitive advantages in digital markets. It’s entirely possible new strategies and tactics that benefit these companies in the EU could be rolled out in the US and elsewhere to spur further growth.
How are consumers affected by the Digital Markets Act?
From a data privacy perspective, the GDPR should already be providing many of the protections and options consumers get under the DMA. But the new regulation strengthens consumers’ rights to privacy and to controlling use of their data online. Consumers have the right to consent to data use broadly or at a granular level, to deny consent, withdraw it in the future, or change the uses to which they consent. These options must be provided by all companies wanting to use personal data online that belongs to users in the EU.
The DMA provides for fewer legal bases for access to consumers’ data, so consent becomes even more important. There are also more restrictions on the ways that companies can use data to target users for advertising and other sales or marketing purposes.
EU consumers will see more options and freedom in their use of digital platforms and services, and more control over their experiences with them, e.g. the ability to remove pre-installed software. They’ll also be able to port their data to different services and apps more easily, making it easier to move one’s profiles and user history to new platforms or tools.
Users should also see more innovation in the platforms they use, and better prices, as innovation helps to lower costs, and increased competition forces companies to cater more to their audiences in order to retain them and grow. Consumers in other markets, particularly one the size of the US, may put pressure on tech companies for access to similar advantages once they become aware of benefits EU users have.
Conclusions and future implications of the Digital Services Act package for US businesses
The Digital Services Act and Digital Markets Act are still being figured out in terms of application, enforcement, and other considerations. Change is likely, and could include the lists of affected companies growing or changing, as well as the affected platforms and services and downstream effects on users. We do know that these laws will affect US-based companies, even if they don’t affect US operations today. However, it would be reasonable to expect benefits from the investments to comply with these laws to trickle down, especially if they’re seen to benefit audience growth, competitive advantages, and revenue.
As we have seen with the GDPR and other laws, there are likely to be significant fines and penalties for companies that violate these laws, and over time affected companies will fall in line more to achieve compliance. Data protection, user privacy and consent-based marketing can be expected to continue to grow in prominence and importance for companies that want to grow and maintain good relationships with their customers.
It may take time, but change in digital markets should come with increased transparency and encouragement of competition and innovation, which will benefit consumers and smaller companies, and force gatekeepers to work harder to provide platforms and services that people want, and not just rely on their size, revenues, lobbying power, and market dominance to stay on top. These changes are likely to have global effects, especially with the continued expansion of privacy law coverage.
As the GDPR has been influential on other data privacy laws around the world, it will be interesting to see what influence the DSA and DMA have on digital markets and their regulation in the coming years. The US is still significantly behind many other countries when it comes to data privacy and consumer protection. Companies adopting compliant consent management practices will also benefit from improved brand reputation and increased trust with their users, which will help to increase engagement and revenue long-term.