Privacy and compliance in the digital age: How the DMA affects your online experience

We create over 300 million terabytes of data every day online. The amount of global data generated annually increased by 23.71% in 2023, and it’s expected to increase by similar amounts in 2024 and 2025.

A lot of this information is created by and about us and our online activities. Users increasingly want transparency about how organizations are collecting, sharing and using this information. A survey of nearly 17,000 consumers worldwide showed that:

• 74% feel companies collect more personal information than they need
• 64% believe most companies aren’t transparent about how they use personal information
• 79% are more likely to trust a company if it clearly explained how it was using the data

The boundless collection of data opens the door to potential privacy violations, which has led to the establishment of data privacy laws around the world to safeguard user privacy rights.

Among them is the Digital Markets Act (DMA), which came into force on November 1, 2022. The DMA’s focus is to regulate large online platforms and address issues related to competition, consumer protection, and privacy in the digital sector.

In this article, we examine how the privacy and compliance requirements of the DMA can impact users’ experiences online, and the steps users can take to further protect their personal data.

The Digital Markets Act (DMA) is a regulatory framework aimed at imposing stricter regulations on big tech companies that it has designated as “gatekeepers“ to promote a fair and competitive digital environment, restrict unfair practices by these gatekeepers, and protect the rights and interests of small businesses and consumers online.

The DMA impacts users in the European Union (EU) and/or European Economic Area (EEA), as well as companies that cater to users in these regions.
The designated gatekeepers under the DMA are:

• Alphabet (Google, YouTube, Android)
• Amazon
• Apple (iOS, App Store)
• ByteDance (TikTok)
• Meta (Facebook, Instagram, WhatsApp)
• Microsoft (LinkedIn, Windows PC OS)

The European Commission has also identified 22 of what they refer to as “core platform services” (CPS) owned and run by the gatekeepers, which are affected by the DMA law. These include social media networks, search engines, browsers, operating systems and messaging services with millions or billions of users.

More companies may be designated as gatekeepers, and more digital services may be included in this list of CPS in time.

The core platform services cover a wide range of activities that people perform online every day. As a result, the data they generate and that gets processed by these companies. Many people are not aware of how much data that they generate, or what kinds, get collected and used by companies.

Online ads
Social media platforms generate billions of dollars in revenue from online advertising, and the DMA mandates that these platforms must obtain explicit user consent from EU residents before processing personal data for use in online advertising.

This means the platforms will need to have clear, user-friendly consent mechanisms in place and be transparent about their data processing practices. It also means informing users that they have the option to decline or withdraw consent and how that would affect their experience on the platform.

This will enable users to have control over their data and make informed decisions about whether to consent to their data being collected and how it may be used. For example, users can consent to receiving targeted ads based on their data, or they’ll receive ads that may not be relevant to them.

Combining personal data

Many of the gatekeepers have multiple core platforms that fall under the DMA, and users might use several of these. The DMA prohibits gatekeepers from combining personal data collected in one platform with personal data collected in another, or with personal data collected via another service provided by them or third parties they do business with.

For example, this means that Meta, which owns Facebook, Instagram and WhatsApp (all core platform services under the DMA), can’t combine personal data from a user who uses two or all three platforms, as could be done for profiling.

Switching platforms

The DMA requires gatekeepers to enable data portability, which is a right under a number of data privacy laws. If a user wants to move to another social media platform, they can request their personal data in a usable format and transfer it to the other platform without penalty, giving them the freedom to choose the best service providers for their needs.

Fair competition

Google Search is the only online search engine to be designated a core platform service by the DMA at this time, and there could be significant changes for users based on changes that Google will have to make.

A critical change could be what Google Search returns in the rankings. The DMA mandates that gatekeepers can’t favor their own services over those of others. This means that Google can’t prioritize its own products in search rankings by default, such as Google Analytics over other analytics platforms when displaying results for a product search.

Switching search engines

Just as social media users have the option to easily change platforms, users have the option to switch to another search engine. Under the DMA’s data portability requirement, Google must provide users with the ability to transfer their data from Google Search to another search engine. For instance, a user’s search history or preferences on Google Search could be transferred to another search engine like Bing or DuckDuckGo, ensuring continuity of user experience.

Explicit consent

Gatekeepers will need to obtain explicit consent from users on all websites and platforms where they display ads, whether their own or third-party platforms. In line with the General Data Protection Regulation (GDPR), the DMA mandates that consent cannot be assumed through pre-ticked boxes or inactivity. Gatekeepers, and the businesses that use their services to advertise, will need to present a clear choice to users, usually through a cookie consent banner asking for permission to collect certain types of data. There are also new restrictions on advertising-related functions, like profiling and retargeting.

Transparency

Transparency goes hand-in-hand with explicit consent, because users must know what they are consenting to and what options they have. Instead of burying these details in lengthy terms and conditions, they’ll need to have a privacy policy and cookie policy that’s easy to understand and access. This will help them take steps to ensure that users aren’t just blindly clicking ‘Agree,’ but are making an informed decision about their data.

Combining personal data

Another way the DMA aims to strengthen user privacy is to restrict how core platform services share and use the data they collect from users. Previously, if someone liked a page related to “home gyms” on Facebook, they might have started seeing ads for fitness gear on Instagram. With the DMA rules, Meta—which owns both Facebook and Instagram—can’t freely share data between the two platforms to curate ads without the user’s explicit permission to do so.

Liking a health and wellness page on Facebook will no longer lead to a flood of protein shake ads on Instagram, unless that’s what the user has agreed to. This cuts down on unexpected or unwanted personalized ads, giving people more say in how their data gets used.

Data collection

Browsers can collect a range of information from users, including operating system, IP address, online activity history, autofill data, download history and passwords.
The DMA emphasizes data privacy, which means that Chrome and Safari — the two browsers identified as core platform services — need to enhance data privacy for users in the EU. Users need to be informed and their explicit consent obtained before collecting any personal data.

Fair competition

One of the key requirements of the Digital Markets Act is that gatekeepers are required to enable fair competition. For web browsers like Chrome and Safari, this means they need to ensure comparable treatment for all websites and browser-based services.

Plugins or extensions

The DMA mandates that gatekeepers must ensure interoperability with third-party services. This could require Chrome and Safari to change their systems to allow for more seamless integration with third-party apps or extensions.

Third-party app stores

The DMA aims to promote fair competition and address concerns about monopolistic practices. Currently, platforms like Apple’s iOS have strict control over app distribution, with the App Store being the sole channel from which users can download apps. Android users can install apps from third-party sources (in addition to the Google Play Store) by a process called “sideloading”, but this raises security concerns and can make users’ devices vulnerable.

However, the Digital Markets Act could introduce changes that enable alternative app stores to exist, providing developers and users with more and safer choices. This might break the dominance of certain platforms and create a more competitive app market. While the specific details and regulations regarding third-party app stores under the DMA are yet to be determined, the Act signals a shift towards a more open and competitive app ecosystem in the European market.

Pre-installed apps and settings

The DMA is setting its sights on pre-installed apps and default settings, which have long given operating systems a home court advantage. Normally, these systems come loaded with apps that are already picked out, and settings that direct users towards using the operating system’s own products and services. Some apps can’t be deleted from devices by users.

The Digital Markets Act will make it easier for users to remove pre-installed apps they don’t want and change default settings that might steer them toward a particular service. For instance, users could swap out Apple Maps for Google Maps without hassle. The DMA also introduces “choice screens” for key services, enabling users to select their preferred apps during setup.

Messaging across platforms

To reduce monopolies, promote competition and give users more choice, the DMA requires gatekeepers to ensure interoperability with third-party services. This means that related services operated by third parties should be able to communicate and integrate with the gatekeepers’ core platforms.

The interoperability requirement has large implications for messaging apps WhatsApp and Messenger, which are core platform services under the DMA. Consumers who use third-party messaging services like Signal or Telegram will be able to chat with users on WhatsApp or Messenger without needing accounts on these platforms and vice versa.

WhatsApp and Messenger are both owned by Meta, which appears to be taking steps to implement this requirement. In September 2023, an as yet inoperative “third-party chats” feature was seen in development versions of WhatsApp. However, this DMA requirement has sparked a debate that it might impact WhatsApp’s end-to-end encryption, which is a hallmark of its security measures.

While the Digital Markets Act strives to keep personal data safe and ensure user privacy, it’s always a good idea for you as user to take control over your own data and take measures to protect it.

The DMA mandates that platforms can only process your data for specific purposes if they have your explicit consent. Being selective minimizes your digital footprint and reduces the risk of misuse.

Before clicking “I agree” or “Allow” on any terms and conditions or cookie consent banners, read what you’re consenting to. If a website does not enable you to learn what technologies will collect your data, how it will be used, who will have access to it, or does not enable granular consent, it’s not compliant.

Over time, platforms might roll out new features or services that require additional data collection. Under many privacy laws, users must be asked for consent again if the conditions of data collection and use change, so you’re only sharing what you’re comfortable with.

You can also schedule a regular review of your privacy settings on websites or platforms you use the most. Use this time to revoke permissions you’re not using or comfortable with.

The power to transfer your data keeps platforms competitive. If you find a service that better meets your needs, has better pricing, or you like their data privacy practices better, you can easily make the switch without losing your data or facing penalties.

Locate the ‘Export Data’ or similar feature within the settings of your account. Platforms compliant with the DMA and GDPR must provide this option. Once your data is exported, you can upload it to another service of your choice that also embraces data portability.

Embrace personalized services that cater to your specific needs and preferences. By opting for tailored experiences, you can enjoy the benefits of customization without compromising your privacy.

When signing up or adjusting your account settings, choose whether you’d like to enable or disable personalization. Some platforms may provide a simple switch between ‘Personalized’ and ‘Standard’ experiences. Select the option that aligns with your comfort level in terms of data collection.

Consumers are more savvy than ever and concerned about their data privacy. When designing or updating your data processing operations or consent management, keep in mind that they’re paying more attention to what, specifically, they’re being asked to consent to; what permissions they’re being asked to allow; they’re less likely to accept getting locked in where they can’t use the platforms or services they want, when they want; and they’re more skeptical of what’s in it for them to agree to more “personalized” services.