Digital Markets Act (DMA) compliance: step by step guide

Learn how a high performance consent management platform can help your company implement data privacy practices to comply with DMA requirements from gatekeeper platforms and drive privacy-led marketing.
Resources / Blog / Digital Markets Act (DMA) compliance: step by step guide
Published by Usercentrics
13 mins to read
Jul 30, 2024
Start scan

The Digital Markets Act (DMA) became enforceable in March 2024, targeting seven large digital platforms — designated as “gatekeepers” — that operate in the EU, European Economic Area (EEA), and UK. These companies wield significant economic power due to their widely used services, extensive customer bases, and dominant market positions.

Under the DMA guidelines, only gatekeepers are explicitly required to comply with the Act’s stringent rules. However, due to the nature of these products, they also pass some of the privacy requirements on to third-party companies using their services to help ensure privacy compliance in their full tech and business ecosystems.

As a result, businesses operating in the EU, EEA, and UK that collect personal data and use gatekeepers’ platforms, must align their practices with DMA requirements or risk losing access to gatekeepers’ services.

We take a look at the practical effects of the DMA on third-party companies and provide step by step instructions for implementing digital tools with your tech stack that will enable you to comply with data privacy requirements in the DMA, continue growing your digital marketing efforts, and maintain trust with your users.

The European Digital Markets Act (DMA) requirements: the basics

The DMA was passed in November 2022, coming into force in May 2023, though there was a grace period before enforcement began in early 2024.

Its mandate includes enabling healthy competition in digital markets for smaller, non-gatekeeper companies; greater transparency and choice for consumers; more stringent data privacy requirements; and more open digital markets.

“Third-party companies are required to follow the guidelines of the gatekeepers, which are about providing a fair competitive market environment and prevention of market abuse. Therefore the gatekeepers adjusted their platform services on aspects like fair access, transparency, data portability and therefore non-exclusivity and so on. The users of the platform services have to comply,” explains Tilman Harmeling, Senior Expert, Privacy at Usercentrics.

The Act’s requirements are similar in many respects to those of the EU’s General Data Protection Regulation (GDPR), but are broader in some ways, addressing additional access to and uses of end users’ personal data.

Designated gatekeepers had until March 6, 2024 to comply with the DMA’s requirements. Those that have not yet met the regulation’s requirements can be fined up to 10 percent of their annual global turnover, or up to 20 percent for repeated infringements.

The European Commission (EC) can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.

European authorities have already shown that they’re serious about ensuring gatekeepers’ compliance with the DMA. In a recent investigation into Apple’s steering practices related to its App Store (deemed a “core platform service”), the EC has warned Apple that it will have to pay a fine — which might be in the range of EUR 35.4 billion, or 10% of its total global turnover — if it does not allow users and app developers to make use of application marketplaces other than its native store by March 2025.

Facebook parent company Meta has also already been charged with violating the DMA, which could result in penalties in the tens of billions of dollars.

To maintain access to gatekeepers’ platforms, companies that do business in the EU, EEA, and UK that involve processing consumers’ personal data will also need to follow DMA guidelines set by the gatekeepers in line with the Act.

For these companies, failure to meet the requirements that the gatekeepers set would potentially mean loss of access to key features of gatekeepers’ platforms and services, like personalization functionality for advertising. This could result in a significant loss of data, audience, and revenue.

The DMA was passed along with the Digital Services Act (DSA) in the Digital Services Act package. Learn about the key differences between the Digital Markets Act and the Digital Services Act: DMA vs DSA.

What companies does the Digital Markets Act designate as gatekeepers?

Gatekeeper organizations are characterized as such because of their size, the size of their audiences and customer bases, as well as the global influence of the platforms and services they own. The EC has designated seven of these organizations:

  • Alphabet (parent company of Google and YouTube)
  • Amazon
  • Apple
  • Booking.com
  • ByteDance (parent company of TikTok)
  • Meta (parent company of Facebook, Instagram, and WhatsApp)
  • Microsoft (parent company of LinkedIn)

What are the gatekeepers’ core platform services?

The gatekeepers provide 23 identified core platform services (CPS). Each is required to comply with the DMA requirements due to their enormous reach and audience size, as well as the amount of data generated.

  • Intermediary platforms: Amazon Marketplace, App Store, Booking.com, Google Maps, Google Play, Google Shopping, Meta Marketplace
  • Social networks: Facebook, Instagram, LinkedIn, TikTok
  • Online advertising services: Amazon, Google, and Meta
  • Operating systems: Google Android, iOS, iPadOS, Windows PC OS
  • Web browsers: Chrome and Safari
  • Large communication services: Facebook Messenger and WhatsApp
  • Search engine: Google
  • 1 video sharing platform: YouTube

Third-party companies that use these CPS also need to comply with the providers’ DMA guidelines or risk losing access to gatekeepers’ platforms and services, as well as the data, audience access, and revenue they generate.

Digital Markets Act (DMA) requirements for third-party companies using gatekeepers’ core platform services

The DMA requirements have a trickle-down effect on the many companies that use the gatekeepers’ core platform services, if they collect and process user data for their own operations and that data is used on gatekeeper services, or access data collected by the gatekeepers.

These companies must fulfill certain conditions set by gatekeepers in line with the Act. As the GDPR already requires organizations that collect and use personal data to obtain prior consent (opt in) from users of these platforms and services in the EU, EEA and UK, meeting these DMA conditions can be relatively straightforward.

“Art. 5 (2) DMA: Gatekeepers must ensure that valid consent is obtained when users/companies of gatekeepers’ core platform share end users’ data. As a result, the responsibility for valid consent has been partially transferred to the gatekeepers, if their services are used,” explains Tilman.

In practice, third-party organizations need to obtain and store valid user consent, and signal it to gatekeepers’ services to control what personal data they collect. The most streamlined way to do this is using a consent management platform with tools like Google Consent Mode integrated.

The DMA guidelines for user privacy and consent are similar to the requirements under the GDPR and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before, or at the point when, any personal data is collected.

Users must also be able to change their consent preferences or withdraw consent at any time, and gatekeepers must be able to prove consent from direct and third-party users in the event of an audit by data protection authorities.

We break down the best solutions for data privacy management in a comprehensive comparison guide. Discover essential tools for managing compliance and data privacy effectively.

Read guide

Consent management to enable Digital Markets Act (DMA) compliance

The Digital Markets Act requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:

  • process personal data for providing advertising service using CPS
  • combine personal data from CPS with data from other CPS or services provided by the gatekeepers
  • cross-use personal data from CPS in other services provided by the gatekeeper or CPS

and/or

  • sign end users in to other services in order to combine personal data

Companies using Google services must also support the most up to date version of Google Consent Mode.

A consent management platform (CMP) like Usercentrics CMP enables companies to notify users about DMA cookies use, provide consent options, store this information securely, and signal these actions to third parties, like the gatekeepers.

What are third-party companies’ rights under the Digital Markets Act?

In addition to the DMA requirements regarding the rights and protections for end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.

  • enable the use of third-party apps on gatekeepers’ operating system(s)
  • enable access to data generated on CPS
  • not rank gatekeepers’ services more favorably ranked than third parties’
  • not track end users outside of the gatekeepers’ CPS for the purpose of targeted advertising without obtaining consent
  • enable pre-installed apps to be uninstalled
  • enable settings to be changed on operating systems or browsers that lead to the gatekeepers’ products and services
  • enable business users to offer their products and services on third-party platforms or their own platform for the same price as on the gatekeepers’ platforms and services
  • provide advertisers and publishers information about advertisements placed, remuneration and fees, and metrics free of charge

“The DMA provides third-party companies with several rights, including fair access to platforms, interoperability, data portability, transparency, equal treatment, access to data, non-exclusive contracts, and the ability to contest gatekeeper decisions.

“These rights aim to create a more competitive and fair digital marketplace by preventing gatekeepers from abusing dominant positions and ensuring that third-party companies can compete on equal terms. These rights can be found in Chapter 3 of the DMA,” says Tilman.

Learn more: See the European Commission’s published list of “do’s and don’ts” for gatekeepers

The DMA guide for valid consent largely aligns with the GDPR and many other data privacy laws. Practically, consent needs to be given freely in advance and must be explicit, informed, and granular, while also being documented and easy to withdraw.

Freely given infographic

Find out what a DMA-ready consent management platform is and how to choose one.

Learn more

How to make your website compliant with the Digital Markets Act (DMA) requirements

Because full privacy compliance in digital ecosystems where the gatekeepers’ platforms are dominant is pretty much the requirement, third-party companies that rely on gatekeepers’ platforms and services to do business in the EU/EEA and UK pretty much also have to comply with the DMA.

Fortunately, due to their existing adherence to the GDPR’s provisions, many companies that attract users from within the EU, EEA and UK already meet the DMA’s guidelines. However, many organizations with users in these regions still don’t comply with GDPR and therefore won’t comply with the DMA.

Companies that want to ensure their digital practices are in line with both of these digital privacy laws, and that are concerned with protecting revenues, can do so by following a few simple steps.

Step 1: Implement a Consent Management Platform (CMP)

UC Signup

One of the key DMA requirements is obtaining and managing user consent for data processing activities.

Here, it makes things much easier to have a CMP to help you collect, store, and signal user consent in a way that meets the Act’s trickle-down requirements.

Learn more about how the DMA law affects user privacy and consent management.

A high performance CMP will enable you to obtain informed consent from your users by notifying them about what data is being collected, for what purposes, as well as how it will be stored and whether third parties — like the gatekeepers — will have access to it.

You want to be able to quickly and easily implement and customize your CMP for your websites, apps, and other platforms.

In addition to customizing the data processing services in use on your sites and apps, as well as the regulations covered that are relevant to your company’s operations, you want to ensure the look and feel of your data privacy notices are aligned with your company branding, hence the importance of robust customization features.

Usercentrics is a market-leading web consent management platform (CMP) offering seamless integration with the most popular web content management systems (CMS) and other website builder platforms. It’s designed for technical and non-technical teams, so setup and customization are user-friendly and save you time and resources.

Usercentrics CMP enables stringent regulatory compliance with the DMA and other data privacy regulations to help ensure that you are able to maintain access to gatekeepers’ platforms and services without disruption.

To integrate Usercentrics into your website, follow these steps:

  1. Sign up for a Usercentrics account and enjoy a 30-day free trial.
  2. Generate the CMP script and privacy policy text tailored to your website.
  3. Paste the Usercentrics CMP script into the source code of your website. The designated area for this depends on the CMS you use.
  4. Save the changes and publish your website.

By integrating Usercentrics CMP, you can easily manage user consent preferences, provide transparent information about data processing activities, signal consent information to third-party services, and achieve and maintain compliance with the DMA and GDPR without the need for considerable tech or legal resources.

Improve user experience and support compliance by integrating our in-app SDK for smooth and transparent consent processes.

Learn more

Step 2: Customize your consent banner

To enhance user experience and comply with DMA requirements, it’s important to customize the cookie consent banner on your website.

Usercentrics provides full customization options to optimize your user interface and messaging while matching the design and branding of your website. Follow these steps to customize the cookie consent banner.

  1. Access your Usercentrics account and navigate to the customization settings.
  2. Customize the banner appearance, including colors, fonts, logo, and layout.
  3. Add a clear and concise message explaining the purpose of DMA cookies and other data processing activities.
  4. Specify the different types of cookies used on your website and their respective purposes.
  5. Ensure Google Consent Mode is switched on to optimize your opt-in rates and gain Google ad conversion insights. On Usercentrics CMP, it’s switched on by default for new installations.
  6. Enable the necessary controls for users to manage their consent preferences easily.

By providing a user-friendly and informative cookie consent banner, you can demonstrate your commitment to user privacy and compliance with the DMA privacy law.

Did you know Cookiebot™ predates the GDPR? Get the most established and trusted privacy compliance solution. Protect your business, customers, and revenue.

Start 14-day free trial

Step 3: Optimize user experience for consent management

Consent management should be a seamless and intuitive process for your website visitors. Here are some tips to optimize the user experience (UX) for consent management:

  • Prominent placement: Display the cookie consent banner in a prominent location when users arrive on your website. Note: You can’t block website access and make users’ access to your site dependent on their acceptance of cookies.
  • Simple communication: Use clear and concise language to explain the purpose and implications of data processing activities.
  • Equal representation: Ensure that “accept” and “deny” options are equally accessible, no dark patterns or hidden options.
  • Granular control: Provide granular consent options for users to choose their consent preferences, such as allowing or denying specific categories of cookies.
  • Flexible interface: Implement an easy to access and use interface for users to change their consent preferences at any time.
  • Regular revisions: Regularly review and update your privacy policy to ensure it accurately reflects your data processing practices. You can use Usercentrics privacy policy generator for this.

By prioritizing UX in consent management, you can foster trust with your users and encourage them to engage with your website while complying with the DMA, which also helps boost your consent rates over time

Step 4: Monitor and audit Digital Markets Act compliance

Compliance with the DMA’s requirements is an ongoing process that requires continuous monitoring and auditing. Here are some best practices to help ensure ongoing compliance.

  • Conduct periodic audits to ensure that your website accurately reflects your current data processing activities and requirements of relevant regulations and guidelines.
  • Regularly review and update your consent management settings based on changes in regulations or your data processing practices.
  • Maintain secure, detailed records of user consent and be prepared to provide proof of compliance if requested.
  • Stay informed about any updates or guidance from regulatory authorities regarding the DMA, other relevant laws, and consent management.

By proactively monitoring and auditing your privacy compliance efforts, you can address any potential issues promptly and demonstrate your commitment to data protection.

Compliance with the Digital Markets Act’s privacy requirements is essential for any company that makes use of services provided by the EC’s designated gatekeepers. Given the dominance and reach of these platforms, failure to do so can result in the significant loss of data, audience, and revenue.

Fortunately, complying with the DMA is made easier with a robust and scalable CMP. These platforms help third-party companies obtain the necessary consent from their users and signal it to companies like Google for advertising and other services.

This helps organizations to maintain access to gatekeeper services, grow revenue with successful and data-driven campaigns, and build trust with customers as a result of their data privacy practices.

We strongly recommend consulting with legal and data privacy experts for your privacy compliance operations. However, implementing Usercentrics CMP helps to greatly reduce the resource needs and complexities of meeting the DMA’s and gatekeepers’ requirements.

Our out of the box solution is Europe’s leading CMP. Our state of the art technology scans for and detects all cookies and other trackers in use on your website, enables collection, storage and signaling of valid user consent, and automates processes to enable ongoing compliance with the DMA and GDPR. All this helps to ensure that you can maintain access to gatekeepers’ platforms and services without disruption.

Start your 30-day free trial to help you achieve data privacy compliance with regulations like the GDPR, ePrivacy, and DMA.

Get started

Frequently asked questions

What is the DMA?

The Digital Markets Act (DMA) is a European Union (EU) regulation designed to create an open and fair digital market with strong protections for consumers’ personal data.

It targets large online actors — or gatekeepers — that have a significant impact on the market due to their size and reach, as well as the nature of their businesses.

The Act aims to provide better services and more choice for consumers while also creating a more equitable environment for smaller businesses and startups. It does this by setting clear rules that prevent gatekeepers from engaging in unfair practices that could stifle competition and innovation.

Where does the DMA apply?

The Digital Markets Act (DMA) applies within the European Union (EU), European Economic Area, and United Kingdom.

It targets gatekeepers, which are large digital platforms with a significant reach, like Google, Amazon, and Apple, that have a presence in countries throughout the region.

Although the provisions of the Act are only applicable in the EU/EEA and UK, it’s likely that regulators from other countries and regions will use the DMA as a jumping-off point for formulating additional data privacy laws and guidelines.

As such, it’s possible that the spirit of the DMA — creating a more even playing field within digital markets — as well as the repercussions for going against it, will be relevant across the world.

What is DMA compliance?

Digital Markets Act (DMA) compliance refers to the adherence of gatekeeper companies and their platforms to the requirements and prohibitions set out in this regulation.

This includes allowing interoperability with third-party services, giving business users access to specific data, and disallowing gatekeepers from favoring their own services over those of third parties.

To be compliant, gatekeepers are required to submit reports demonstrating their adherence to the Act within six months of being designated as a gatekeeper and provide updates at regular intervals set by the European Commission (EC).

Failure to do so may result in fines of up to 20 percent of these businesses’ global revenue or even divestitures.

Who does the Digital Markets Act apply to?

The Digital Markets Act (DMA) applies to seven large digital platforms identified as gatekeepers by the European Commission (EC).

These are global companies with significant economic power, extensive user bases, and established market positions. Their activities are being regulated in order to prevent abuse, as well as to help ensure fair competition and innovation in the digital market, along with maintaining high standards for data privacy.

To qualify, a platform must have an annual turnover of at least EUR 7.5 billion in the EU, a market capitalization of at least EUR 75 billion, provide services in at least three EU countries, and have more than 45 million monthly active users.

The EC has designated seven gatekeepers: Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta and Microsoft.

Who enforces the Digital Markets Act?

The European Commission (EC), the politically independent arm of the European Union (EU), is responsible for enforcing the provisions of the Digital Markets Act (DMA).

The implementation of the Act is specifically overseen by joint teams from the Directorate-General for Competition (DG COMP) and the Directorate-General for Communications Networks, Content and Technology (DG CONNECT).

In addition to being tasked with ensuring that gatekeepers comply with the DMA’s rules and regulations, these bodies are empowered to investigate gatekeepers’ business practices and are responsible for making recommendations to the EC about penalties for noncompliance as well as the designation of new gatekeepers.

What rights does my company have under the DMA?

The Digital Markets Act (DMA) aims to create a fairer competitive environment that will enable smaller businesses to innovate and compete in the digital market without facing discriminatory practices.

In line with this, third-party companies interacting with gatekeepers have several important rights under the DMA. These include the right to access data generated through the use of the gatekeeper’s platform; the ability to promote offers and conclude contracts with users outside of the gatekeeper’s platform; and the right to interoperability with the gatekeeper’s services.

By providing third-party companies with these rights, the DMA aims to create a more dynamic and open digital market that will benefit both businesses and consumers.

If my business is GDPR-compliant is it also DMA-compliant?

Being compliant with the General Data Protection Regulation (GDPR) does not mean that your business will automatically be compliant with the Digital Markets Act (DMA). The DMA targets gatekeepers or large businesses with extensive user bases and market power, while the GDPR focuses on regulating data privacy for individual users of digital services.

Although the DMA’s requirements are more extensive, much of the Act is only applicable to gatekeepers. However, many of the data privacy requirements created by this regulation are passed down to third-party companies that use gatekeepers’ services. The rules around this use, for example, those set out requiring the use of Google Consent Mode v2, will vary depending on the gatekeeper with which a third-party is interacting and which of their services are in use.

Golden Gate Bridge
Sep 19, 2024
In effect since January 1, 2020, the California Consumer Privacy Act (CCPA) was the first US state-level consumer privacy law. It established consumers’ rights, set obligations for businesses, and influenced subsequent privacy regulations in other states.
Utah Consumer Privacy Act
Sep 17, 2024
The UCPA provides rights to consumers and places responsibilities on businesses to protect consumer data and use it compliantly. We explore its key provisions and what they mean for both consumers and companies.
Aug 29, 2024
Understanding the distinctions between PII, PI, and sensitive data is essential for effective data protection and regulatory compliance. By properly classifying and safeguarding these data types, organizations can mitigate risks and build stronger trust with their customers.