Web development in the era of the Digital Markets Act (DMA): Adapting to changing privacy regulations

Data protection regulations and privacy laws are constantly evolving, and the Digital Markets Act (DMA) brings new considerations to this landscape. Introduced by the European Union, the Digital Markets Act aims to foster a competitive and fair digital market and protect user privacy.

The regulation targets large online platforms, referred to as ‘gatekeepers’, due to their influential role in digital markets. The designated gatekeepers under the DMA are:

• Alphabet (Google, YouTube, Android)
• Amazon
• Apple (iOS, App Store)
• ByteDance (TikTok)
• Meta (Facebook, Instagram, WhatsApp)
• Microsoft (LinkedIn, Windows PC OS)

However, its ripple effects extend to all layers of web development, affecting how developers approach user data, interoperability, and user consent.

We explore how the DMA impacts web development and how web developers can adapt practices for DMA compliance.

Integrating privacy laws requirements into website and app designs is a significant part of a web developer’s work, directly affecting the handling and protection of user data. The DMA law introduces critical changes for web developers that place greater emphasis on user rights and open competition.

1. User consent: Strong emphasis on obtaining explicit consent to collect personal data for any purpose, including serving personalized or targeted ads.
2. Data portability: Users must be able to easily move their data between different platforms, giving them more control over their data and making it simpler for them to switch between services without losing their information.
3. Interoperability between platforms: Requires gatekeepers’ to make sure their core platform services can work well with other smaller platforms and services, providing other platforms to make their products fit smoothly with the services of these big platforms.

Under privacy laws like the DMA, you must give users clear information about what data is taken, why it’s used, how long it’s kept for, and who might have access to it.

Users must have the choice to say no to giving consent or to take back their consent if they change their mind. They also shouldn’t be tricked or misled about how their data is used.

Ensuring transparency involves two key areas:

1. Implementing a consent banner that clearly communicates consent choices to users.
2. Making privacy policies easily accessible and legible.

A transparent consent banner that gives users an actual choice whether or accept or reject consent must have:

• a clear structure, with visual cues such as contrasting colors to highlight consent options
• universally recognizable icons for quick understanding
• interface that is accessible to all users, including those with disabilities.

Usercentrics website CMP enables you to fully customize your consent banner to your needs

Usercentrics website CMP enables you to classify the data processing services used on your website into different purpose-describing categories.

Privacy policies are often long and confusing, making it hard for users to understand their rights and the company’s data policies. Legal and compliance teams handle privacy policy writing, but web development teams can help make them user-friendly.

A website’s footer is a common place to include a link to a privacy policy that most users will know, making it easy to find. You can also make the privacy policy easy to digest in how you present it.

Let’s look at some privacy policies with a user-friendly presentation.

• Airbnb uses one landing page that links out to the different privacy policies for various regions. There are also direct links to other important documents such as the cookies policy and terms for enterprise customers.
• Slack uses a table of contents that links to each separate section of the privacy policy for users to jump to. It also includes external links to information about Data Protection Authorities in the EU and UK for people to contact if they have complaints.
• Uber uses lots of bullet points and lists, making it scannable and easy to read.
• Facebook uses a menu in the sidebar so visitors can go to a new section without scrolling up and down. There is also a link to a printable version of the cookies policy, as well as a link to previous versions for users to see the changes.
• Usercentrics uses an accordion menu for each section, making it easy for users to find the section they’re looking for and collapse sections they aren’t reading so they can focus on the one that’s expanded.

While providing users with transparent access poses challenges, the right tools and collaborations can help you tackle these complexities, enhance the user experience, and obtain legally valid consent.

1. Dynamic nature of data practices: Web developers must regularly update transparency features to reflect changes in the company’s data practices and maintain compliance with data protection regulations, without disrupting the user experience. Collaborate with legal and compliance teams to help keep the website up to date with changes.
2. Complexity of consent management: Developing a consent management system that enables users to easily understand and manage their preferences and the website owner to compliantly record consent can be technically challenging. Use a consent management platform (CMP) to save time and effort by streamlining consent management and enabling compliance.
3. Clear presentation: Designing information to be clear and accessible can be challenging when dealing with diverse user groups who have varying levels of technical understanding. Work with user research and design teams to ensure the information caters to all users, enhancing clarity and accessibility regardless of their technical background.

Internationalization and localization: Adapting transparency features to different languages and cultures while maintaining accuracy and legal compliance is challenging, especially for global brands. Use a CMP that offers multiple language options and can help obtain valid consent from users in diverse regions globally.

The DMA requires gatekeepers to enable users to move their data easily from one service to another, empowering them with control over their data and freedom to switch services without losing their information.

Even if a company is not a gatekeeper and therefore not directly under the DMA’s scope, it still needs to be prepared to honor data portability requests if it uses a core platform service that is required to offer this feature under the DMA.

Gatekeepers and core platform services (CPS) according to the Digital Markets Act (DMA)

To create a user-friendly data portability experience, you can consider:

1. User interface design: Incorporate the data export option within the user account settings to make it easily accessible and user-friendly.
2. Data format selection: Offer multiple data export formats that are commonly used and can be easily processed, such as CSV, JSON, and XML.
3. User notification system: Set up notifications to inform users when their data export is ready for download, such as automated emails or in-app notifications.
4. Timeframe and feedback: Clearly communicate the expected timeframe for data export processing. After the export, provide a way for users to give feedback, helping to continually improve this feature.
5. Document process: Create step-by-step instructions to help users understand where to find the data export option and how to download their data.

A good example of documentation is from Qualtrics, which has detailed guides for downloading survey response data. While the use case differs from downloading user data, the principles apply to data portability download requests too.

Qualtrics’ documentation includes detailed instructions, screenshots, and FAQs for users across different pages on related topics:

• Exporting Response Data
• Data Export Options
• Data Export Formats
• Exporting Response Data to Google Drive

The DMA requires gatekeepers to ensure the core platform services can work together with other platforms, enabling different services and platforms to communicate and share data effectively, fostering a more connected digital environment.

This requirement offers a massive opportunity for smaller businesses to build web services that integrate easily with these large platforms. With interoperability, smaller platforms can reach more people, tap into larger markets, and create new services that work well with other platforms, improving how users experience these digital services.

The Global Partnership for Sustainable Development Data has released a playbook with checklists and key questions to consider that can serve as valuable guidance for you.

This playbook offers specific steps and considerations for building web services that integrate easily with the global developer community, enhancing interoperability. It covers a range of concerns from developing good documentation to building user trust.

The DMA’s aim is to develop fair market conditions where businesses of all sizes can compete. This gives smaller web development firms and digital agencies a chance to provide services and solutions to help companies meet DMA requirements.

Key areas of focus include:

1. Developing compliant solutions: Agencies can build web solutions that adhere to DMA guidelines, ensuring features like data portability, interoperability, and transparency are integrated into web designs and functionalities.
2. Advisory services: Offering consultancy services to clients on how to align their technologies with DMA regulations and help them understand and implement necessary changes.
3. User consent management: Managing consent platforms is vital in obtaining proper user consent for data collection and processing. Agencies can implement and oversee these systems to ensure consent meets DMA requirements.
4. Building trust with compliance: By demonstrating compliance with the DMA, agencies help their clients build trust with users. This approach enhances the reputation and confidence of both the agency and its clients.

Innovative solutions for compliance challenges: Leveraging technology and forming collaborations or partnerships can be an effective way to address complex compliance challenges and help clients stay ahead in a competitive and regulatory landscape.

consent management platforms (CMP) simplify the process of managing user consent and form the perfect partner to enable compliance with data protection regulations and laws like the DMA.

Tools such as Usercentrics CMP for web and apps and Cookiebot cookie consent solution aid in handling user consent collection and signaling. These platforms:

• enable compliance with the opt-in consent model required by the Digital Markets Act and the General Data Protection Regulation (GDPR)
• enable users to change or withdraw their consent at any time, aligning with the DMA’s requirements
• record consent in compliance with various privacy laws
• are compatible with the Interactive Advertising Bureau’s Transparency and Consent Framework (TCF) v2.2 that helps advertisers comply with GDPR and ePrivacy Directive requirements and are Google-certified CMPs

API management tools like Apigee, Mulesoft, and Kong can help with third-party integrations and cross-platform compatibility, ensuring different services work well together. This supports meeting the DMA’s rules for interoperability.

Software for marketing teams can come with questions about where the data collected is stored or whether it infringes upon users’ rights under data privacy laws.

Analytics tools like Mapp, etracker and econda enable DMA- and GDPR-compliant data analysis.

Tools like Kameleoon, Dynamic Yield and Optimizely help marketing teams with content and ad personalization, campaign optimization and A/B testing.

Website owners must not only collect legally valid consent, they must have the tools in place to ensure compliance at all levels when dealing with personal data. This includes monitoring how personal data is accessed and used, identifying privacy-related issues, assessing risks related to data processing activities, and creating compliance reports.

Platforms like LogicGate, NAVEX Global, AuditBoard, IBM OpenPage and RSA Archer can help monitor for compliance under data privacy laws including the GDPR, helping agencies and businesses in meeting DMA requirements and avoiding violations and penalties.

Usercentrics equips you with a comprehensive toolkit to guide clients towards DMA compliance. These resources and support streamline the journey to compliance, enabling you to focus on helping your clients achieve their goals without the added worry of compliance complexities.

• You can integrate customizable interfaces into applications, making it easier for users to manage consent preferences.
• Our detailed developer documentation for web and app CMPs and technical support means you have all the technical information you need at your fingertips.
• Our strong network of service and integration partners provides you with resources and solutions to help meet customers’ needs and become the go-to person for clients looking to achieve compliance across data processing activities.
• Our knowledge hub keeps you up to date with regulatory requirements so you can focus on helping clients enable compliance instead of worrying about changing laws and regulations.

Comprehensive checklists for compliance with multiple international data privacy laws (including the DMA checklist) make it easy for you to ensure you don’t miss a step.

The Digital Markets Act (DMA) presents a significant opportunity for web development and digital agencies. By adapting to its standards, you can guide you clients in creating platforms that prioritize user privacy and data security and give users control over their data. Such an approach centers on user rights, fostering trust as end-users feel confident that their personal information is secure and their preferences respected.

Collaborating with legal and compliance experts is key in this process, ensuring that websites and apps comply with DMA regulations while fostering a secure and transparent online environment. This method of building trust is particularly crucial in a digital market where user confidence can greatly influence a platform’s success.