What you need to know to comply with the Digital Markets Act (DMA)

The DMA came into force in November 2022 and has been applicable since May 2023. Designated gatekeepers have until March 6, 2024 to comply with the Act’s requirements. This means that the companies that do business in the EU/EEA and UK and use the gatekeepers’ platforms and services also need to comply. Gatekeepers in violation of the DMA can be fined up to 10% of annual global turnover, or up to 20% for repeated infringements.

The DMA’s requirements are similar in many respects to those of the GDPR, but are broader in some ways, addressing additional access to and uses of end users’ personal data. The DMA aims to help ensure healthy competition from smaller, non-gatekeeper companies, and more open digital markets.

• designated gatekeepers
• core platform services (CPS)
• whether your company needs to comply with the DMA
• how the DMA impacts user privacy and consent
• how to obtain and store valid consent
• how to implement a CMP to be ready for the DMA
• and more…

In the DMA, the European Commission (EC) designated six “gatekeeper” organizations: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.

The gatekeepers have to ensure that their platforms comply with the DMA by March 6, 2024, else they risk substantial fines. By extension, these requirements also mean that the many companies that use the core platform services from these entities must comply if they want to keep using the platforms and services.

This includes companies that collect and process user data for their own operations, or access data collected by the gatekeepers.

Companies that collect and use the personal data of users in the European Union must ensure they obtain valid prior consent (opt-in) from online users of these platforms and services. This includes gatekeepers and third parties that use their platforms, services, and data. If your organization is one of these, e.g. advertising on one or more of the platforms, you need to comply with the DMA. Companies operating in the EU may also need to comply with additional data privacy regulations, like the GDPR.

That means you need a consent management solution to ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data.

The gatekeepers provide 22 identified core platform services (CPS) that are required to comply with the DMA due to their enormous reach, audience, and data generated:

• 3 operating systems (Google Android, iOS, Windows PC OS)
• 2 web browsers (Chrome and Safari)
• 1 search engine (Google)
• 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
• 1 video sharing platform (YouTube)
• 3 online advertising services (Amazon, Google, and Meta)
• 2 large communication services (Facebook Messenger and WhatsApp)
• 6 intermediation platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)

Third parties that use these CPS also need to comply with the DMA or risk losing access to gatekeepers, their platforms and services, and the data and revenue they generate.

User privacy and consent under the DMA follow the same requirements as the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before any personal data is collected.

Users must also be able to change their consent preferences or withdraw consent at any time, and companies must be able to prove consent in the event of an audit by data protection authorities.

To achieve this, a consent management platform (CMP) enables companies to notify users about the collection and use of their data, provide consent options, and store this information securely. Companies using Google services must also support the most up-to-date version of Google Consent Mode.

The DMA requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:

• process personal data for providing advertising services using CPS
• combine personal data from CPS with data from other CPS or services provided by the gatekeepers
• cross-use personal data from CPS in other services provided by the gatekeeper or CPSand/or
• sign end users in to other services in order to combine personal data

In addition to the DMA’s requirements regarding the rights and protections afforded to end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.

Some of the key requirements are:

• allow the use of third-party apps on gatekeepers’ operating system(s)
• allow access to data generated on CPS
• do not allow gatekeepers’ services to be more favorably ranked
• do not track end users outside of the gatekeepers’ CPS for the purpose of targeted advertising without obtaining consent
• enable pre-installed apps to be uninstalled
• enable settings to be changed on operating systems or browsers that lead to the gatekeepers’ products and services
• allow business users to offer their products and services on third-party platforms or their own platform for the same price as on the gatekeepers’ platforms and services
• provide advertisers and publishers information about advertisements placed, remuneration and fees, and metrics free of charge

See the EC’s published list of “do’s and don’ts” for gatekeepers

Per the DMA’s requirements, conditions for valid consent are:

Explicit: Active acceptance required, e.g. ticking a box or clicking a link.

Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?

Documented: You have the burden of proof of consent in the case of an audit.

In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.

Granular: Individual consent for individual purposes, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.

Freely given: Equally accessible and easy to use “Accept” and “Deny” options, e.g. buttons all on the first layer of the CMP. Do not manipulate users’ choices via design.

Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.

On websites, in apps, and on other connected platforms, the GDPR requires consent to be obtained for the use of cookies and other tracking technologies. This has made cookie banners or similar consent management tools a common sight. But many companies with EU users are still not compliant with the GDPR. This also means they won’t be compliant with the Digital Markets Act, and risk access to the gatekeepers’ platforms and services, including advertising with Google.

A consent management platform can be implemented on websites, apps, and other platforms in minutes, and customized for your company branding, the cookies and other tracking technologies you use, and more.

Usercentrics has Europe’s leading CMP that enables stringent regulatory compliance, including with the Digital Markets Act, right out of the box. It’s built on state-of-the-art technology that scans deeper for cookies and has automated functionality to help you maintain compliance without having to dedicate a lot of tech or legal resources. It also enables companies to meet consent management requirements to maintain access to the gatekeepers’ platforms and services without disruption.

European authorities have shown they are serious about data privacy compliance and regulatory enforcement, and the DMA will extend that commitment. The European Commission can impose fines for Digital Markets Act violations on gatekeepers of up to 10% of the company’s annual global turnover, 20% in cases of repeated infringement. The Commission can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.

Third-party companies using gatekeepers’ services can lose access to the platforms, data, customers, and revenue if they are found to be noncompliant with the Digital Markets Act. Additionally, Digital Markets Act violations would also quite possibly violate other privacy laws, like the GDPR, which come with a whole additional set of penalties. The likely result would be a serious hit to brand reputation and customer trust, which would negatively affect revenues and future growth.

Your implementation will depend on your platform, CMS, and tools used, e.g. GTAG, Google Tag Manager, etc. However, Usercentrics CMP integrates into all the leading web and app platforms, like WordPress, Magento, Wix, Squarespace, Shopify, Prestashop, and more.

1. Select a flexible, reliable consent management platform that can be customized to your needs and will be easy to maintain by technical or non-technical staff
2. Implement the CMP according to your website setup—via direct integration, head tag, Google Tag Manager, etc.—and the tools you have integrated, including those of the designated gatekeepers under the Digital Markets Act
3. Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
4. Activate Google Consent Mode signaling
5. Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
6. Start collecting Digital Markets Act-compliant consent from users

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.