
Introduction to the Delaware Data Privacy Act

Delaware’s Personal Data Privacy Act (DPDPA), enacted through House Bill 154, was the eighth state-level data privacy law passed in the United States in 2023 and the twelfth comprehensive state privacy law passed to date. Florida’s Digital Bill of Rights is narrower in scope and is not always counted. Nevada’s Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and its amendment SB 260 are also limited in scope, and the original Act predates the current wave of comprehensive state laws.

The United States has no federal comprehensive data privacy law, though since July 10, 2023 it has the EU-U.S. Data Privacy Framework, an adequacy decision by the European Commission covering transfers of personal data from the EU. The EU and US had been without such an arrangement since July 2020, when the Court of Justice of the EU struck down the previous Privacy Shield.

Signed into law by Governor John Carney on September 11, 2023, the DPDPA takes effect January 1, 2025, the same date as Iowa’s Consumer Data Protection Act (ICDPA). Controllers get an additional year, until January 1, 2026, before they must recognize universal opt-out mechanisms. Delaware’s Department of Justice (DOJ) is to begin an outreach period no later than July 1, 2024 to inform businesses of their obligations and consumers of their rights under the DPDPA.

Delaware’s privacy law is among the more consumer-friendly state-level data privacy laws, though not as strict as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Its thresholds also bring in a broader range of companies of all sizes: it neither targets only large businesses, as Florida’s law does, nor excludes small ones, as the Texas Data Privacy and Security Act (TDPSA) does.

What is the Delaware data privacy act?

Delaware’s data privacy law protects the privacy and personal data rights of the state’s roughly one million residents, i.e. people acting in an individual or household context, not in an employment or commercial capacity. The law also establishes data privacy responsibilities for companies conducting business in the state and/or producing goods or services targeted to Delaware residents.

Privacy notice requirements

Data controllers, defined under the law as “a person that, alone or jointly with others, determines the purpose and means of processing personal data” must provide consumers with a privacy notice that is “accessible, clear, and meaningful”. The notice has to describe the organization’s data processing operations, and include:

Opt-out consent model

Like every other US state data privacy law, the DPDPA uses an opt-out model, so in many cases controllers can collect and process personal data without first obtaining the consumer’s consent. Consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”, and controllers must provide both information about these rights and a mechanism for exercising them.

The law notes that controllers must provide “a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data.”

Additionally, the law requires controllers to honor opt-out preference signals: “Not later than [one year following the effective date of this Act], allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer’s consent, by a platform, technology, or mechanism to the controller indicating such consumer’s intent to opt out of any such processing or sale.” Given the January 1, 2025 effective date, that means signals must be honored from January 1, 2026. Note that the signal’s statutory scope is targeted advertising and sale; it does not by itself cover other purposes.

Definitions in the Delaware Personal Data Privacy Act

Personal data under the DPDPA

Refers to “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information”.

It should be noted that personal data (also called personal information) and personally identifiable information (PII) are not always the same thing, and data privacy laws often draw a distinction between them.

Sensitive data under the DPDPA

Sensitive data is a category of personal data that could be embarrassing or used to cause harm if unlawfully accessed or misused. It therefore requires special handling, and under the DPDPA it cannot be collected or processed without the consumer’s prior consent. Delaware’s privacy law specifically refers to personal data that would reveal any of the following:

Delaware’s law is the second of the US privacy laws, after Oregon’s, to include transgender or nonbinary gender expression as sensitive data.

Consent under the DPDPA

Like many other data privacy laws, the Delaware data privacy law follows the European Union’s General Data Protection Regulation (GDPR) with regards to the definition of valid consent: “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”

To provide additional clarity, the law adds that consent “may include a written statement, including by electronic means, or any other unambiguous affirmative action.” Under the DPDPA, consent does not include:

Consumer under the DPDPA

Refers to “an individual who is a resident of [Delaware]”.

The definition does not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.”

Controller under the DPDPA

Businesses and other organizations that collect and use personal data will likely qualify as controllers, though the law uses the word “person”. Controller is defined as “a person that, alone or jointly with others, determines the purpose and means of processing personal data.”

Processor under the DPDPA

Like controller, while the law references a person, in most cases this is likely to be done by a company or other organization. Processor is defined as “a person that processes personal data on behalf of a controller.” It could include third parties like advertising partners or fulfillment companies.

Profiling under the DPDPA

Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to “automated decision-making” or the use of AI technologies. The Delaware data protection law defines profiling as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.”

Targeted advertising under the DPDPA

This is also increasingly a standard inclusion in data privacy laws. The Delaware data privacy law defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.”

The following are not included in the definition of targeted advertising:

Sale under the DPDPA

Refers to “the exchange or transfer of personal data for monetary or other valuable consideration by the controller to a third party”.

Exclusions to the definition of sale include disclosures of personal data:

What is covered in the Delaware data privacy act?

The DPDPA mainly affects commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.

Who has to comply with the Delaware data privacy law?

The Delaware privacy law’s compliance thresholds are lower than those of comparable US laws, which is not surprising given the state’s population of about one million; California, by comparison, has about 40 million. The lower thresholds also mean the law will reach more small businesses.

Delaware’s law continues a trend among recent US state-level privacy laws in having no revenue-only threshold, i.e. a company does not have to comply solely because its revenue exceeds a given dollar amount. The thresholds are instead expressed in terms of the number of consumers whose personal data is processed and, for the lower tier, the share of revenue derived from selling it.

The compliance thresholds are for the preceding calendar year if an organization:

or

Exemptions to Delaware Personal Data Privacy Act compliance

The DPDPA’s exemptions are fairly standard, and include exemptions for data processing governed by federal law, e.g. Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).

Exempted entities and their services/activities include:

Exempted regulations (and data processed relevant to them) include:

Consumers’ rights under the Delaware personal data protection law

Consumers’ rights under the DPDPA are fairly standard compared to other comprehensive privacy laws in the US:

Consumers can designate an authorized agent to opt out of personal data processing on their behalf. This is particularly relevant because the DPDPA requires controllers to recognize universal opt-out signals from January 1, 2026, one year after the law takes effect.

Coverage for children under the DPDPA

Parents or legal guardians can exercise the rights of children, whose personal data is treated as sensitive by default. Because of this designation, consent is required before a known child’s data can be collected or processed. Like a number of other US data privacy laws, Delaware’s law defers to the federal Children’s Online Privacy Protection Act (COPPA) regarding rights, responsibilities and protections for children and their data online, including the definition of a child as a person under the age of 13. The DPDPA additionally requires consent before processing personal data for targeted advertising or sale where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 but younger than 18.

Consumer requests under the DPDPA

Consumers can make one free request to a controller to exercise their rights, e.g. to obtain a copy of their data, in any 12-month period. A controller can deny requests that are “manifestly unfounded, excessive or repetitive”. Reasonable grounds for denial also include being unable to verify the consumer’s identity by reasonable means, or receiving an excessive number of requests from the same consumer within a 12-month period.

The controller may charge the consumer a reasonable fee to cover the administrative costs of complying with such a request if it’s “manifestly unfounded, excessive or repetitive”. However, in such an instance, the controller is responsible for demonstrating that it is.

A controller must respond without “undue delay” and within 45 days of receiving a request, with the option to extend that period by a further 45 days where reasonably necessary, provided the consumer is informed of the extension.

Private right of action under the DPDPA

California remains the only US state whose data privacy law provides a private right of action, meaning consumers can sue controllers directly in the event of a violation. Delaware’s law does not include a private right of action; enforcement falls to the state’s Department of Justice.

How does the new Delaware data privacy act affect businesses?

The DPDPA is fairly similar to other US privacy law requirements regarding notifications, data access, use, and security. Because of the lower threshold numbers for compliance, it will also likely affect more businesses. The law also includes particular responsibilities for data processors, particularly relating to complying with controllers’ requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.

How to comply with the Delaware data privacy act

Notifications defined by the DPDPA

Controllers must provide a privacy notice that is “accessible, clear, and meaningful”, and describes the organization’s data processing activities, including information about the data collected, processing purposes, parties data is shared with, and ways to exercise consumer rights. Companies’ contact method must be secure, reliable, and easy for consumers to use to make requests or appeal controllers’ decisions, and be able to verify their identities as needed.

Purpose limitation defined by the DPDPA

Controllers can process personal data for the purpose(s) they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer”. If the purposes for processing change, the controller must provide new notification and, where relevant, obtain new consent. In some cases, such as children’s data, consent must be obtained from a parent or guardian before processing, rather than offering an opt-out later.

Data security defined by the DPDPA

Controllers must establish and maintain reasonable administrative, technical, and physical data security practices for personal data under their control, including deidentified data, and “protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue”. Processors working with/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually prior to processing.

Data protection assessments (DPA) defined by the DPDPA

Controllers are required to perform data protection assessments (DPA), also known as data protection impact assessments, for “processing activities that present a heightened risk of harm to a consumer.” Such activities could include:

The DPDPA also generally requires a controller that processes the data of at least 100,000 consumers to perform DPAs.

The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.

Consent requirements defined by the DPDPA

For many circumstances user consent is not required by Delaware’s privacy law before personal data is collected or processed. Prior consent is required to access sensitive data or children’s data, for example, or if the organization’s data processing purposes change. Controllers must provide clear notification about what data is collected and processed, purposes for use, who it’s shared with, consumers’ rights and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.

In addition to providing information about how consumers can opt out, controllers must inform consumers that they can change or revoke previously given consent. Revoking consent must be as easy as giving it. Once a consumer revokes consent, the controller must stop the relevant processing as soon as practicable, and no later than 15 days after receiving the request.

Nondiscrimination defined by the DPDPA

Like other US privacy laws, Delaware’s law prohibits discrimination against consumers, including for exercising their rights under the law. For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing the site or its functions. Some web or app features will not work without certain cookies or trackers being active, however, so if a consumer opts out and those features no longer work optimally, this is not discriminatory.

Processing personal data is also prohibited if doing so would violate other state or federal laws governing discrimination.

Controllers can offer voluntary incentives to consumers for participating in activities that collect personal data, e.g. newsletter signups, surveys, or loyalty programs. Such offers must be reasonable and proportionate to the type and amount of data collected, so that they do not look like payment for consent, which data protection authorities frown upon. Consumers who decline such offers also cannot be discriminated against, e.g. by being denied access to comparable offers or being charged a different price for goods or services.

Third-party contracts defined by the DPDPA

Processors must assist controllers in meeting their obligations under the law, which include limiting processing to the disclosed purposes, safeguarding personal data, and providing the information needed for data protection assessments.

There needs to be a contract in place between the controller and processor prior to data collection. Such contracts are binding on both sides and need to include:

  • duty of confidentiality
  • clear instructions for processing data, including:
    • nature and purpose of the processing
    • type of data that is subject to processing
    • duration of the processing
  • rights and obligations of both parties
  • the processor must delete or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless there are superseding legal requirements for the processor
  • the processor must provide the controller (upon request) all information needed to verify that the processor has complied with all of their contractual obligations to the controller
  • if the processor engages any subcontractors, they must have contracts in place as well to ensure they comply with all requirements of the controller

Universal opt-out mechanism

Not all US state-level privacy laws require controllers to honor a universal opt-out mechanism (also called a global opt-out signal; Global Privacy Control, or GPC, is the best-known implementation), but it is becoming more common in recently passed laws. The Delaware Personal Data Privacy Act does include this requirement, though organizations have a year from the law’s January 2025 effective date, i.e. until January 1, 2026, before they must begin honoring the signal.

This mechanism enables consumers to set and communicate their preferences with regards to the processing of their personal data once, e.g. in their web browser, and then they’re communicated to all websites or other platforms or services that the consumer uses that can detect the signal.
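As an added example (not Usercentrics code and not part of the original article), the following JavaScript shows how a controller can detect an opt-out preference signal and fold it into a stored consent record, covering both the signal described in the opt-out consent section above and the universal opt-out mechanism described here. The two signal carriers used, the `Sec-GPC: 1` request header and the browser's `navigator.globalPrivacyControl` property, are defined by the Global Privacy Control specification; the consent-record shape, the purpose names, the consumer identifier and the sample request are assumptions made for illustration. The merge only forces off the purposes the DPDPA's signal provision covers (targeted advertising and sale), never re-enables a purpose the consumer already declined, and leaves unrelated purposes such as analytics alone.

```javascript
// Added example: honouring a universal opt-out signal (Global Privacy Control)
// for a site subject to the DPDPA's opt-out-preference-signal requirement.
// Signal carriers come from the GPC spec; everything else (record shape,
// purpose names, sample data) is assumed for illustration.

// Purposes the DPDPA lets a consumer opt out of through a signal.
const SIGNAL_PURPOSES = ["targeted_advertising", "sale"];

// Read the GPC signal from a request-header map (server side) or a
// navigator-like object (client side). Header names are case-insensitive,
// and the spec defines exactly one meaningful header value: "1".
function hasGpcSignal({ headers = {}, navigator = null } = {}) {
  const headerValue = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "sec-gpc")?.[1];
  if (String(headerValue ?? "").trim() === "1") return true;
  return navigator?.globalPrivacyControl === true;
}

// Merge the signal into a stored consent record without mutating it.
// Returns the new record and the list of purposes the signal changed.
function applyOptOutSignal(record, signalPresent) {
  const next = { ...record, purposes: { ...record.purposes } };
  const changed = [];
  if (!signalPresent) return { record: next, changed };
  for (const purpose of SIGNAL_PURPOSES) {
    // A signal forces these purposes off; an earlier "false" stays "false".
    if (next.purposes[purpose] !== false) {
      next.purposes[purpose] = false;
      changed.push(purpose);
    }
  }
  if (changed.length > 0) {
    // Record why the preference changed, for the audit trail.
    next.source = "opt_out_preference_signal";
  }
  return { record: next, changed };
}

// Gate a processing activity on the consumer's current preference.
function mayProcess(record, purpose) {
  return record.purposes[purpose] === true;
}

// Body of /.well-known/gpc.json, which the GPC spec uses so a site can
// declare that it honours the signal.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample: a consumer who earlier accepted every purpose via the
// banner now arrives with GPC enabled in the browser.
const storedConsent = {
  consumerId: "example-123", // assumed identifier
  source: "banner",
  purposes: { analytics: true, targeted_advertising: true, sale: true },
};
const request = { headers: { "Sec-GPC": "1", "User-Agent": "example" } };

const { record, changed } = applyOptOutSignal(
  storedConsent,
  hasGpcSignal(request),
);
console.log(changed); // [ 'targeted_advertising', 'sale' ]
console.log(mayProcess(record, "targeted_advertising")); // false
console.log(mayProcess(record, "analytics")); // true
console.log(gpcWellKnown("2025-01-01")); // {"gpc":true,"lastUpdate":"2025-01-01"}
```

On the server, check the header before serving any ad or data-sharing tag; in the browser, check `navigator.globalPrivacyControl` at page load so a consent banner does not offer targeted advertising as an opt-in default when the signal is present. The statute's wording ("with such consumer's consent") puts the onus on the signal's sender, so the controller does not need to verify how the signal was enabled, only to honor it.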

What happens if you violate the Delaware data privacy regulation?

Delaware’s enforcement of the DPDPA is similar to that of other US states in that it is centralized in a single authority, though it also ties into the state’s existing consumer protection laws.

DPDPA enforcement

Enforcement of the Delaware Personal Data Privacy Act is under the Attorney General and Department of Justice.

Consumer complaints about controllers’ data processing or denial of consumer requests can be submitted to the Attorney General, which will notify an organization of any complaint and if an investigation is launched. The Attorney General can require data protection assessments and other information from controllers in the course of investigation or to ensure they are being done compliantly.

Consumer complaints under the DPDPA

Controllers have to provide information and a process to consumers not only to exercise their rights, but to lodge an appeal if the controller refuses to take action on a request, either within a reasonable amount of time or at all. This appeal process must be similar to the process to make a request and just as easy to do.

If a consumer appeals, the controller has 60 days from receiving the appeal to inform the consumer of any action taken or not taken, including a written explanation of the reasons for the decision. Controllers also have to provide consumers with an online mechanism, if available, or another way to contact the Department of Justice to submit a complaint if the controller does not resolve the issue.

The DOJ can decide to issue a notice of violation to a controller, e.g. resulting from a complaint. As previously noted, consumers do not have private right of action under the DPDPA.

Cure period and sunset provision under the DPDPA

If the Department of Justice determines a violation has occurred, but can be “cured”, in addition to notifying the controller of the violation, they can provide 60 days for the controller to fix the issue and prevent it from recurring.

If the controller fails to cure the violation within 60 days, the DOJ may initiate enforcement proceedings. The DOJ considers the following in determining if enforcement is warranted:

The cure period for the DPDPA sunsets on January 1, 2026, the consideration being that by then organizations should know their responsibilities and be ensuring compliance. The DOJ can still decide to offer a cure period, but it will be entirely at their discretion.

Fines and penalties

The DPDPA doesn’t provide a specific amount for fines, however it does reference Subchapter II of Chapter 25 of Title 29, which states that the Attorney General has standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and/or seek remedies on behalf of the state for violations (of a variety of provisions relating to consumer protection).

Entities found to have willfully violated the law can be ordered to pay up to US $10,000 per violation.

The Delaware Personal Data Privacy Act and consent management

Delaware’s law is based on an opt out consent model, so consent does not need to be obtained before collecting or processing personal data in many circumstances like it does in the European Union, for example.

Consumers do have to be informed about data collection and use, parties with access, and what their rights are and how to exercise them. This information and a comprehensive privacy notice need to be clear and easily accessible, e.g. on the organization’s website.

Consumers do need to be able to opt out of processing of their data or be able to change or revoke their previous consent preferences. This can be managed via a consent management platform like Usercentrics CMP for Website Consent Management or App Consent Management.

From January 1, 2026, organizations must also recognize and honor consumers’ opt-out preferences as expressed via a universal opt-out signal.

Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. The DPDPA does require providing consumers with clear, granular information about this.

The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws.

A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

Check out our on-demand webinar: US Data Privacy Legislation

Preparing for the Delaware Personal Data Privacy Act

Organizations doing business in Delaware have until January 2025 to prepare for compliance with the DPDPA. The Department of Justice will be conducting educational outreach by July 2024.

Companies that have achieved compliance with other state-level laws, like California’s CCPA/CPRA, have done much of the work toward DPDPA compliance. Organizations still need to be clear on each state law’s unique stipulations and should consult qualified legal counsel and/or their own data protection officer (DPO) or privacy expert. A privacy by design approach will also benefit an organization’s operations beyond data privacy compliance.

Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Data protection regulations and privacy laws are constantly evolving, and the Digital Markets Act (DMA) brings new considerations to this landscape. Introduced by the European Union, the Digital Markets Act aims to foster a competitive and fair digital market and protect user privacy.

The regulation targets large online platforms, referred to as ‘gatekeepers’, due to their influential role in digital markets. The designated gatekeepers under the DMA are:

However, its ripple effects extend to all layers of web development, affecting how developers approach user data, interoperability, and user consent.

We explore how the DMA impacts web development and how web developers can adapt practices for DMA compliance.

Key provisions of the Digital Markets Act impacting web developers

Integrating privacy law requirements into website and app designs is a significant part of a web developer’s work, directly affecting how user data is handled and protected. The DMA introduces changes for web developers that place greater emphasis on user rights and open competition.

  1. User consent: Strong emphasis on obtaining explicit consent to collect personal data for any purpose, including serving personalized or targeted ads.
  2. Data portability: Users must be able to easily move their data between different platforms, giving them more control over their data and making it simpler to switch between services without losing their information.
  3. Interoperability between platforms: Gatekeepers must ensure their core platform services can work with other, smaller platforms and services, so that other providers can make their products fit smoothly with the gatekeepers’ services.

Adapting web development practices for Digital Markets Act compliance

For transparency and consent in data collection and ad targeting

Under the DMA, as under the privacy laws it sits alongside, you must give users clear information about what data is collected, why it is used, how long it is kept, and who might have access to it.

Users must have the choice to say no to giving consent or to take back their consent if they change their mind. They also shouldn’t be tricked or misled about how their data is used.

Ensuring transparency involves two key areas:

  1. Implementing a consent banner that clearly communicates consent choices to users.
  2. Making privacy policies easily accessible and legible.

Consent banners

A transparent consent banner that gives users a genuine choice whether to accept or reject consent must have:

Usercentrics website CMP enables you to fully customize your consent banner to your needs
Usercentrics website CMP enables you to classify the data processing services used on your website into different purpose-describing categories.

Privacy policy

Privacy policies are often long and confusing, making it hard for users to understand their rights and the company’s data policies. Legal and compliance teams handle privacy policy writing, but web development teams can help make them user-friendly.

A website’s footer is a common place to include a link to a privacy policy that most users will know, making it easy to find. You can also make the privacy policy easy to digest in how you present it.

Let’s look at some privacy policies with a user-friendly presentation.

Potential challenges in ensuring transparent access

While providing users with transparent access poses challenges, the right tools and collaborations can help you tackle these complexities, enhance the user experience, and obtain legally valid consent.

  1. Dynamic nature of data practices: Web developers must regularly update transparency features to reflect changes in the company’s data practices and maintain compliance with data protection regulations, without disrupting the user experience. Collaborate with legal and compliance teams to help keep the website up to date with changes.
  2. Complexity of consent management: Developing a consent management system that enables users to easily understand and manage their preferences and the website owner to compliantly record consent can be technically challenging. Use a consent management platform (CMP) to save time and effort by streamlining consent management and enabling compliance.
  3. Clear presentation: Designing information to be clear and accessible can be challenging when dealing with diverse user groups who have varying levels of technical understanding. Work with user research and design teams to ensure the information caters to all users, enhancing clarity and accessibility regardless of their technical background.
  4. Internationalization and localization: Adapting transparency features to different languages and cultures while maintaining accuracy and legal compliance is challenging, especially for global brands. Use a CMP that offers multiple language options and can help obtain valid consent from users in diverse regions globally.

For data portability

The DMA requires gatekeepers to enable users to move their data easily from one service to another, empowering them with control over their data and freedom to switch services without losing their information.

Even if a company is not a gatekeeper and therefore not directly under the DMA’s scope, it still needs to be prepared to honor data portability requests if it uses a core platform service that is required to offer this feature under the DMA.

Gatekeepers and core platform services (CPS) according to the Digital Markets Act (DMA)

To create a user-friendly data portability experience, you can consider:

  1. User interface design: Incorporate the data export option within the user account settings to make it easily accessible and user-friendly.
  2. Data format selection: Offer multiple data export formats that are commonly used and can be easily processed, such as CSV, JSON, and XML.
  3. User notification system: Set up notifications to inform users when their data export is ready for download, such as automated emails or in-app notifications.
  4. Timeframe and feedback: Clearly communicate the expected timeframe for data export processing. After the export, provide a way for users to give feedback, helping to continually improve this feature.
  5. Document process: Create step-by-step instructions to help users understand where to find the data export option and how to download their data.

A good example of documentation is from Qualtrics, which has detailed guides for downloading survey response data. While the use case differs from downloading user data, the principles apply to data portability download requests too.

Qualtrics’ documentation includes detailed instructions, screenshots, and FAQs for users across different pages on related topics:

For interoperability

The DMA requires gatekeepers to ensure the core platform services can work together with other platforms, enabling different services and platforms to communicate and share data effectively, fostering a more connected digital environment.

This requirement offers a massive opportunity for smaller businesses to build web services that integrate easily with these large platforms. With interoperability, smaller platforms can reach more people, tap into larger markets, and create new services that work well with other platforms, improving how users experience these digital services.

The Global Partnership for Sustainable Development Data has released a playbook with checklists and key questions to consider that can serve as valuable guidance for you.

This playbook offers specific steps and considerations for building web services that integrate easily with the global developer community, enhancing interoperability. It covers a range of concerns from developing good documentation to building user trust.

The role of web development and digital agencies in ensuring DMA compliance

The DMA’s aim is to develop fair market conditions where businesses of all sizes can compete. This gives smaller web development firms and digital agencies a chance to provide services and solutions to help companies meet DMA requirements.

Key areas of focus include:

  1. Developing compliant solutions: Agencies can build web solutions that adhere to DMA guidelines, ensuring features like data portability, interoperability, and transparency are integrated into web designs and functionalities.
  2. Advisory services: Offering consultancy services to clients on how to align their technologies with DMA regulations and help them understand and implement necessary changes.
  3. User consent management: Managing consent platforms is vital in obtaining proper user consent for data collection and processing. Agencies can implement and oversee these systems to ensure consent meets DMA requirements.
  4. Building trust with compliance: By demonstrating compliance with the DMA, agencies help their clients build trust with users. This approach enhances the reputation and confidence of both the agency and its clients.
  5. Innovative solutions for compliance challenges: Leveraging technology and forming collaborations or partnerships can be an effective way to address complex compliance challenges and help clients stay ahead in a competitive and regulatory landscape.

Tools and technologies for DMA compliance

User consent management

Consent management platforms (CMPs) simplify the process of managing user consent and are the ideal partner for enabling compliance with data protection regulations and laws like the DMA.

Tools such as Usercentrics CMP for web and apps and Cookiebot cookie consent solution aid in handling user consent collection and signaling. These platforms:

Third-party integrations

API management tools like Apigee, Mulesoft, and Kong can help with third-party integrations and cross-platform compatibility, ensuring different services work well together. This supports meeting the DMA’s rules for interoperability.

Marketing tools

Software for marketing teams can come with questions about where the data collected is stored or whether it infringes upon users’ rights under data privacy laws.

Analytics tools like Mapp, etracker and econda enable DMA- and GDPR-compliant data analysis.

Tools like Kameleoon, Dynamic Yield and Optimizely help marketing teams with content and ad personalization, campaign optimization and A/B testing.

Compliance tools

Website owners must not only collect legally valid consent, they must have the tools in place to ensure compliance at all levels when dealing with personal data. This includes monitoring how personal data is accessed and used, identifying privacy-related issues, assessing risks related to data processing activities, and creating compliance reports.

Platforms like LogicGate, NAVEX Global, AuditBoard, IBM OpenPage and RSA Archer can help monitor for compliance under data privacy laws including the GDPR, helping agencies and businesses in meeting DMA requirements and avoiding violations and penalties.

How Usercentrics can help web development and digital agencies enable DMA compliance for clients

Usercentrics equips you with a comprehensive toolkit to guide clients towards DMA compliance. These resources and support streamline the journey to compliance, enabling you to focus on helping your clients achieve their goals without the added worry of compliance complexities.

Comprehensive checklists for compliance with multiple international data privacy laws (including the DMA checklist) make it easy for you to ensure you don’t miss a step.

Conclusion

The Digital Markets Act (DMA) presents a significant opportunity for web development and digital agencies. By adapting to its standards, you can guide your clients in creating platforms that prioritize user privacy and data security and give users control over their data. Such an approach centers on user rights, fostering trust as end users feel confident that their personal information is secure and their preferences are respected.

Collaborating with legal and compliance experts is key in this process, ensuring that websites and apps comply with DMA regulations while fostering a secure and transparent online environment. This method of building trust is particularly crucial in a digital market where user confidence can greatly influence a platform’s success.

Artificial intelligence (AI) is at the forefront of the world’s technology evolution and influencing the transformation of the data protection and user privacy landscape. But the application of AI in various industries has also raised important questions about consent and what it means in the context of organizations’ ever-growing need for data, and in increasing applications of AI.

In this article, we delve into the nuances of President Biden’s Executive Order on safer AI and the European Data Protection Supervisor’s (EDPS) General Privacy Agreement (GPA) resolution on generative AI, comparing these two landmark initiatives and their impact on data privacy.

Understanding artificial intelligence

Artificial Intelligence, commonly referred to as AI, is a branch of computer science that simulates human intelligence in machines. These machines are programmed to think like humans and mimic their digital actions and thus be capable of learning, reasoning, problem-solving, perception, and understanding natural language.

AI has immense potential across various industries, from healthcare and education to transportation and entertainment. It can enhance operational efficiency, boost productivity, and drive innovation. AI is steadily becoming an integral part of our everyday life, transforming the way we work, live, and interact.

The intersection of AI and data privacy

While AI promises numerous benefits, it also poses significant challenges, particularly in the realm of data privacy. AI systems typically rely on vast amounts of training data to learn and make decisions. To date, much of this data has been found to have been accessed and used without the consent of those who created or published it, raising critical questions about user privacy and data protection.

The need for consent management in AI

Consent management is crucial in AI as it enables obtaining and managing user consent for data processing, like in training data sets. Given the scale and complexity of data processed by AI systems, consent management plays a pivotal role in ensuring that user data is handled responsibly and ethically.

Consent management solutions, including privacy policies, also help ensure that users who become data subjects are adequately informed about what data of theirs is to be used if they consent, for what purposes, who will have access to it, and other details required by many global data privacy laws.

President Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence

In October 2023, President Biden issued an Executive Order aimed at fostering the safe, secure, and reliable development and use of AI in the United States. This initiative emphasizes the crucial role of federal agencies in setting standards, issuing guidance, and monitoring AI use to safeguard business and societal interests.

Although the Executive Order doesn’t directly regulate the private sector, it influences business processes by setting expectations through federal contracts and standards set by agencies like the National Institute of Standards and Technology (NIST). Therefore, the impact of the Executive Order is likely to be significant and far-reaching.

The European Union and United States have adopted a new Data Privacy Framework (DPF) to govern data privacy and international data transfers.

The European Data Protection Supervisor’s (EDPS) General Privacy Agreement (GPA) Resolution on Generative AI

The GPA resolution on generative AI issued by the EDPS aims to uphold data protection principles in the context of AI. It provides comprehensive guidelines for managing risks associated with AI, ensuring that AI technologies are developed and used in a manner that respects user privacy and data protection and does not violate human rights law in any way that is unfair, unethical or discriminatory.

The GPA resolution is instrumental in shaping AI governance by promoting responsible innovation and ensuring the rights of individuals. It calls for a unified, safe, and reliable approach to AI, emphasizing the importance of transparency, accountability, and fairness. It also requires that AI be designed, developed and deployed in ways that are responsible and trustworthy, based on the principles of transparency, data protection, privacy, human control and democratic values.

Legal principles guiding AI development and systems

The resolution also mentions that legal principles are the core elements of consideration for the development, operation and deployment of AI systems. These principles are:

  1. Data processing must have a legal basis that is lawful in accordance with applicable regulation(s), even if the data is publicly available.
  2. Data processing in an AI system shall have a specific, explicit and legitimate purpose.
  3. Data minimization requires limiting the collection, sharing, aggregation, retention and further processing of personal data.
  4. Data processed must be accurate, reliable and representative.
  5. Adequate transparency measures must be implemented to ensure the openness of the generative AI tools.
  6. Reasonable and effective security measures must be implemented and maintained.
  7. Privacy by design and default requires developers, providers and deployers of AI systems to carefully assess the envisaged processing activities, risks they may pose for the data subjects, possible measures available to ensure compliance with data protection principles and the protection of individual rights.
  8. Data subjects must be informed of their rights and how to exercise them.
  9. Those building, running, or using output from AI systems shall be responsible for and must be able to demonstrate compliance with applicable national regulations and international agreements.

Comparing President Biden’s Executive Order and the EDPS’s GPA Resolution

Both President Biden’s Executive Order and the EDPS’s GPA resolution underscore the need for safe and responsible AI. They emphasize the importance of data protection, user privacy, and consent management, highlighting the role of regulatory authorities in ensuring ethical AI practices.

While both initiatives aim to promote responsible AI, they differ in their approach. President Biden’s Executive Order is more focused on setting guidelines and standards for AI development, while the GPA resolution emphasizes the implementation of data protection principles in AI.

Implications of new regulatory initiatives on AI data privacy

Advancements in data privacy

The initiatives by President Biden and the EDPS represent significant advancements in data privacy with regards to AI. They set clear guidelines and standards for AI development and deployment, promoting responsible innovation and safeguarding user privacy.

The role of consent management platforms (CMPs) in AI initiatives

In the context of AI, consent management platforms play a critical role in helping to ensure data privacy. These platforms help manage user consent for data processing, enabling compliance with data protection regulations and fostering trust with users.

Looking ahead: The future of AI and data privacy

As AI continues to evolve, so does the landscape of data privacy. Future advancements in AI will necessitate further enhancements in data protection and user privacy measures, underscoring the importance of consent management.

Regulatory authorities will play an increasingly crucial role in shaping the future of AI and data privacy. Their guidance and regulations will be instrumental in ensuring that AI technologies are developed and used responsibly and ethically.

President Biden’s Executive Order and the EDPS GPA resolution mark significant milestones in the evolution of AI and data privacy. Both initiatives not only underscore the importance of data protection and user privacy in AI but also highlight the critical role of consent management in ensuring ethical AI practices. As we move forward, these initiatives will continue to shape the landscape of AI and data privacy, promoting responsible innovation and safeguarding user interests.

A number of new privacy regulations were passed in 2023, and some passed earlier came into effect. Even more will do so in 2024, or enforcement will begin. Possibly even more influential, regulatory requirements for large tech companies will have substantial data privacy trickle-down effects on third parties that rely on their platforms and services for audience, data and revenue.

AI will surely become more regulated, and the focus on it has also further heightened consumers’ awareness of access to and use of their data. Some changes that will be coming as a result of the aforementioned regulations and business requirements will also bring welcome improvements to the consumer landscape, with more transparency, competition, innovation and consumer choice.

Let’s look at some of what we can expect in data privacy in 2024.

2024 in data privacy regulations and business

A number of the laws passed in the US in 2023 will come into effect in 2024, substantially increasing the number of US states with data privacy regulations in place, with their associated requirements for businesses that process personal data.

There are several major data privacy regulations around the world that are expected to be finalized in 2024, bringing new protections to even more people, and adding additional protections in places like the European Union (EU).

Technologies that enable and enhance privacy (privacy-enhancing technologies, or PETs) will also likely take center stage, with website data privacy policies starting to be seen as pillars for building user trust, promoting transparency, and aligning with corporate social responsibilities.

Once regulatory enforcement begins for new laws like the Digital Markets Act, we will likely see rapid and significant changes in the operations of big tech companies, and in smaller companies that rely on those platforms. Data privacy protections are poised to cover more of the world’s population than ever before. Will it be 75% of people by the end of the year, as Gartner has predicted?

Data privacy in the United States

Eight US states passed data privacy legislation in 2023, and laws in five of those states will come into effect in 2024:

14 of the 50 US states now have data privacy regulations in place, though in 2023 40 states tabled privacy legislation, many not for the first time. Expect to see even more data privacy laws make it to governors’ desks in 2024.

Progress remains slow to stalled on federal data privacy legislation in the US. However, developments like generative AI and its uses are getting a lot of attention and scrutiny, including on the data privacy front, so it’s possible peripheral topics like that may provide stronger motivation for a broader federal data privacy law in the US.

Data privacy in Canada

Bill C-27 sets out the Digital Charter Implementation Act, 2022, which would bring a new framework for governing personal information access and use in the private sector. The bill is currently before committee and could be passed in 2024. It would bring the Consumer Privacy Protection Act (CPPA) into effect and replace the PIPEDA regulation, which is over 20 years old.

The Digital Charter Implementation Act would also include the Personal Information and Data Protection Tribunal Act, which would set up an administrative tribunal to review some decisions from Canada’s Privacy Commissioner, and impose penalties for CPPA violations.

The Act would also help to address the expansion of AI influence and applications with the Artificial Intelligence and Data Act (AIDA), which would help to regulate trade and commerce in AI systems using a risk-based approach. Any new AI regulations or frameworks would need to have a focus on data privacy, especially for consumers.

Data privacy in Australia

Federally, Australia has had the Privacy Act since 1988 (with additional state and territory laws). An overhaul has been expected for some time, though it was most recently amended in 2022. The Privacy Act Review Report with 116 recommendations was released in February 2023, and some high profile data breaches in recent years will likely add more pressure to enhance data privacy and protections for the country’s citizens. Look for greater change in 2024.

ePrivacy Regulation in the EU

In the European Union, the ePrivacy Directive (ePD) has been in place since 2018, as long as the General Data Protection Regulation (GDPR). But the ePrivacy Regulation (ePR), which would repeal the ePD, has lagged. The EU has since passed other laws with data privacy elements in recent years, including the Digital Markets Act, and the AI Act is likely to be passed in early 2024.

The ePR would establish, among other things, clearer rules on cookie usage, and regulate newer electronic communications services not covered by the ePD, like WhatsApp or Facebook Messenger. However, with a 24-month transition period, if finalized in 2024, it wouldn’t be fully in effect until 2026.

Regulation of artificial intelligence (AI)

The European Union’s AI Act, the first of its kind, is expected to be finalized in early 2024. In addition to providing new rules, guidelines, and prohibitions about the development and application of AI in the EU, it’s likely to have significant influence on similar laws in other countries, just as the GDPR did when it came into effect.

US President Biden also signed an executive order on safer AI in October 2023, which will also influence further developments in the space.

Digital Services Act Package

We covered the Digital Services Act Package and its two laws, the Digital Services Act (DSA) and Digital Markets Act (DMA) in our 2023 recap. Some requirements with the laws were in place in 2023, but enforcement will begin in early 2024.

These laws require compliance from designated big tech companies, and will mean they also need to put compliance pressure on third-party customers and partners, which could have a much greater effect on privacy compliance, especially for smaller organizations — particularly in the EU — than regulations like the GDPR have to date. One example is Google’s requirement that publishers use a certified consent management platform supporting the TCF 2.2 and Consent Mode.

Watch for substantial changes beginning in 2024 that will affect consumers’ options and affect business operations and competitiveness in digital markets, including the adoption of consent management platforms (CMP) to enable privacy compliance and consent signaling.

The future of “pay or ok”?

With ongoing data privacy challenges in the EU, and in response to the Digital Markets Act (DMA) under which it’s been designated as a “gatekeeper”, Facebook and Instagram parent company Meta announced plans for a new subscription model for users to access Facebook and Instagram, nicknamed “pay or ok”.

In the EU, EEA and Switzerland, Facebook and Instagram users would be able to sign up for a paid monthly subscription to these platforms where they won’t receive advertising. Users who choose not to pay will be shown ads, and their personal data will be collected and used, e.g. for ad personalization.

However, in late 2023 multiple groups, including the European Consumer Organisation (BEUC), filed complaints against Meta over the proposed subscription offering, arguing it was unfair and another attempt to circumvent EU laws. Look for this case to evolve in 2024 and to be watched closely by other big tech companies.

Conclusions and how to embrace data privacy

Probably the best keyword for what to expect in data privacy in 2024 is: acceleration. So much was begun in 2023 that will continue to roll out or will influence new legislation, business requirements, technology and consumer expectations.

Data privacy is becoming critical to doing business and protecting both brand reputation and revenue. Companies are waking up not only to the risks of noncompliance but also to the opportunities of protecting data and respecting user privacy. Expect data privacy in the mobile space, for example, to continue to heat up in 2024.

In some regions, businesses are finding it necessary to comply with multiple regulations, which is challenging, especially for SMEs that have limited resources. But this is the new normal, and isn’t as scary as it may seem. Usercentrics is here to help, and our solutions are designed to be user-friendly, reliable, and especially to scale as your company grows, your tech stack changes, and as regulations evolve.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Data privacy definitely ramped up globally in 2023. More regulations were passed, and consumers continued to become more savvy and concerned about access to and use of their personal data. The app industry started to take notice and realize that privacy compliance wasn’t an onerous legal requirement, but a potentially massive revenue opportunity.

Perhaps most of note, however, is that impetus to achieve privacy compliance has started to shift and a greater push is coming not from governments, but from businesses. Laws like the Digital Markets Act (DMA) will affect big tech companies like Alphabet, Facebook and Amazon.

Millions of businesses use those companies’ platforms and services to sell products, collect user data, advertise, and more. If the big tech companies are required to comply with DMA obligations, they will require third parties that rely on them for reach and revenue to comply as well. This hits a lot closer to home than, for example, headlines about “The Biggest GDPR Fine Ever!”

AI has also been an ever-present topic in 2023, with reactions running the full gamut from giddy excitement to alarmist. It’s been good to see that people seem to be aware of and talking about the data privacy issues of AI training, particularly, and laws to regulate AI development and use are already in the works. The EU should have their AI Act finalized in early 2024.

Let’s have a look at what was new and in the news in data privacy in 2023.

2023 in data privacy regulations and business

This year several long-awaited data privacy regulations came into effect, and many were passed that will come into force in the coming years. 2024 looks to become an even bigger year for regulation and enforcement, accompanied by increasing B2B expectations of businesses for their partners and customers.

Laws targeting big tech also got a lot of attention, and it will be very interesting to see how that plays out in the market and their effects on competition and innovation. Regulation of AI, which also brings significant data privacy concerns, will also continue to grow.

Let’s look at where new privacy laws were passed in 2023.

Data privacy in the United States

The United States passed more data privacy laws than any other country in 2023, but that’s because they are still passed state by state. To date the country still doesn’t have a federal-level data privacy law. 14 states of 50 (there’s also the District of Columbia, Puerto Rico, etc.) have now passed data privacy legislation.

California is the only state with two active laws, the California Consumer Privacy Act (CCPA) having come into effect in 2020 and the California Privacy Rights Act (CPRA) having come into effect in 2023.

40 US states introduced privacy legislation in 2023. In many cases these were repeat attempts. Eight states actually passed new data privacy laws, which their respective governors signed into law:

The laws in Montana, Florida, Texas, Oregon and Delaware come into effect in 2024. Iowa and Tennessee’s laws come into effect in 2025, and Indiana’s doesn’t come into effect until 2026.

*Florida is not always listed among states that passed “comprehensive data privacy laws”, as there are fairly significant restrictions to organizations it affects. It’s also called a “Digital Bill of Rights” and not a “Privacy Act”. For example, only companies with a billion dollars or more in revenue have to comply, and it targets companies operating app stores or digital platforms.

All of the US states that have enacted privacy laws to date have used an opt-out consent model, which means that in most cases users’ data can be collected without having to obtain their consent first. This differs from the opt-in or “prior consent” model used in many of the world’s data privacy laws.

Data privacy in Canada

Canada has not updated their federal data privacy law recently, as Bill C-11, which would have become the Consumer Privacy Protection Act, did not pass in 2021. PIPEDA, which is over 20 years old, remains in effect. In the province of Québec, however, the majority of the provisions of Law 25, which was passed in 2021, came into effect in September 2023. The law brings a variety of data privacy and protection requirements for organizations. A number of its provisions resemble privacy laws in Europe more than those in the US.

Data privacy in Switzerland

Switzerland already had a data privacy law, but it was 30 years old, so the Swiss Federal Data Protection Act (FADP), which came into effect in September, is a much needed update. The FADP has some differences from the General Data Protection Regulation (GDPR). For example, consent or a legal basis is required in fewer instances. But the two laws largely align, as a major goal of the FADP is enabling the flow of business between Switzerland and the European Union, as Switzerland is not a member of the EU.

Data privacy in Saudi Arabia

The Saudi Arabia Personal Data Protection Law (PDPL) came into force after an amendment in September 2023. Compliance enforcement will begin in September 2024. The PDPL follows a prior consent model, and organizations that have achieved GDPR compliance will have done most of the work necessary to comply with the Saudi law.

Data privacy in India

India enacted the Digital Personal Data Protection Act (DPDP Act) in August 2023, replacing relevant provisions from existing laws from 2000, 2008 and 2011. The DPDP Act generally follows laws like the EU’s GDPR, and requires prior user consent for data collection in many cases, though “legitimate use” exceptions can be invoked.

EU-U.S. Data Privacy Framework

After being without an adequacy agreement since 2020, the EU and US came to agreement on the EU-U.S. Data Privacy Framework in July. This framework helps to ensure data protection with international data transfers between the two regions. It brings seven core principles:

Digital Services Act Package

The European Commission enacted the Digital Services Act (DSA) and Digital Markets Act (DMA), with some designations and provisions coming into effect in 2023, and more to come in 2024.

Digital Services Act (DSA)

The Digital Services Act (DSA) targets a wide array of digital intermediary services, particularly designated very large online platforms (VLOPs) and very large online search engines (VLOSEs) with 45 million or more monthly active users in the EU. The law imposes a number of strict requirements to address societal risks associated with the operation of these platforms. The Act aims to create safer digital spaces and protect users’ rights. It also assigns new responsibilities to VLOPs and VLOSEs for content published and protection and respect for user data.

Digital Markets Act (DMA)

The Digital Markets Act (DMA) primarily focuses on fostering a fair and competitive digital market in the EU, “leveling the playing field” so to speak. It includes provisions to enable smaller companies to better compete against dominant tech players, which it designates as “gatekeepers”: Alphabet, Amazon, Apple, Bytedance, Meta and Microsoft.

The law requires more openness and transparency from the gatekeepers, giving smaller players access to more data about audiences and algorithms. Data portability requirements will also benefit consumers and be one of the changes that may help spur competition and innovation.

The DMA also introduces additional data privacy requirements. Some gatekeepers have already begun passing down privacy compliance requirements to third parties that use their platforms and services, e.g. Google requiring implementation of a certified consent management platform supporting the TCF 2.2 and Consent Mode.

Google’s certified CMP requirements

In 2023 Google initiated changes and made several announcements that will have significant effects on its customers’ operations. Beginning in January 2024, publishers and developers using Google AdSense, Ad Manager or AdMob must use a Consent Management Platform (CMP) partner that’s Google-certified and integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF).

This is required if they want to continue serving ads to users in the European Union (EU), European Economic Area (EEA) and/or the United Kingdom (UK). Usercentrics CMP is Google-certified and integrates the TCF 2.2 as well as Consent Mode v2.

Conclusions and what’s to come in 2024

A number of the laws passed in 2023 will come into effect in 2024, or enforcement will begin. This will no doubt cause a privacy compliance scramble for some organizations. Other companies will continue to evolve their data privacy strategies and solutions to maintain compliance as their tech stacks change and their businesses grow.

Several countries have been working toward updating or passing data privacy legislation, and it is likely that will conclude in 2024, in Australia, for example. It’s increasingly likely the ePrivacy Regulation will come into force next year as well in the EU. The United States gained momentum with state-level privacy laws this year, which we expect to continue, especially as more states table updated legislation.

The EU’s AI Act should be finalized by January 2024, and will be the first of its kind, likely to have significant influence on future similar regulations, much as the GDPR has had since coming into effect in 2018.

Business-centered laws like the Digital Services Act and especially the Digital Markets Act are expected to catalyze significant changes in European digital markets, which may well have strong global ripple effects on data privacy, but also in transparency, competition and innovation.

The way we travel has changed dramatically in recent years. Traveling is an offline experience, but the business of travel has increasingly become digital. The global online travel market is projected to reach close to US $1,464 billion by 2027, up from US $800.72 billion in 2021.

Booking flights and hotels through websites and apps is just one way the travel and tourism industry has gone online. We use digital tools like search engines and social media networks to look for the perfect holiday destinations while sharing our travel experiences on blogs and social media platforms. The data we create has become essential for the travel and tourism industry to tailor services, deliver exceptional experiences and reach potential customers through targeted online marketing efforts.

The increase in data creation — and collection by companies — in all industries over the years has resulted in data privacy laws being enacted around the world to safeguard user privacy. Among these is the Digital Markets Act (DMA), which aims to regulate large tech platforms and tackle concerns around competition, consumer protection, and user privacy. The regulation impacts users in the European Union (EU) and European Economic Area (EEA), as well as businesses that collect data from users in these regions. For the travel industry, the Digital Markets Act means new opportunities to attract and retain customers, and changes in how companies handle user data.

We explore how the travel industry uses customer data, the impact of the Digital Markets Act on the industry, and how travel companies can get ready to comply with the DMA regulation’s requirements.

Travel industry bouncing back to pre-pandemic levels

The travel industry, severely impacted by the COVID-19 pandemic, is projected to bounce back with a strong resurgence in domestic leisure travel by 2024, according to the U.S. Travel Association. Air travel in many regions had already returned to pre-pandemic levels by fall 2023. The World Tourism Organization reports the first quarter of 2023 already saw international arrivals reach 80% of pre-pandemic levels worldwide.

Both the industry and travelers are eagerly trying to make up for lost time. Europe saw a resurgence of 90% of pre-pandemic travel levels, with strong demand from travelers within the region itself. Travel and tourism are forecasted to directly contribute to 17.4 million jobs in Europe by 2028.

The industry spans a range of businesses that impact every aspect of travel for consumers:

The role of data in the travel industry

Travel companies gather and use data at every stage of the customer journey, from researching destinations to leaving reviews when the trip is done.

Flight choices, favorite destinations, hotel preferences, what they like to eat when they travel, and even the devices they use to book their trips all provide valuable insight into what makes each traveler unique.

This amount of knowledge enables companies to build travel experiences that meet customers’ preferences and needs.

Customer data makes a real impact on travel companies’ operations and revenue streams.

Enhancing customer experience and improving loyalty

Knowing a customer’s preferences can help companies proactively offer upgrades, amenities or services that appeal to the customer. When data reveals a guest often chooses rooms with a view or special services, a hotel might offer a complimentary upgrade to a scenic suite or include a spa package to personalize the stay. This targeted approach can make guests feel valued and foster loyalty.

Forecasting demand

Businesses can analyze booking records and current search trends to predict upcoming surges in interest for specific destinations or types of travel and plan accordingly. For example, if an airline notices a consistent increase in bookings for seaside destinations during certain months, they can anticipate this demand and adjust prices early to balance customer interest and price sensitivity with profitability. Forecasting demand can also help marketing teams adjust their strategies on account of fluctuations based on seasonal travel trends.

Targeted marketing and promotions

Access to detailed customer data enables companies to create focused marketing campaigns. For example, if a travel agency identifies customers who frequently book adventure travel packages, they can specifically target these customers with promotions for upcoming trekking expeditions or off-the-beaten-path travel deals.

The impact of the Digital Markets Act on the travel industry

Data helps travel businesses personalize and connect with customers effectively. As travel companies suggest destinations and create custom itineraries, they rely on insights from this data to advertise effectively and make offers that stand out.

However, with enforcement of the Digital Markets Act in the European Union and European Economic Area, the rules of the game are about to change.

The DMA introduces a set of rules and obligations for large online platforms, which the European Commission has designated as gatekeepers under the regulation, and which act as intermediaries between businesses and consumers. While travel businesses may not directly fall under its scope, many rely on the gatekeepers’ platforms for data, analytics, advertising, audience access, and more, so requirements of gatekeepers become requirements of these third parties. There are several key provisions of the DMA that will have a direct impact on their operations.

Data transparency in digital markets and platforms

The Digital Markets Act’s emphasis on transparency is set to have a great impact on how travel services are marketed and delivered. Gatekeepers are now required to share information about their ranking systems as well as ad performance data, enabling businesses that advertise to carry out their own independent verification of the ads’ performance.

This shift provides a number of opportunities to travel businesses.

The DMA’s transparency requirements also extend to data practices, and gatekeepers must clearly communicate how they gather data and why they use it. Travel businesses that use gatekeepers’ platforms will also have to examine their data practices and introduce a clear, transparent privacy policy that details their use of cookies. Such clarity can foster trust with customers, with the added benefit of potentially deepening customer loyalty for platforms that handle data responsibly.

Transparency challenges for the travel industry

The requirement for transparency brings its own set of challenges, particularly for smaller travel companies, which may find it daunting to interpret the detailed information available from gatekeepers. Adapting to transparent ad performance data could require additional resources in the form of tools or staff to stay on top of campaign analysis and optimization. The need to stay competitive might lead to a rapid change in offers and services, demanding agility and flexibility from travel businesses. This could require additional resource investments by small businesses, which could create a financial burden.

Impact of data access and portability for travel companies

Under the Digital Markets Act, there are specific provisions that reinforce users’ rights to access and move their data (aka data portability). While travel businesses themselves may not be directly regulated by the DMA, their interactions with regulated gatekeepers might require them to adopt similar data portability functionalities. This may compel travel companies to make changes to their technical infrastructure that enable customers to transfer their personal and preference data to competing services.

For instance, a travel business that tracks website performance through Google Analytics 4 or advertises on Meta’s platforms may find that customers, using their new rights under the DMA, request their data profiles to move to a competitor’s service. Although the travel company isn’t a gatekeeper and thus not directly subject to the DMA, it must still be capable of honoring such requests since it uses a core platform service that is mandated to provide portability.

For travelers, the ease of data transfer could simplify a decision to switch services, which may drive travel companies to offer more functions, more competitive pricing, better customer service, and overall enhanced experiences in an effort to retain loyalty.

Mobile app data portability challenges for the travel industry

Travel businesses must be proactive in developing or adopting technology that can handle these data movements and comply with broader DMA-inspired expectations, regardless of whether they are immediately subject to the regulation’s rules.

The data portability requirement of the Digital Markets Act extends to mobile applications as well, impacting how travel companies manage user data on these platforms. Adapting to data portability for mobile apps means ensuring that users can easily transfer their data, such as travel preferences, reviews, or booking history, from the app to other services. This could involve implementing features that enable users to download their data in a user-friendly format or establishing secure protocols for transferring data to another service upon user request.

Moreover, as app users become more aware of their data rights, they might increasingly expect such functionality. Travel businesses that proactively upgrade their mobile apps to facilitate data portability can therefore not only comply with the DMA but also position themselves as customer-centric, potentially leading to higher user retention and loyalty.

Developing and maintaining these tech systems can be complex and costly, especially for smaller businesses. Customers may also become less dependable as repeat customers if it becomes easier for them to switch to different services. This means travel companies may have to find more innovative ways to improve the customer experience to retain customers.

Impact of data privacy and user rights provisions on travel businesses

The Digital Markets Act requires gatekeepers to obtain explicit consent from users before processing their personal data. They must also disclose what the data will be used for, how long it will be stored, and how it may be shared. Generic consent is not enough. Consent must be obtained for each specific use. These requirements are in line with the provisions of the General Data Protection Regulation (GDPR), which travel companies must comply with when it comes to data from users in the EU.

One of the big changes with the DMA is that businesses can’t combine customer data from different platforms to create customer profiles without customers’ specific consent. Travel businesses might collect user data — with valid, explicit consent — from multiple digital platforms. For example, an airline may use its own website and an online booking platform to issue tickets, as well as Google Ads for pay-per-click advertising campaigns and YouTube or social networks for destination marketing campaigns. All these platforms generate data, whether that’s search and browsing history or booking details.

The DMA’s restriction on combining user data from different platforms gives travelers more power over their data, which should lead to better privacy and fewer unwanted sales emails. When travelers do get offers from companies, they’re more likely to be about something they’re actually interested in.

Data privacy challenges for the travel industry

For the travel industry, the challenges are tangible. Failure to comply won’t result in fines or penalties under the DMA for companies that are not designated gatekeepers, but it can result in penalties under the GDPR and restriction from accessing gatekeepers’ platforms. The loss of ad revenue, for example, could be as bad as a hefty fine.

Businesses will also have to adopt data management strategies to ensure that data from different platforms is not combined for profiling without explicit user consent, and that some is not combined — or even collected — at all, like that belonging to minors. In addition, if third-party vendors or partners handle data that originates from the business’s platform, they must vet these companies’ data policies to ensure they align with the DMA’s requirements.

It is increasingly common under data privacy laws that data controllers and any third-party data processors they work with must have contractual agreements in place about processing operations and data security and privacy activities.

Companies will also have to rethink their marketing strategies, which have traditionally leaned on extensive data analytics and customer profiling, and find new ways to give travelers the personal touch without stepping on their privacy. Increasingly, “zero-party” data is the gold standard, as this information comes directly from consumers, and includes their expressed preferences, interests, and consent choices.

Consented data helps travel and tourism businesses make better decisions and plan more effectively. The relationship between consent rates and business performance is straightforward. Higher consent rates result in richer, more valuable data for analysis.

Consented data not only enables businesses to tailor their services to individual preferences, but it also signals to customers that their preferences are valued and taken into account. This can lead to higher customer satisfaction rates, stronger customer loyalty, and more repeat business.

Marketing campaigns also benefit substantially from consented data. When travelers agree to share their data, travel companies can create offers that match what they know travelers are interested in and can afford. With more travelers giving consent, companies can plan their online ads and social media activities to connect with the right people on the right platforms, which can lead to spending their marketing budget more wisely.

Leveraging different consent rate levels from travelers

Travel businesses can strategically adapt to varying consent rates, tailoring their data usage and marketing strategies accordingly.

High consent rates

With more data, travel websites and apps can achieve deep personalization in their customer acquisition strategies.

For example, when a user consents to share their data with an online travel agent, the agent can track the user’s search patterns, such as the destinations they search for or the type of accommodations they prefer. This information can be used to display tailored pay-per-click (PPC) ads.

The campaign might also use retargeting strategies. If a user visited the online travel agent’s website and looked at a beach retreat but did not book, they could be shown a PPC ad saying, “Still Thinking About the Beach? Click for an Exclusive Winter Wellness Package.”

With higher consent rates, the travel company can continuously gather and analyze user data, which enables optimization of keywords, ad copy and bidding strategies, resulting in ads that resonate more with potential customers.

Moderate consent rates

At moderate consent levels, segmentation becomes key. Although the level of personalization may not be as deep as with high consent rates, travel businesses can still segment their audience based on available demographic information, location and observed behavior, and then tailor their marketing to these segments to acquire new customers.

For example, if a hotel identifies a segment interested in local culture and events, it can create content like a “Cultural Weekend Getaway” package that includes accommodation and tickets to a local museum. This targeted approach would place the hotel’s promotional content on the feeds of those whose social media behavior aligns with an interest in cultural activities and encourage bookings from individuals looking for a culturally enriched stay.

Low consent rates

Even with minimal consent, travel companies can analyze aggregated and anonymized data for broad data trends without knowing personal details.

For example, if the aggregated data for an airline shows that a significant number of users access the website via mobile, they can optimize their website for mobile usage, which is a critical SEO factor. This could include creating a responsive design, ensuring fast page load times, and providing sophisticated search functionalities to ensure users can easily find flight options, increasing the site’s usability and search engine ranking.

Strategies to optimize consent rates

Travel companies can make their consent process transparent and straightforward to foster trust and encourage more customers to share their data.

Demonstrate value: Travel businesses should be transparent and share information with customers about how their data will be used. They can explain how it makes it easier for them to share flight deals or hotel stays that are relevant for the customer, which can encourage customers to share more.

Improve the consent experience: Make the process of giving valid consent as easy as possible, which can help increase the number of customers who agree to share their data. This could involve using consent mechanisms that are user-friendly and easy to understand, such as a well-designed cookie consent banner that’s written in simple language.

Gain trust: Use design principles that give users a real choice in whether to give or decline consent. Doing so can demonstrate that you value their data and don’t use dark patterns or manipulative tactics to coerce them into sharing their personal information with you.

How travel businesses can get ready for the Digital Markets Act

Follow updates to gatekeepers’ requirements

Some of the gatekeeper companies — including Alphabet (Google) — have begun to require businesses using their platforms to make certain changes or updates that focus on user privacy in line with the DMA’s provisions.

Google, for example, requires companies that collect data from users in the EU, EEA and/or UK and use its platforms to comply with its EU User Consent Policy or find themselves suspended from the platforms. Companies that use Google’s ad platforms to serve ads to traffic from the EU, EEA and/or UK must specifically use a Google-certified CMP as of January 16, 2024 if they want to continue serving personalized ads to visitors in these regions. As a result of both these requirements, travel companies will have to obtain explicit user consent under the GDPR to collect personal data, which is also the standard of consent under the Digital Markets Act.

Meta has added a paywall for users in the EU, EEA and Switzerland, with the option to pay a monthly fee so their personal data isn’t used for advertising. Users who choose not to pay will have their data collected and processed for personalized ads. Travel companies that advertise on Meta’s platforms (Facebook and Instagram) will have to alter their paid marketing strategies to reach a relevant audience.

As communication around DMA requirements is an ongoing process, travel companies should regularly monitor news and updates from gatekeepers and regulatory bodies to stay updated on the steps they’re required to take. They can get ready for the DMA by implementing the changes required by the gatekeeper platforms to continue using the platforms without interruption.

Use a consent management platform to obtain valid consent

Travel businesses preparing for the Digital Markets Act should prioritize securing valid consent under the regulation. The DMA’s transparency obligations mean travel companies need clear privacy policies and easy-to-understand cookie consent banners. These banners should be straightforward, informing customers about the data being collected and how it will be used, to ensure that any consent given is informed and voluntary.

Using a consent management platform (CMP) like Usercentrics CMP makes collecting valid consent easy for businesses. Usercentrics simplifies the process by providing customizable consent banners that adjust to the user’s location, adhering to local data privacy regulations. It integrates seamlessly with popular content management systems (CMS) such as Adobe Experience Manager, Shopify, WordPress, Duda, BigCommerce and PrestaShop. It also integrates with popular services such as Adobe, Microsoft, HubSpot, and Google’s suite of services to ensure seamless compliance across platforms.

In addition to collecting consent on web browsers, Usercentrics App CMP fully supports your travel booking mobile apps built on iOS, Android, React and Flutter.

Conduct regular data privacy audits

Companies should establish periodic internal audits concentrating on data protection impact assessments (DPIA). These audits serve to scrutinize how the company handles user data, checking that storage, processing, and sharing procedures comply with the current standards set by the Digital Markets Act at the time.

By routinely evaluating these practices, travel businesses can adapt to any changes in the regulation, or to the advent of future regulations, so that their data handling aligns with the applicable requirements at each audit point.

Enhance data management processes

Travel companies managing customer data across various platforms must develop a meticulous data management approach. This strategy should be capable of handling information across different systems while prioritizing the privacy of travelers and adhering to legal standards. User data must remain confidential and secure at each stage of the process, from collection to storage to use.

Seek legal expertise

Businesses should enlist the help of legal professionals and/or privacy experts well-versed in data protection laws, such as a Data Protection Officer (DPO), to navigate privacy regulations effectively. These experts are adept at identifying specific risk areas within a company’s data handling processes and providing concrete recommendations to enhance compliance in strict accordance with evolving privacy laws including DMA privacy compliance.

With Consent Mode, Google has provided a solution for businesses to customize how Google tags behave on their website related to ads and analytics cookies based on users’ consent status.

How does Google Consent Mode work?

By pairing the Consent Mode API with the Usercentrics Consent Management Platform (CMP), advertisers can indicate whether the user has given consent for cookie usage related to ads and/or analytics.

The supported Google tags will respect this signal and adjust their behavior accordingly, only using cookies if consent was granted for the specific purposes.

Figure: Google Consent Mode, tag behavior based on consent (Source: Google)

Which Google services support Consent Mode?

The following tools and services currently support Consent Mode. As this list will change over time, it’s important to regularly review website infrastructure, marketing tools, and data processing operations to ensure all functions and data privacy compliance activities are kept up to date.

✔ Google Analytics
✔ Google Analytics 4
✔ Google Ads (Google Ads Conversion Tracking and Remarketing)
✔ Floodlight
✔ Conversion Linker

Google’s support documentation provides more information about Consent Mode for websites and apps.

Google also supports the IAB TCF v2.2 framework with its ad systems. Consent Mode is meant to be used by advertisers that are not using a consent management platform implementation integrated with and supporting the TCF v2.2. Usercentrics CMP is a Google-certified CMP, which is a requirement to serve ads with Google services in the EU/EEA and UK.

Google Consent Mode with Usercentrics CMP: Implementation example

Implementing Google Consent Mode with the Usercentrics CMP solution as alternative to prior blocking requires just two steps:

Read Usercentrics’ full Google Consent Mode documentation for more information.
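As an added example of the consent-signalling flow described above (written for this page, not code from Google or Usercentrics), the JavaScript below shows a minimal Consent Mode v2 sequence: a denied-by-default declaration before any Google tag loads, then an update derived from a constructed CMP decision object. The `gtag()` shim and `dataLayer` stand in for the browser globals so it runs offline; the `{ marketing, analytics }` decision shape is an assumption, not any CMP’s real API.

```javascript
// Added example (not Usercentrics' or Google's code): how Consent Mode v2
// signals reach Google tags. The gtag() shim and dataLayer mimic the browser
// globals so this runs offline; the "decision" object is a constructed
// stand-in for whatever a CMP reports after the user interacts with the banner.

const dataLayer = [];
function gtag() {
  // The real gtag() pushes the `arguments` object itself, not an array.
  dataLayer.push(arguments);
}

// The Consent Mode v2 storage types that supported Google tags consult.
const CONSENT_TYPES = [
  'ad_storage',
  'ad_user_data',
  'ad_personalization',
  'analytics_storage',
];

// Step 1: before any Google tag loads, declare "denied" for every type.
// Tags then run cookieless until an update arrives (no prior blocking needed).
function setConsentDefault(waitForUpdateMs = 500) {
  const defaults = {};
  for (const t of CONSENT_TYPES) defaults[t] = 'denied';
  // wait_for_update asks tags to hold for up to N ms for the CMP's update.
  defaults.wait_for_update = waitForUpdateMs;
  gtag('consent', 'default', defaults);
  return defaults;
}

// Map a CMP decision (constructed shape: { marketing: bool, analytics: bool })
// to per-purpose signals. The three ads-related types follow the marketing
// purpose; analytics_storage follows the analytics purpose. Anything that is
// not an explicit `true` stays denied, so a missing purpose never grants.
function consentSignalFromDecision(decision) {
  const signal = (flag) => (flag === true ? 'granted' : 'denied');
  return {
    ad_storage: signal(decision.marketing),
    ad_user_data: signal(decision.marketing),
    ad_personalization: signal(decision.marketing),
    analytics_storage: signal(decision.analytics),
  };
}

// Step 2: once the user decides in the banner, push the update command.
function applyConsentDecision(decision) {
  const signal = consentSignalFromDecision(decision);
  gtag('consent', 'update', signal);
  return signal;
}

// What the tags will see: the latest value per type across default + updates.
function effectiveConsent() {
  const state = {};
  for (const cmd of dataLayer) {
    if (cmd[0] !== 'consent') continue;
    const params = cmd[2];
    for (const t of CONSENT_TYPES) {
      if (t in params) state[t] = params[t];
    }
  }
  return state;
}
```

The point to check in a real deployment is ordering: the `default` command must be pushed before the Google tag snippet executes, otherwise the tag starts with no consent state at all.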

Conclusions and the future of Google Consent Mode

As more data privacy regulations are passed around the world and as consumers only become more aware of their rights and the use of their data, smart solutions for consent will become ever more important.

Google continues to build on, evolve and integrate products and services to enable privacy compliance and consent management. Companies using their products for advertising, analytics, and more should be sure to regularly review their operations and ensure their implementations are up to date. This will help enable continued privacy compliance with regulations, get the valuable data companies need for marketing operations, and build trust and engagement with users.

The Digital Markets Act (DMA) is a regulation aimed at protecting user privacy and creating fair competition among digital companies. While the act primarily applies to users in the European Union (EU) and/or European Economic Area (EEA), its influence promises to be felt worldwide. Any global enterprise brand with a user base in these regions from whom it collects personal data must pay close attention to the Digital Markets Act. It presents both challenges and new avenues for growth and competitive differentiation.

We explore the implications of the Digital Markets Act for global enterprise brands, the role of consent in gathering compliant data, and the concrete steps enterprises should take to get ready for the regulation.

The Digital Markets Act and gatekeepers

Gatekeepers under the Digital Markets Act are companies that meet certain financial and audience thresholds laid out by the European Commission (EC). They also own and operate what have been designated as core platform services that businesses use to reach their audiences. These large tech companies must fulfill these criteria for three successive financial years.

Companies that meet these requirements don’t automatically become gatekeepers. They are designated as such by the EC, which named six companies as gatekeepers in September 2023, added another in May 2024, and may add more over time.

The DMA’s compliance rules and potential penalties specifically target gatekeepers. Global brands and enterprise companies, however large, don’t fall under the purview of the Digital Markets Act if they aren’t designated gatekeepers.

However, this doesn’t mean they can disregard the regulation, as inevitable changes in the digital marketplace will affect all businesses that rely on the gatekeepers’ core platform services.

The seven gatekeepers and 23 core platform services (CPS) designated by the European Commission. (Source: European Commission)

Potential impact of the Digital Markets Act (DMA) on global enterprise companies

The regulatory changes aimed at gatekeepers will potentially echo through global digital markets, potentially reshaping business models, partnerships, consumer spending, and competitive dynamics.

Impact of data portability

The DMA’s emphasis on data portability may require global enterprise brands to be more flexible in enabling customers to move data to other platforms. Even if these brands aren’t directly regulated by the Digital Markets Act, their interfaces with gatekeepers might necessitate this functionality, affecting their technical and compliance requirements. Data portability is also a key user right under many other data privacy regulations around the world.

The data portability requirement also presents opportunities, as it removes some of the friction that keeps users tied to one service. This makes it easier to attract consumers who want to move to another platform. It also incentivizes companies to improve their products, pricing, and customer care to keep customers happy and prevent churn.

Impact of interoperability

The Digital Markets Act encourages gatekeepers to ensure their systems and data are interoperable with those of competitors and business partners. One of the most immediate benefits is that non-gatekeepers could face fewer technical barriers, resource commitments, and costs to integrating their services or apps with those of gatekeeper platforms.

Interoperability can also be a catalyst for innovation. If a company knows that it can easily integrate with another platform, it might be more willing to invest in new, innovative features, knowing that these can be readily adopted at scale. It can also let companies significantly expand their offerings to attract new customers with less investment up front.

Impact of transparency

The mandate for gatekeepers to offer transparent information about ad performance metrics could significantly influence decision-making for global enterprise brands. With more transparent data, these brands can make informed choices about how and where to allocate resources to their advertising and overall business strategies.

Further, the open sharing of ad performance metrics can offer enterprises real-time insights into the effectiveness of their campaigns, enabling brands to optimize their strategies quickly, without resorting to a trial-and-error approach.

Impact of restrictions on combining user data

Gatekeepers are restricted from combining users’ personal data from a core platform service with personal data from any other service, whether operated by the gatekeeper or a third party, unless they have obtained explicit consent from users. (This is still prohibited for minors and if it would involve sensitive personal data.) This can significantly affect the business operations of global enterprise brands, particularly in how they analyze customer behavior, personalize marketing strategies, and optimize products.

These constraints limit the capacity to aggregate data across different touchpoints, such as mobile apps, websites, and third-party platforms, to create a comprehensive customer profile.

Despite the challenges, these restrictions can also serve as an opportunity for brands to reassess and bolster their data privacy and data governance policies. Brands might turn to data minimization strategies, focusing only on the most essential pieces of data needed to achieve their goals. They might also look at new approaches to reaching their audience, including adopting consent-based marketing techniques.

Impact of consent requirements

Using a core platform service to reach an audience may require global enterprise brands to obtain explicit user consent more frequently. This necessitates robust mechanisms to acquire and store consent in a verifiable manner, as well as to be able to signal it to gatekeepers.

However, upholding consent requirements also offers benefits. One notable advantage is improved customer trust. When a brand clearly states how it uses customer data and secures explicit consent, it sends a powerful signal to its customer base that it values and respects their privacy. Enabling granular consent makes consumers feel like they have control over how their data is used. This can be a distinguishing factor that sets a brand apart in crowded markets.

Collecting data based on explicit user consent can also result in higher quality data because users who opt in are more engaged and interested in the brand’s products or services and having input into their offerings and communications, leading to more effective marketing campaigns.

When it comes to data collection, the Digital Markets Act — via gatekeepers’ likely requirements of third parties relying on their platforms — requires a level of responsibility from businesses. One area that demands attention is user consent, which defines the legality and can influence the quality of data gathered. It also sets the tone for user/enterprise interactions. The most desirable and potentially valuable data is consented, granular, high quality, and aligned with privacy regulations.

Under the Digital Markets Act, consent is valid per the GDPR’s specifications when it is freely given, specific, informed, and unambiguous. Global enterprise brands must obtain explicit or opt-in consent from users in the EU/EEA prior to collecting and processing personal data.
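The requirements above (explicit opt-in, consent that is specific to a named purpose and tied to the notice the user saw, storage in a verifiable form, withdrawal, a signal that can be passed downstream, and the ban on combining data across services without a separate consent and never for minors or sensitive data) can be made concrete in code. The following is an added example written for this article; it is not Usercentrics CMP code and not the format any gatekeeper actually requires. The purpose names, the record fields, the HMAC-protected hash chain and the signal layout are all assumptions made for illustration.

```python
"""Explicit, granular, verifiable and revocable consent records (added example).

Not Usercentrics code and not a real gatekeeper API. Purpose catalogue, record
fields, the hash-chained log and the downstream signal layout are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Assumed purpose catalogue: each purpose is consented to on its own ("specific").
PURPOSES = frozenset({"analytics", "personalized_ads", "cross_service_combination"})


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purposes: tuple          # purposes this event grants or withdraws
    granted: bool            # True = opt-in, False = denial or later withdrawal
    explicit_action: bool    # the user actively clicked; pre-ticked/implicit never counts
    notice_version: str      # which privacy notice the user saw ("informed")
    timestamp: str           # ISO-8601 string supplied by the caller


def is_valid_opt_in(ev: ConsentEvent) -> bool:
    """GDPR-style validity check: explicit, unambiguous, specific, informed."""
    return (
        ev.granted
        and ev.explicit_action                # unambiguous, affirmative opt-in
        and bool(ev.purposes)                 # at least one named purpose
        and set(ev.purposes) <= PURPOSES      # only catalogued purposes, nothing vague
        and bool(ev.notice_version)           # tied to the notice the user was shown
    )


class ConsentLedger:
    """Append-only log. Each entry hashes the previous entry and carries an HMAC,
    so later edits, deletions or reordering are detectable ("verifiable manner")."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self._entries: list[dict] = []
        self._prev = "0" * 64

    def append(self, ev: ConsentEvent) -> dict:
        if ev.granted and not is_valid_opt_in(ev):
            raise ValueError("refusing to record an invalid opt-in")
        payload = json.dumps(asdict(ev), sort_keys=True)
        digest = hashlib.sha256((self._prev + payload).encode()).hexdigest()
        mac = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {"payload": payload, "prev": self._prev, "hash": digest, "mac": mac}
        self._entries.append(entry)
        self._prev = digest
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; any tampered entry breaks it."""
        prev = "0" * 64
        for e in self._entries:
            digest = hashlib.sha256((prev + e["payload"]).encode()).hexdigest()
            mac = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
            if e["prev"] != prev or e["hash"] != digest or not hmac.compare_digest(mac, e["mac"]):
                return False
            prev = digest
        return True

    def current_purposes(self, user_id: str) -> set:
        """Replay the log: a later withdrawal overrides an earlier grant."""
        active: set = set()
        for e in self._entries:
            ev = json.loads(e["payload"])
            if ev["user_id"] != user_id:
                continue
            if ev["granted"]:
                active |= set(ev["purposes"])
            else:
                active -= set(ev["purposes"])
        return active

    def may_combine_across_services(self, user_id: str, is_minor: bool, sensitive: bool) -> bool:
        """Cross-service combination needs its own explicit consent and is never
        permitted for minors or for sensitive data, as the article describes."""
        if is_minor or sensitive:
            return False
        return "cross_service_combination" in self.current_purposes(user_id)

    def consent_signal(self, user_id: str) -> dict:
        """Constructed downstream signal (assumed layout, not a real gatekeeper format)."""
        active = self.current_purposes(user_id)
        return {"user_id": user_id, "purposes": {p: (p in active) for p in sorted(PURPOSES)}}


if __name__ == "__main__":
    # Constructed sample events: a grant, then a withdrawal of one purpose.
    ledger = ConsentLedger(mac_key=b"constructed-demo-key")
    ledger.append(ConsentEvent("u1", ("analytics", "cross_service_combination"), True, True,
                               "notice-2024-03", "2024-03-06T10:00:00Z"))
    ledger.append(ConsentEvent("u1", ("cross_service_combination",), False, True,
                               "notice-2024-03", "2024-04-01T09:00:00Z"))
    print(ledger.current_purposes("u1"), ledger.consent_signal("u1"), ledger.verify())
```

Two design points matter for an audit: the ledger refuses to record a grant that is not an explicit action, so a pre-ticked box can never become a stored consent, and the current state is always derived by replaying the log rather than stored separately, so a withdrawal cannot be silently lost. The HMAC key would live in a secrets store in a real deployment; here it is a constructed value.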

The varying levels of opt-in consent rates have distinct implications for business performance and marketing personalization, each offering its unique set of opportunities and challenges.

Low opt-in rates

When fewer people opt to have their data collected, the amount of consented data available is limited. This creates a bottleneck for marketing teams. They have fewer opportunities to segment their audience, which makes it challenging to offer many personalized experiences.

The result is generic marketing messages, lower click-through rates on ad campaigns, and low engagement and high unsubscribe rates from email campaigns.

But while the dataset may be small, it’s not irrelevant. Businesses can still analyze this data and identify any commonalities among the users who have opted in to get value out of the limited dataset.

For instance, if most opt-ins for a global enterprise brand are from a particular country, they can consider geo-targeted promotions to this interested audience, while simultaneously taking steps to improve their overall opt-in rates in other markets.

Medium opt-in rates

When opt-in rates are at a moderate level, businesses find themselves with a valuable middle ground. They possess a larger dataset that is both compliant with privacy regulations and rich enough to begin nuanced marketing initiatives. Since a larger number of people have agreed to share their data, businesses can better tailor their ads, messages, and offerings.

For example, a multinational media streaming service could analyze viewing history data from its opted-in user base to identify preferences for certain types of shows or genres. Using this information, the service could create custom playlists or featured content sections that reflect these preferences, enriching the user experience and increasing content consumption rates.

This type of personalization moves beyond general recommendations, offering a more targeted approach that speaks to individual tastes.

High opt-in rates

A high level of opt-in consent gives a business an expansive, high-quality dataset to work from. Businesses can implement AI and machine learning algorithms that consider hundreds of customer attributes. For instance, a global retailer could use AI to predict stock needs based on historical trends and real-time sales data from various locations around the world, offering location-specific promotions or flash sales.

Businesses can also identify cross-selling or upselling opportunities by analyzing purchase histories and customer interactions. A global software company could recognize that customers who purchased a basic software package often upgrade to a premium service after six months. Accordingly, they can send targeted promotional material for the premium service at the five-month mark.

Ways to gather high quality data while complying with the Digital Markets Act

Under the Digital Markets Act, gatekeepers and global enterprise brands can’t adopt a “growth at all costs” mentality. Instead, they need to align their data collection methods with the regulation to protect user privacy while also maintaining data quality.

Use a consent management platform to obtain compliant consent

To streamline the process of collecting user consent across multiple languages and locations, global brands can implement a website consent management platform (CMP) like Usercentrics CMP. It not only simplifies data management for websites with multi-language and multi-regulation requirements, but also offers integrations with major enterprise software, such as Adobe, Microsoft, HubSpot, and Google products, including Google Ads, Google Analytics, Google Search Console, and Google Tag Manager. This built-in compatibility enables a seamless compliance process across technology platforms.


Usercentrics CMP also comes equipped with a geolocation feature that automatically displays region-specific consent banners, thereby aligning with local data protection laws around the world.

Companies looking to set up or switch to a CMP to get ready for the Digital Markets Act get a 14-day free trial of the Usercentrics CMP.

Be transparent about data practices

People are more willing to give their consent if they know exactly how their data will be used. Global enterprise brands should regularly evaluate their privacy and cookie policies, and, if necessary, update them. The policies should be easy to find, both on the website and within or via the consent banner. They should be written in comprehensive and simple language and must clearly specify the types of data being gathered, the purposes for its collection, the duration of its storage, and the parties that may have access to it.

Perform regular data privacy audits

Data privacy laws and regulations are always evolving, and the Digital Markets Act is no exception. In fact, the European Commission has publicized the DMA timeline well beyond the date it came into effect. Article 53 (1) states that by 2026 — and every three years thereafter — the EC will evaluate the DMA regulation and determine whether it needs to modify its rules and obligations. As noted, the list of gatekeepers will also be reviewed.

Global enterprise brands should schedule regular internal audits that focus on data protection impact assessments (DPIA) to evaluate how user data is processed, stored, and shared. This will help ensure that data practices are aligned with the DMA’s rules, even if they change.

Consult legal and data protection professionals

No enterprise should do it alone. Professional advice is indispensable when it comes to interpreting complex laws and developing a sound readiness plan, especially for a global enterprise company that must adhere to data protection laws around the world. Companies should consult qualified legal counsel, and employ a Data Protection Officer (required by law in some regions) to oversee data protection and privacy compliance operations.

The Digital Services Act package was developed by the European Commission to address an array of concerns about the dominance and influence of big tech companies, the competitive landscape and data privacy. The Digital Services Act and Digital Markets Act, two regulations included in the Digital Services Act package, came into effect in November 2022. These Acts cover digital platforms and services, and the markets they power, in the European Union and European Economic Area. It does not matter if the companies affected are headquartered elsewhere if they have operations and users in the EU.

European companies are familiar with digital regulation and data privacy initiatives by now, with the General Data Protection Regulation (GDPR) in force since 2018, along with additional regional and national laws that have been passed.

But the digital landscape, especially for businesses, is different in the US. There is no federal-level data privacy law and the first state-level law was only implemented in California in 2020. Over a dozen more states have followed since, but US data privacy laws have, to date, followed a different model than is used in Europe and many other countries. US laws tend to use an “opt out” model, where user consent to collect and process personal data is not required in many cases. Consumers’ consent only needs to be obtained to share, sell or use personal data for other business purposes, or, in some cases, to collect specific kinds of data.

So what do the Digital Services Act (DSA) and Digital Markets Act (DMA) mean for US companies? For businesses that don’t have European operations, don’t use the identified core platform services, and don’t collect and process the personal data of EU residents, the regulations may not apply directly with regards to factors like consent management.

However, there could be plenty of indirect effects, including influence on pricing of services or imports as EU companies work to manage and recoup the cost of compliance requirements, like investment in IT and staffing.

Additionally, in digital markets, users and customers can be anywhere in the world, as more companies than ever before are global, and the gatekeepers, VLOPs and VLOSEs most certainly have global reach. So there is a strong likelihood that many companies will need to be prepared for DSA and/or DMA compliance by March 6, 2024, when enforcement begins, or before, depending on requirements handed down by gatekeepers to third parties using their platforms.

What are digital services and markets?

For the purposes of these regulations, digital services include large categories of services online that companies and consumers access. They range from basic websites, to tools like search engines, to massive online platforms for social networking, ecommerce, and more. They also include the infrastructure services that help drive the digital ecosystem.

Many of these platforms and services function as intermediaries between consumers and companies. Consumers use these platforms for everything from posting photos and listening to music, to selling crafts, buying clothes, or booking travel. Many companies around the world use these platforms to access these audiences, to sell them products and services, show them ads, to access their personal data, and for other reasons.

Digital markets are the commerce-centric side of this ecosystem, centered around businesses that are dominated by the largest players with enormous audiences, reach, data processing operations and revenues.

Companies that want to advertise with Google or Facebook, sell on Amazon, get their apps into Apple’s App Store, etc. want access to digital markets, which are to a considerable degree controlled by gatekeeper companies today. The Digital Markets Act aims to address concerns with the control these companies have in the EU and EEA and potential effects on stifling competition and innovation.

What is the Digital Services Act (DSA)?

The Digital Services Act — the regulation that lends its name to the Digital Services Act package — focuses on a wider range of digital intermediary services than the Digital Markets Act does (that law primarily targets only six influential “gatekeepers”). The DSA is aimed at very large online platforms (VLOPs) and very large online search engines (VLOSEs). The law imposes strict requirements on them, aiming to address risks to consumers and society posed by their operations, as well as protect and enhance consumers’ rights, including those of minors and with particular regard for data privacy.

Beyond the VLOPs and VLOSEs, the DSA applies to all digital services that connect consumers to content, goods and services online. Digital platforms have new obligations to assess and counter risks, reduce harms, protect users’ rights online, and meet broader transparency and accountability responsibilities in their European operations. These rules are meant to be uniform across the EU and provide new and additional protections to users and clear responsibilities and legal certainties to companies.

There have been growing concerns in the EU regarding the size and influence of online platforms at a societal level, particularly with regards to political discussions and election information, disinformation and the dissemination of fake news, and the spread of hate speech.

The goal of the DSA is to make online spaces safer and protect consumers’ and users’ rights by making VLOPs and VLOSEs more responsible for content published and shared via their platforms and services. While requirements of the law are only applicable in the EU and EEA at present, as most of the companies affected are US-based, it’s possible for required changes to influence operations more globally over time, especially as data protection and privacy laws are passed in more countries.

Which companies were designated as Very Large Online Platforms (VLOPs) under the Digital Services Act?

On April 25, 2023, the European Commission designated the following 17 companies as VLOPs under the DSA, companies with more than 45 million monthly active users. Zalando is based in Germany. Alibaba’s AliExpress and TikTok (parent company ByteDance) are Chinese-based. The other 14 companies are based in the United States, but with global reach. These US companies are significantly affected by the DSA and/or DMA.

Facebook and Instagram are both owned by Meta, and Google Play, Google Maps, Google Shopping and YouTube are all owned by Alphabet. LinkedIn is owned by Microsoft. Wikipedia is the only organization on the list of VLOPs that is a nonprofit. Apple, Alphabet and Microsoft are, as of 2023, the three most profitable companies in the world. While the regulations are European, their effects will be felt by the largest and most influential tech companies in the world, based in the United States.

All seven of the companies designated as gatekeepers to date under the Digital Markets Act are included in the VLOPs list: Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta and Microsoft. Booking.com was designated a VLOP under the DSA before it was designated a gatekeeper under the DMA.

Which companies were designated as Very Large Online Search Engines (VLOSEs) under the Digital Services Act?

Also on April 25, 2023, the European Commission designated two search engines, also with at least 45 million monthly active users, as Very Large Online Search Engines (VLOSEs):

Both these products come from US-based companies as well. Google Search is another Alphabet product, and Bing is owned by Microsoft. Google has by far the largest global share of the search market, somewhere between 80%+ and 90%+, depending on the reporting source. Bing, by contrast, tends to be reported as having, at most, a little over 9% of the market. Yahoo and Baidu come in as numbers 3 and 4, swapping places depending on the source. Baidu is the most popular search engine in China. Of the four, Baidu is the only non-American offering.

Digital Services Act (DSA): Companies targeted and compliance requirements

The companies with the targeted online platforms were required to publish their active user numbers by February 17, 2023. User numbers are a key metric to determine digital platforms’ reach and VLOP/VLOSE designation — more than 45 million active monthly users, or 10% of Europe’s population.

Those companies had four months to comply with DSA obligations. One of those obligations was carrying out the first annual risk assessment and providing the European Commission with the information.

This involved identifying, analyzing and working to mitigate a wide variety of systemic risks. Such risks included amplification of disinformation on their platforms and services, the presence and dissemination of illegal content, as well as impacts on media freedom and freedom of expression. There are also concerns about more specific risks online, which is where the mitigation requirements are focused. These include groups and areas like the protection of minors and especially their mental health, and addressing gender-based violence.

Designated platforms and search engines are also required to have risk mitigation plans, which are subject to European Commission oversight and independent auditing.

These issues continue to grow around the world, not just in Europe, so there would be significant future value to expanding the mitigation requirements for digital platforms in the EU to the US and elsewhere where these companies operate.

Which undesignated companies are affected by the Digital Services Act?

Under the DSA, companies in the US need to be familiar with and prepared to meet compliance requirements if they:

How are undesignated companies affected by the Digital Services Act?

Companies affected by the DSA need to invest in and have processes in place for functions like:

These functions can be very challenging, especially at scale, and can require significant financial, legal and resource investment. So it makes sense, once built out and maintained, to leverage the investment more broadly internationally, especially as these efforts can also increase user trust and safety, safeguard against violating other laws and drawing authorities’ scrutiny, and ultimately benefit businesses as they create a more secure online environment for their users and the growth of their business.

How are consumers affected by the Digital Services Act?

The DSA will affect pretty much anyone active online in the EU/EEA, and the implications are generally considered positive.

Empowering users

Users will gain a better understanding of why certain content is suggested to them, and they can opt out of profiling. This shift toward centering users’ rights enables individuals to challenge platform decisions on the content they serve and service access.

Online safety

The DSA places a strong focus on ensuring online safety for users. Digital service providers are responsible for preventing illegal content from being published and disseminated on their platforms, and illegal products or services from being sold. Hate speech, misinformation and promotion of illegal products or services need to be removed and prevented from spreading. Users can expect safer digital environments and less exposure to harmful content.

Accountability and transparency

Users get clearer policies from platforms and for their services, including information on AI and human roles. Platforms also have to notify users of significant changes in terms, apply rules fairly, and respect users’ rights and freedom of expression in content moderation (while still controlling for hate speech, misinformation, etc.).

More transparent and user-centric advertising

The DSA strengthens user rights with regards to digital advertising. Under the DSA, companies are restricted from targeting ads based on sensitive data, or at minors. It requires clear labeling, disclosure of promoting companies, and explanations for ad targeting. Users need to be able to clearly distinguish between sponsored and regular content.

Reduction in illegal content

The DSA’s main objective is to reduce illegal content online, ranging from threats and hate speech to sale of counterfeit goods and unlawful materials. The law aims to make digital platforms safer and curtail harmful textual content or products.

How will the Digital Services Act be enforced?

Multiple entities will be involved in DSA enforcement, what is being referred to as a pan-European supervisory architecture. The European Commission is the competent authority for supervision of the designated platforms and services. The Commission will also work closely within the supervisory framework with the Digital Services Coordinators. The national authorities are responsible for supervising smaller platforms, search engines, etc., and need to be ready to do so by February 17, 2024 (the same date as for compliance obligations).

The Commission has launched the European Centre for Algorithmic Transparency (ECAT), which will provide assessment support like whether algorithmic systems are meeting risk management obligations. The Commission is also bringing together expertise from a number of relevant sections to create a digital enforcement ecosystem to address evolving challenges. Should the US decide to enact comparable laws in the future, by then the Commission and EU authorities will have built out a robust and replicable model of enforcement and management.

What is the Digital Markets Act?

The Digital Markets Act is a regulation that applies to large tech companies operating in the European Union and European Economic Area. It aims to improve fairness, encourage innovation, and foster competition with smaller digital companies. It requires increased transparency, data sharing, and platform interoperability. It also increases user choice and data privacy.

Seven companies have been designated as gatekeepers by the European Commission, with specific obligations under the law. Five of the seven are US-based. Booking.com has already been added to the original list of six companies, and more changes are likely over time. The Commission has also identified 23 core platform services (CPS) owned and operated by these companies, including search engines, social networking platforms, advertising services, and more. These services have millions of third-party business customers in the EU and globally that rely on them for advertising, analytics, audience access, ecommerce, etc.

The DMA law creates new responsibilities for the gatekeepers to enable greater transparency and a more competitive landscape with smaller companies using their platforms and services, and that collect and process user data in the EU. DMA enforcement began on March 6, 2024 for the original six designated gatekeepers. Booking.com was added in May 2024, and will have until November 2024 to comply with the law. The gatekeepers also have to provide better access to data generated on their platforms and enable better portability and interoperability, which will benefit both third-party companies and consumers. The DMA also has provisions for data protection and user privacy, which include and extend requirements of the GDPR.

What are the requirements of the Digital Markets Act?

The Digital Markets Act levies a variety of requirements on the gatekeepers, some of which will directly affect third parties, and some of which will have more relevance to consumers.

Interoperability and non-discrimination

Gatekeepers will have to ensure greater interoperability of their platforms and services with those of smaller third parties, including integrations, communications, and data flow. Gatekeepers can’t favor their services or those of preferred partners over other companies. Non-discrimination obligations require all companies doing business with gatekeepers to be treated fairly, with equal access to services and data, and without being disadvantaged by algorithms, etc. All of these requirements are to foster greater innovation and competition.

Data access and portability

Data generated and stored on gatekeepers’ platforms must not only be more accessible to third parties in real-time, but users must have access to their data, by request, in a portable format to enable transferring it from one platform to another.

Profiling and transparency

There are new restrictions and prohibitions on profiling on gatekeepers’ platforms. This is the practice of compiling data on consumers — often from multiple sources — to more accurately categorize them by demographic information, interests, and other factors that better enable companies to target specific audience segments.

Gatekeepers must provide clear, audited descriptions of the profiling techniques used on consumers. This includes purpose, duration, and potential impacts of profiling. Data from multiple gatekeepers’ platforms cannot be combined for profiling purposes, however.

Steps taken to obtain user consent and options to deny or withdraw consent must also be included. These requirements help to ensure that consumers are educated about how their data is used, and know what their rights are and how they can control access to it. Profiling of minors, or profiling using sensitive data, is prohibited under the Digital Markets Act.

Because of consent requirements, gatekeepers will have requirements for third parties using their platforms to obtain valid consent from users and provide them with information about data processing.

Privacy and consent

The Digital Markets Act introduces restrictions on the legal bases that gatekeepers can use to process personal data — these are also required by the GDPR — and puts a focus on the legal basis of obtaining explicit user consent in many cases. This aligns with the evolution of consent marketing.

Since user data, once collected, usually becomes part of an ecosystem, gatekeepers not only need to obtain consent, but ensure that companies using their platforms and services do as well, and that they’re able to signal consent to the gatekeepers.

Which companies are designated gatekeepers by the Digital Markets Act?

As of May 2024, the seven gatekeeper companies as designated by the European Commission are:

Of these companies, only two are not American: ByteDance, which is based in China, and Booking.com, which is based in the Netherlands. While the US operations of these companies may be reluctant to adopt the DMA requirements for US business operations, it’s not hard to see why doing so would be an attractive prospect for US-based third-party companies using their platforms, as it could provide significant competitive advantages. It would also be attractive for US-based online consumers, who would benefit from greater control over their online activities, better privacy protections, access to innovative new products and services, and lower prices.

Which non-gatekeeper companies are affected by the Digital Markets Act?

While not all of the gatekeepers have announced measures or requirements of third parties, the DMA effect will be on companies that:

While some of these affected companies may be EU-based only, it’s quite likely that the new rules will affect many US-based companies with EU operations and customers.

How are non-gatekeeper companies affected by the Digital Markets Act?

Again, while not all of the gatekeepers have announced new requirements for companies that rely on their platforms and services, changes are likely. While relevant third-party companies should already have consent management solutions in place to comply with the GDPR and/or other laws, not all of them will yet, and so this is likely to be a significant requirement.

Affected companies will need to be up to date on their data processing activities, including what data is collected, where, and by what means. This is an important step for all companies, even separate from privacy law compliance. They’ll need to ensure that they provide the required notifications to users and mechanisms to exercise their rights, whether that’s consenting to data use, or changing, withdrawing, or rejecting it.

Companies will need to be careful how they use data, to ensure they do not use sensitive data, data from minors, or data from multiple platforms for prohibited purposes, like potentially profiling or retargeting. Similar requirements apply under a number of US privacy laws as well, so companies can benefit from looking into global compliance with stricter laws that may then protect them from other international laws that get passed.

Companies may also need to ensure their own interoperability with other platforms and services, and ensure that users can transfer their data to and from them. A particular consideration here is where data gets stored, as there are concerns under a number of laws about international data transfers, and with many of these US-based large tech companies, data centers may be located outside of the EU.

Most excitingly, third-party companies need to be ready to take advantage of the requirements for increased transparency and competitive opportunities with the gatekeepers, and to embrace the access to data, operating information, and potential access to smarter strategies and even larger audiences to spur innovation and competitive advantages in digital markets. It’s entirely possible new strategies and tactics that benefit these companies in the EU could be rolled out in the US and elsewhere to spur further growth.

How are consumers affected by the Digital Markets Act?

From a data privacy perspective, the GDPR should already be providing many of the protections and options consumers get under the DMA. But the new regulation strengthens consumers’ rights to privacy and to controlling use of their data online. Consumers have the right to consent to data use broadly or at a granular level, to deny consent, withdraw it in the future, or change the uses to which they consent. These options must be provided by all companies wanting to use personal data online that belongs to users in the EU.

The DMA provides for fewer legal bases for access to consumers’ data, so consent becomes even more important. There are also more restrictions on the ways that companies can use data to target users for advertising and other sales or marketing purposes.

EU consumers will see more options and freedom in their use of digital platforms and services, and more control over their experiences with them, e.g. the ability to remove pre-installed software. They’ll also be able to port their data to different services and apps more easily, making it easier to move one’s profiles and user history to new platforms or tools.

Users should also see more innovation in the platforms they use, and better prices, as innovation helps to lower costs, and increased competition forces companies to cater more to their audiences in order to retain them and grow. Consumers in other markets, particularly one the size of the US, may put pressure on tech companies for access to similar advantages once they become aware of benefits EU users have.

Conclusions and future implications of the Digital Services Act package for US businesses

The Digital Services Act and Digital Markets Act are still being figured out in terms of application, enforcement, and other considerations. Change is likely, and could include the lists of affected companies growing or changing, as well as the affected platforms and services and downstream effects on users.

We do know that the Digital Services Act package laws will affect US-based companies, even if they don’t affect US operations today. However, it would be reasonable to expect benefits from the investments to comply with these laws to trickle down, especially if they’re seen to benefit audience growth, competitive advantages, and revenue.

As we have seen with the GDPR and other laws, there are likely to be significant fines and penalties for companies that violate these laws, and over time affected companies will fall in line more to achieve compliance with the DMA and DSA. Companies will need to prioritize data protection and user privacy, and consent-based marketing can be expected to continue to grow in prominence and importance for companies that want to grow and maintain good relationships with their customers.


It may take time, but change in digital markets should come with increased transparency and encouragement of competition and innovation, which will benefit consumers and smaller companies, and force gatekeepers to work harder to provide platforms and services that people want, and not just rely on their size, revenues, lobbying power, and market dominance to stay on top. These changes are likely to have global effects, especially with the continued expansion of privacy law coverage.

As the GDPR has been influential on other data privacy laws around the world, it will be interesting to see what influence the Digital Services Act package has on digital markets and their regulation in the coming years.

The US is still significantly behind many other countries when it comes to data privacy and consumer protection. Companies adopting compliant consent management practices will also benefit from improved brand reputation and increased trust with their users, which will help to increase engagement and revenue long-term.