
The European Digital Markets Act (DMA) is a landmark piece of legislation aimed at promoting fair and competitive digital markets in the European Union. The DMA law sets out a framework for regulating large tech companies, known as gatekeepers, to ensure they do not abuse their market power and to protect user privacy and consent online.

This framework brings a significant shift for key players in ad tech – the gatekeepers – who will now be accountable for ensuring that the data they collect has proper user consent, whereas in the past this was the responsibility of the websites that used the gatekeepers’ services.

In this article, we’ll provide a Digital Markets Act summary, exploring the key provisions and the DMA’s impact on organizations and users in the digital space.

What is the Digital Markets Act or DMA law?

The Digital Markets Act (DMA), which came into force on November 1, 2022, is designed to impact competition – namely antitrust issues – consumer protection, and privacy in the digital sector by regulating large online platforms – the gatekeepers.

The DMA imposes restrictions on social networks, search engines, video-sharing platforms, operating systems, cloud computing services, and online advertising services owned by large digital corporations. Because they have a significant impact on the market, these gatekeepers are subject to specific obligations and restrictions to level the playing field for smaller businesses and protect user rights.

For users, it enhances privacy by imposing new data restrictions and allowing them to uninstall preloaded applications.

Benefits of the Digital Markets Act (DMA)

Innovators and technology start-ups will have new opportunities to compete and innovate in the online platform environment without having to comply with unfair terms and conditions limiting their development.

Consumers will have more and better services to choose from, more opportunities to switch their provider if they so wish, direct access to services, and fairer prices.

Businesses that depend on gatekeepers to offer their services in the single market will have a fairer business environment.

Gatekeepers will keep all opportunities to innovate and offer new services. They will simply not be allowed to use unfair practices towards the business users and customers.

Who are the gatekeepers under the DMA privacy law?

So, who exactly are the gatekeepers? The term gatekeepers refers to the big players in the digital market, such as online platforms and search engines, that have a significant impact on the market and act as intermediaries between businesses and consumers.

The seven gatekeepers designated by the European Commission (EC) under the DMA law are:

In its press release, the EC identifies ‌23 core platform services overseen by these gatekeepers:

DMA law: Gatekeepers’ obligations

Under the DMA, original gatekeepers had until March 6, 2024, to comply with the full list of do’s and don’ts to ensure fair competition and protect user privacy. As Booking.com was not designated until May 2024, it has until November 2024 to comply. These include avoiding unfair practices, providing transparent access to services, and sharing data with business users.

Gatekeepers’ reactions to the EC nomination

Google has already mentioned they plan to make changes, saying,

“Our goal is to implement modifications that align with the new regulations, while preserving the user experience and delivering valuable, innovative, and secure products for European users” (source: blog.google).

Microsoft accepted its gatekeeper designation, but requested to initiate an investigation into potentially exempting Microsoft’s services such as Bing, Edge, and Microsoft Ads from the DMA.

Apple and TikTok were less welcoming. Apple expressed ongoing concerns regarding DMA privacy and security risks associated with the DMA law (source: Reuters). In a statement, Apple emphasized its commitment to “mitigate these impacts and continue to deliver the very best products and services to our European customers.” TikTok said it “fundamentally disagreed with this decision” and was “disappointed that no market investigation was conducted prior to this decision,” adding it was considering its next steps.

Meanwhile, Meta, the parent company of Facebook and Instagram, launched an ad-free subscription model in Europe in October, “in response to a number of evolving and emerging regulatory requirements in the EU/EEA region”.

Interoperability and non-discrimination

Gatekeepers must ensure interoperability with third-party services, allowing them to communicate and integrate with the gatekeeper’s platform. This promotes competition and prevents gatekeepers from favoring their own services over those of competitors. Non-discrimination obligations ensure that gatekeepers treat all businesses and users fairly, without giving preferential treatment to their own products or services.

Data portability and access

Gatekeepers must enable users to transfer their personal data from one service to another, known as data portability. This allows users to switch between platforms and maintain control over their data. Gatekeepers are also required to provide real-time access to the data generated by users on their platform to businesses and third parties, upon request.

Transparency and profiling

Gatekeepers must provide a clear and audited description of the techniques used for profiling consumers on their platform. This includes information about the purpose, duration, and impact of profiling, as well as steps taken to seek user consent or provide options for denying or withdrawing consent. Transparency ensures that users are aware of how their data is being used and gives them greater control over their privacy.

DMA advertising: Pricing and measurement tools for advertisers and publishers

In addition to its focus on fair competition and user privacy, the DMA law also includes provisions related to DMA advertising. These provisions aim to ensure transparency and accountability in the advertising ecosystem. Two key articles in the DMA address the needs of advertisers and publishers:

Pricing information for advertisers and publishers

Under this article, gatekeepers are required to provide clear and transparent pricing information to advertisers and publishers. This ensures that all stakeholders have access to relevant information about advertising costs, allowing for informed decision-making and fair competition. Advertisers and publishers can rely on this information to plan and optimize their advertising strategies effectively. (Source: DMA recital 45; article 5.9)

Measuring and verification tools for advertisers and publishers

Article 6(g) of the DMA focuses on measurement and verification tools. Gatekeepers are mandated to provide advertisers and publishers with access to reliable and independent tools for measuring and verifying the performance of their advertising campaigns. This helps to establish trust and accountability in the advertising ecosystem, allowing stakeholders to assess the effectiveness and impact of their advertising efforts accurately. (Sources: DMA article 6.8; Annex A.1)

DMA advertising: impact beyond gatekeepers

While the Digital Markets Act (DMA) primarily targets the seven designated “gatekeeper” companies, it’s important to recognize that the impact extends beyond them. All companies operating digitally within the EU and relying on the platforms and services of these tech giants will also be affected.

For these companies, the DMA represents a significant wake-up call. It introduces the fundamental principle: no consent, no revenue. Compliance entails obtaining explicit consent from users before processing their personal data. However, the requirements go further. Gatekeepers are likely to demand that companies utilizing their services for advertising, e-commerce, analytics, and more adopt consent management processes that align with DMA regulations.

Non-compliance with the DMA poses a substantial financial risk for gatekeepers. Yet, third-party companies face equally significant consequences. Failing to comply could result in the loss of valuable data, audience, revenue, and brand reputation. Access to the user base, data, and services provided by gatekeepers such as Google, Meta, and others would be at stake.

The DMA has significant implications for user privacy and consent management. It introduces restrictions on the legal bases gatekeepers can rely on to process personal data, limiting them to specific legal grounds such as user consent, legal obligations, vital interests, or tasks in the public interest.

The DMA’s focus on obtaining explicit consent aligns with the principles of consent marketing, which emphasizes obtaining permission from individuals before using their personal information for marketing purposes. By requiring explicit user consent when processing personal data, the DMA safeguards user privacy and ensures that individuals have the power to decide how their data is used.


Relying on user consent

Gatekeepers must obtain user consent for processing personal data in certain cases, such as for online advertising purposes or combining personal data from different services.

The DMA law outlines requirements for obtaining valid consent, including informing users of the consequences of not giving consent and prohibiting deceptive practices (dark patterns) that manipulate users into giving consent.

Sharing personal data

The DMA mandates that gatekeepers share personal data with businesses operating on their platform and with advertising companies, upon request. This allows businesses to access and use user data to provide personalized services and targeted advertising.

However, gatekeepers must ensure that data sharing is done on fair, reasonable, and non-discriminatory terms, protecting user privacy and preventing misuse of personal data.

Data portability rights

One of the key provisions of the DMA law is the requirement for gatekeepers to enable data portability, allowing users to transfer their personal data to other platforms or services. This empowers users to exercise greater control over their data and facilitates competition by enabling users to switch between platforms without losing their data.

Transparency and user control

Transparency is a fundamental aspect of the DMA, ensuring that users are informed about how their data is processed and giving them the ability to make informed choices.

Gatekeepers must provide clear information about their profiling techniques and obtain user consent for targeted advertising. Users should have the option to deny or withdraw consent and should not be subjected to deceptive practices.


The DMA law requires gatekeepers to ensure that the websites and/or companies using their services collect, manage, and record user consent in a transparent and user-friendly manner. How gatekeepers will achieve this, and which legal and technical requirements they will define for advertisers, is yet to be determined.

However, we can already understand that users of gatekeepers’ services (e.g. websites, apps and the companies behind those) will play a pivotal role in collecting appropriate consents, even if they’re not the ones ultimately liable for DMA privacy compliance.

Consent management platforms (CMP) like Usercentrics CMP or Cookiebot™ consent solution are already indispensable for businesses to collect appropriate consents for data collection.

As an important part of the DMA privacy ecosystem and the owner of both consent management solutions mentioned earlier, Usercentrics will closely monitor future developments and work to ensure that our solutions remain in line with the implications of the Digital Markets Act (DMA) and other relevant legislation that may emerge or evolve.

Challenges and future implications

While the DMA law aims to protect user privacy and promote fair competition, it also presents challenges for gatekeepers and regulators. Gatekeepers will need to adapt their data processing practices, implement technical changes, and ensure compliance with the DMA’s provisions. Regulators will play a crucial role in enforcing the DMA and ensuring that gatekeepers adhere to their obligations.

Final thoughts: Digital Markets Act and the digital ecosystem

The Digital Markets Act represents a significant step towards protecting user privacy and promoting fair competition in the digital sector. By imposing obligations on gatekeepers and enhancing user control over personal data, the DMA law aims to create a more transparent and user-centric digital ecosystem.

As gatekeepers and regulators navigate the implementation of the DMA privacy law, it’s essential to strike a balance between competition, innovation, and user privacy rights.

We’ll make sure to keep you informed about DMA privacy changes as they happen. If you want to receive digital markets act summary updates on matters of consent management straight to your inbox, make sure to subscribe to our newsletter.


Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

The Google EU user consent policy is a component of online data privacy compliance requirements for businesses that use Google’s services in the European Union and European Economic Area. The policy aligns with the requirements set forth by two significant European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Additionally, the policy takes the Data Protection Act into account, which is the UK’s equivalent regulatory implementation to the GDPR.

Google introduced the EU user consent policy in 2015, with a significant update on May 25, 2018 when the GDPR came into force.

This policy is especially significant in digital advertising. For marketers and pay-per-click specialists, it sets the foundation for responsible data handling, ethical marketing practices, respect for user privacy, and building trust in digital markets.

We explore who the EU user consent policy applies to, what its requirements are, and how to take corrective steps if you’ve received a notice of noncompliance from Google.


The Google EU user consent policy applies specifically to data collected from end users located in the European Union (EU), European Economic Area (EEA), and/or the United Kingdom (UK), if the business collecting the data:

A common misconception is that businesses outside the EU, EEA and/or UK don’t need to comply with the policy. The EU user consent policy applies to end users located in these regions, regardless of where the business aiming to collect their data is based.

Google’s advertising and measurement products and services, including AdSense, AdManager, AdMob and Google Analytics Advertising Features, require businesses to meet the specifications of this policy.

Other Google products that fall within the scope of this policy, through their respective terms of service, are the Google Maps Platform, the YouTube API Services, reCAPTCHA, and Blogger.

The EU user consent policy impacts websites and apps that meet two specific criteria:

Google defines ads as personalized when they rely on previously collected or historical data to influence ad selection. This encompasses factors like a user’s past search queries, online activity, site or app visits, demographic details, and location.

If a website or app serves non-personalized ads using only contextual information, but uses cookies or mobile identifiers where legally required, this policy still applies.


Google has separate requirements under the policy based on who is collecting the data, which it defines as “properties under your control” and “properties under a third party’s control”.

If you use a Google product and this results in the sharing of a third party’s end-user personal data with Google, you must employ “commercially reasonable efforts” to ensure that the third party adheres to this policy.

For properties that are under your control, or under the control of an affiliate or client, Google has laid out several requirements.

1. Obtaining legally valid consent

Legally valid consent under the GDPR (Art. 7) means users must actively agree to the collection and use of their personal data. Under both the GDPR and the Data Protection Act, consent should be freely given, specific, informed and unambiguous (Recital 32). Explicit consent is valid consent under the applicable data privacy laws.

Learn how to obtain GDPR-compliant consent from users on our blog: 7 Criteria for a GDPR-compliant Consent

2. Retaining consent records

Businesses must keep detailed records of how and when consent was obtained from users. Google has specified that, at a minimum, this includes documenting the text and consent choices presented to users, and the date and time when users gave their consent.

3. Providing clear instructions for revocation of consent

Users must be informed about how they can withdraw their consent to receive personalized ads. Minimum expectations include having easy access to ad controls on the website or app, or through general settings provided by Google or on their device.

4. Identifying each party involved in data handling

The user consent policy mandates the identification of every party that has access to the user’s personal data as a result of using a Google product, including in the collection, reception, or use of personal data.

There must also be transparent and accessible information regarding how each party uses personal data.

Noncompliance with Google’s EU user consent policy carries significant consequences that affect both the operation of websites and apps and their broader legal standing.

Suspension of Google services or termination of agreement

Google reviewers regularly visit websites and apps that use its advertising services to assess whether they are providing clear information and obtaining proper consent as per the policy guidelines. If a website or app is found to be noncompliant, it will receive a notification from Google with a deadline to rectify these issues.

Failing to address the concerns within this period can lead to more severe measures. Google may suspend the noncompliant entity from using its advertising services, which can significantly affect its ability to generate revenue through these channels.

Websites or apps that have received a noncompliance notice must take corrective measures to comply with the policy. Among these measures is using a consent management platform (CMP), which can help you:

Legal and financial ramifications of noncompliance

Noncompliance with the EU user consent policy also poses a significant risk under the GDPR and/or Data Protection Act, including incurring substantial penalties for not obtaining compliant consent.

For first-time or less severe infractions, penalties can be as high as €10 million or 2% of the company’s global annual revenue for the preceding financial year, whichever is higher. For repeat violations or more severe breaches, penalties may escalate to €20 million or 4% of global annual revenue, whichever is higher.


In a move that specifically impacts digital advertising, Google announced on May 16, 2023 that publishers and advertisers using Google AdSense, Ad Manager, or AdMob must use a certified consent management platform that integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) v2.2 as of January 16, 2024 to serve ads to end users in the EU/EEA and UK.

A Google-certified CMP enables websites and apps to comply with the EU user consent policy’s requirements, including obtaining legally valid user consent, enabling revocation of consent, and disclosure about collection and use of personal data.

Usercentrics’ consent management platform (CMP) was among the first certified CMPs when Google launched its CMP Partner Program for Google Consent Mode in September 2022. All our CMP products—Usercentrics Web and App CMPs and Cookiebot CMP—are certified by Google for this purpose.

Here’s how Usercentrics CMP makes Google consent compliance simpler and more effective.

1. Simplifying consent collection

Usercentrics CMP streamlines securing legally valid end-user consent. It enables obtaining GDPR-compliant consent with explicit opt-in and granular consent mechanisms, and full consent banner customization.

2. Easy consent withdrawal options

Usercentrics CMP enables your website or app users to update or revoke their consent just as easily as they gave it. This aligns with the user consent policy’s specific requirement of consent withdrawal options for users.

3. Transparent data usage information

With Usercentrics CMP, you can identify, for each of your websites and apps, all parties that may collect, receive, or use personal data, and lay out how and why data is being used as per the policy’s requirements for sharing clear information about the use of personal data.

4. WordPress plugin and content management system (CMS) integrations

Usercentrics CMP offers seamless integrations, including a dedicated WordPress Plugin, which simplifies implementation and consent management for WordPress-powered websites.

Other CMS and ecommerce platform integrations include Adobe Experience Manager, Shopify, Typo3, among others.

Besides CMS integrations, Usercentrics integrates with a variety of ecommerce and marketing tools, such as Stripe, Zapier, and HubSpot. This simplifies managing consent across different websites and online services.

5. Google platform integrations

For businesses using Google products and services, such as AdSense, AdManager, AdMob, Google Analytics 4 (GA4), Google Consent Mode, and Google Tag Manager, Usercentrics CMP seamlessly integrates with these platforms. This makes it easy to set up and use without disrupting advertising campaigns and analytics.


6. Access to a partner network

For additional support, Usercentrics offers a global partner network that serves as a valuable resource for prospects and customers.

Connect with marketing agencies and legal service providers that implement, maintain, optimize and support the Usercentrics Web and App CMPs. This network provides an extra layer of support for navigating the complexities of data privacy compliance.

7. Free trial option

Curious about how Usercentrics CMP can help you continue using the Google products you love and depend on, while maintaining compliance with privacy regulations and Google’s own consent policy? What better way to explore our platform capabilities than through a free trial?

This 30-day trial period will grant you full access to all advanced features in the Starter Plan, as well as full access to ticket support, guides, and documentation. The trial expires automatically after 30 days so there’s zero risk and no commitment required from your side upfront.

8. Demos and consultations

If you’re looking for more in-depth information or personalized guidance, you can choose to book a demo or an expert consultation and have all your consent management questions answered. We want you to have a better understanding of how Usercentrics CMP can be tailored to your specific data privacy compliance and business requirements.

The easiest way to comply with the Google EU user consent policy, GDPR, and other privacy regulations is through a consent management platform. Use Usercentrics consent management platform (CMP) with your website or app to enable:

You can also create a privacy policy for your website or app easily through our dynamic privacy policy generator. With this integration with Termageddon, you’re able to set up your Privacy Policy, Terms of Service, and other policies in less than 30 minutes.

For more on how to generate comprehensive and easy to understand policies, check these additional resources:

For more support resources and implementation documentation, check our support page.

Explore the data privacy trends to look out for in 2024: how AI will play a role in the privacy landscape, the effect of the end of third-party cookies on marketers and how to optimize your data strategy with new limitations.


What you’ll learn

Who should watch

This webinar can benefit any organization that collects and manages user data for business purposes. The key takeaways are particularly relevant for:

ABOUT THE SERIES

Consented: Privacy and Trust in SaaS Partnerships

Consented: Privacy and Trust in SaaS Partnerships is a captivating webinar podcast series hosted by Usercentrics, industry leader in consent and preference management solutions. In this thought-provoking series, Usercentrics brings together expert guest speakers from various SaaS, legal, and digital agencies to delve into the pressing issues surrounding user privacy and the consent economy.


¹ The webinar partners are Dorik.ro and matelso GmbH.

Introduction to the Delaware Data Privacy Act

Delaware’s law, passed as House Bill 154, was the eighth state-level data privacy law enacted in the United States in 2023, and the twelfth comprehensive privacy law passed to date. Florida’s Digital Bill of Rights is narrower in scope and not always counted. Nevada’s Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and its Amendment SB-260 are also limited in scope, and the original Act was passed in 2018.

The United States does not have a federal data privacy law, though as of July 10, 2023 it does have the new EU-U.S. Data Privacy Framework adequacy agreement with the European Union. The EU and US had been without such an agreement since 2020 when the previous Privacy Shield was struck down.

Signed into law by Governor John Carney on September 11, 2023, the Delaware privacy regulation goes into effect January 1, 2025, the same date as Iowa’s Consumer Data Protection Act (ICDPA). It also provides for an additional year for organizations to begin recognizing universal opt-out mechanisms. Delaware’s Department of Justice (DOJ) plans to initiate an outreach period no later than July 1, 2024 to inform businesses of their obligations and consumers of their rights under the DPDPA.

Delaware’s privacy law is one of the more consumer-friendly state-level data privacy laws, though not quite as strict as California’s Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). It does apply to a broader range of companies of all sizes as well, and doesn’t specifically target large businesses, like Florida’s law, or exclude small ones, like the Texas Data Privacy and Security Act (TDPSA).

What is the Delaware data privacy act?

Delaware’s data privacy law protects the privacy and personal data rights of the state’s one million residents, i.e. people acting in individual or household contexts, not in any employment capacity. The law also establishes data privacy responsibilities for companies conducting business in the state and/or providing goods and services targeted to Delaware residents.

Privacy notice requirements

Data controllers, defined under the law as “a person that, alone or jointly with others, determines the purpose and means of processing personal data” must provide consumers with a privacy notice that is “accessible, clear, and meaningful”. The notice has to describe the organization’s data processing operations, and include:

Opt-out consent model

Like all other US data privacy laws, the DPDPA uses an opt-out model, so controllers can collect personal data without needing data subjects’ consent in many cases. Consumers do have the right to opt out of data collection and use, which includes sale, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”, and must be provided with information about and mechanisms to do so.

The law notes that controllers must provide “a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data.”

Additionally, “Not later than [one year following the effective date of this Act], allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer’s consent, by a platform, technology, or mechanism to the controller indicating such consumer’s intent to opt out of any such processing or sale.”

Definitions in the Delaware Personal Data Privacy Act

Personal data under the DPDPA

Refers to “any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information”.

It should be noted that personal data (also called personal information) and personally identifiable data are not always the same thing, and distinctions are often made in data privacy laws.

Sensitive data under the DPDPA

Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling and under the DPDPA cannot be collected or used without prior user consent. Delaware’s privacy law specifically refers to personal data that would reveal any of the following:

Delaware’s law is the second of the US privacy laws, after Oregon’s, to include transgender or nonbinary gender expression as sensitive data.

Consent under the DPDPA

Like many other data privacy laws, the Delaware data privacy law follows the European Union’s General Data Protection Regulation (GDPR) with regards to the definition of valid consent: “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”

To provide additional clarity, consent “may include a written statement, including by electronic means, or any other unambiguous affirmative action.” Under the DPDPA, consent does not include:

Consumer under the DPDPA

Refers to “an individual who is a resident of [Delaware]”.

The definition does not include “an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.”

Controller under the DPDPA

Businesses and other organizations that collect and use personal data will likely qualify as controllers, though the law uses the word “person”. Controller is defined as “a person that, alone or jointly with others, determines the purpose and means of processing personal data.”

Processor under the DPDPA

Like controller, while the law references a person, in most cases this is likely to be done by a company or other organization. Processor is defined as “a person that processes personal data on behalf of a controller.” It could include third parties like advertising partners or fulfillment companies.

Profiling under the DPDPA

Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to “automated decision-making” or the use of AI technologies. The Delaware data protection law defines profiling as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.”

Targeted advertising under the DPDPA

This is also increasingly becoming a standard inclusion in data privacy laws, and can refer to the use of emerging technologies like AI tools. The Delaware data privacy law defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.”

The following are not included in the definition of targeted advertising:

Sale under the DPDPA

Refers to “the exchange or transfer of personal data for monetary or other valuable consideration by the controller to a third party”.

Exclusions to the definition of sale include disclosures of personal data:

What is covered in the Delaware data privacy act?

The DPDPA mainly affects commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.

Who has to comply with the Delaware data privacy law?

The Delaware privacy law’s compliance thresholds are lower than those of other comparable US laws, but this is not surprising given the state’s small population of one million people. California, by comparison, has 40 million. The lower thresholds also mean that the law will apply to more small businesses.

Delaware’s law continues a trend of recent US state-level privacy laws in that it has no revenue-only threshold for compliance, i.e. there is no rule under which a company must comply solely because its revenue exceeds a given dollar amount.

The compliance thresholds apply if, in the preceding calendar year, an organization:

or

Exemptions to Delaware Personal Data Privacy Act compliance

The DPDPA’s exemptions are fairly standard, and include exemptions for data processing governed by federal law, e.g. Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).

Exempted entities and their services/activities include:

Exempted regulations (and data processed relevant to them) include:

Consumers’ rights under the Delaware personal data protection law

Consumers’ rights under the DPDPA are fairly standard compared to other comprehensive privacy laws in the US:

Consumers can designate an authorized agent to opt out of personal data processing for them. This is particularly relevant as the DPDPA includes a requirement for controllers to recognize the universal opt-out signal, which will come into effect a year after the law takes effect.

Coverage for children under the DPDPA

Parents or legal guardians of children can exercise the rights of children, whose data is considered sensitive by default. Because of this designation, consent is required before children’s data can be collected or used. Like a number of the other US data privacy laws, Delaware’s law defers to the federal Children’s Online Privacy Protection Act (COPPA) regarding rights, responsibilities and protections for children and their data online, including for the definition of a child, which is a person under the age of 13.

Consumer requests under the DPDPA

Consumers can make one free request to a controller to exercise their rights, e.g. to obtain a copy of their data, every 12 months. A controller can deny requests from a consumer that are “manifestly unfounded, excessive or repetitive”. Other reasonable grounds for denying a request include that the consumer’s identity cannot reasonably be verified, or that too many requests have been received in a 12-month period.

The controller may charge the consumer a reasonable fee to cover the administrative costs of complying with a request that is “manifestly unfounded, excessive or repetitive”. In that case, however, the controller bears the burden of demonstrating that the request is.

An organization must respond without “undue delay” and within 45 days, though it may extend that period by another 45 days if reasonably necessary.

Private right of action under the DPDPA

California continues to be the only US state whose data privacy law provides a private right of action, meaning that consumers can sue controllers for violations of the law. Delaware’s law does not include a private right of action, and enforcement falls under the state’s Department of Justice.

How does the new Delaware data privacy act affect businesses?

The DPDPA is fairly similar to other US privacy law requirements regarding notifications, data access, use, and security. Because of the lower threshold numbers for compliance, it will also likely affect more businesses. The law also includes particular responsibilities for data processors, particularly relating to complying with controllers’ requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.

How to comply with the Delaware data privacy act

Notifications defined by the DPDPA

Controllers must provide a privacy notice that is “accessible, clear, and meaningful”, and describes the organization’s data processing activities, including information about the data collected, processing purposes, parties data is shared with, and ways to exercise consumer rights. Companies’ contact method must be secure, reliable, and easy for consumers to use to make requests or appeal controllers’ decisions, and be able to verify their identities as needed.

Purpose limitation defined by the DPDPA

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer”. If the purposes for processing change, the controller must provide new notification and, where relevant, obtain new data subject consent. In some cases, like with children’s data, consent must be obtained from a parent or guardian before processing, rather than enabling opt-out later.

Data security defined by the DPDPA

Controllers must establish and maintain reasonable administrative, technical, and physical data security practices for personal data under their control, including deidentified data, and “protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue”. Processors working with/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually prior to processing.

Data protection assessments (DPA) defined by the DPDPA

Controllers are required to perform data protection assessments (DPA), also known as data protection impact assessments, for “processing activities that present a heightened risk of harm to a consumer.” Such activities could include:

The DPDPA also generally requires a controller that processes the data of at least 100,000 consumers to perform DPAs.

The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.

Consent requirements defined by the DPDPA

In many circumstances user consent is not required by Delaware’s privacy law before personal data is collected or processed. Prior consent is required to access sensitive data or children’s data, for example, or if the organization’s data processing purposes change. Controllers must provide clear notification about what data is collected and processed, purposes for use, who it’s shared with, consumers’ rights and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.

In addition to providing information about how consumers can opt out, controllers must provide information so consumers know that they can change or revoke previous consent later. Revoking consent must be as easy to do as giving it. If a consumer does this, data processing should stop immediately, but at most no more than 15 days after receipt of the request.

Nondiscrimination defined by the DPDPA

Like other US privacy laws, Delaware’s regulation prohibits discrimination against consumers, including discrimination for exercising their rights under the law. For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing the site or its functions. There are, however, some web or app features and functions that will not work without certain cookies or trackers being activated, so if a consumer opts out and they no longer work optimally, this is not discriminatory.

Processing personal data is also prohibited if doing so would violate other state or federal laws governing discrimination.

Controllers can offer voluntary incentives to consumers for their participation in activities that collect personal data, e.g. newsletter signups, surveys, or loyalty programs. Such offers must, however, be reasonable and proportionate to the request and to the type and amount of data collected, so that they do not look like payments for consent, which data protection authorities frown upon. Consumers who decline such offers also cannot be discriminated against, e.g. by not having access to comparable offers or being charged a different price for goods or services.

Third-party contracts defined by the DPDPA

Processors need to assist controllers in meeting their obligations under the law, which include restricting processes to publicized purposes, safeguarding personal data, and providing information enabling data protection assessments.

There needs to be a contract in place between the controller and processor prior to data collection. Such contracts are binding on both sides and need to include:

  • duty of confidentiality
  • clear instructions for processing data, including:
    • nature and purpose of the processing
    • type of data that is subject to processing
    • duration of the processing
  • rights and obligations of both parties
  • the processor must delete or return the personal data to the controller at the controller’s direction or at the end of the provision of services, unless there are superseding legal requirements for the processor
  • the processor must provide the controller (upon request) all information needed to verify that the processor has complied with all of their contractual obligations to the controller
  • if the processor engages any subcontractors, they must have contracts in place as well to ensure they comply with all requirements of the controller

Universal opt-out mechanism

Not all US state-level privacy laws include requirements for a universal opt-out mechanism, also known as a global opt-out signal or Global Privacy Control, but it is becoming more common in some of the more recently passed data privacy laws. The Delaware Personal Data Privacy Act does include this mechanism, though organizations have a year from when the law comes into effect in January 2025 before they must begin accepting it.

This mechanism enables consumers to set and communicate their preferences regarding the processing of their personal data once, e.g. in their web browser, after which those preferences are communicated to every website, platform or service the consumer uses that can detect the signal.
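The signal detection described above, as an added JavaScript example that is not from the original article and not Usercentrics’ product code. It uses the two carriers the Global Privacy Control specification defines, the `Sec-GPC: 1` request header (server side) and the `navigator.globalPrivacyControl` property (client side), and assumes a Node.js-style request where headers arrive as a plain object with lower-cased names. The `resolveOptOut` policy (a live signal switches off sale and targeted-advertising purposes even over a stored opt-in, and a stored opt-out is always kept) is an assumption chosen for illustration, not a statement of what the DPDPA itself prescribes.

```javascript
// Added example (not from the original article): detecting and honoring the
// Global Privacy Control (GPC) universal opt-out signal.
//
// The GPC specification carries the signal two ways:
//   * request header  "Sec-GPC: 1"                 (server-side detection)
//   * navigator.globalPrivacyControl === true      (client-side detection)
// Anything other than the exact value "1" / true is "no signal", never "opt-in".

// Server side: `headers` is a plain object as Node's http module provides
// (names lower-cased, but we normalize anyway in case a framework differs).
function gpcOptOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value; // some stacks give arrays
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Client side: browsers without GPC support expose no property at all,
// so `undefined` must be read as "no signal".
function gpcOptOutFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Decide which opt-out-governed purposes may run for this request.
// Policy (assumed for illustration):
//   1. a stored explicit opt-out is always honored;
//   2. otherwise an active GPC signal opts the user out;
//   3. otherwise a stored opt-in, or the law's opt-out default, applies.
function resolveOptOut({ headers = {}, navigatorLike = null, storedChoice = null } = {}) {
  if (storedChoice === 'opt-out') {
    return { sale: false, targetedAds: false, source: 'stored' };
  }
  const signal = gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(navigatorLike);
  if (signal) {
    return { sale: false, targetedAds: false, source: 'gpc' };
  }
  const source = storedChoice === 'opt-in' ? 'stored' : 'default';
  return { sale: true, targetedAds: true, source };
}

// Constructed sample request headers, as a Node.js handler would see them.
const SAMPLE_HEADERS_WITH_GPC = { host: 'example.com', 'sec-gpc': '1', accept: 'text/html' };
const SAMPLE_HEADERS_WITHOUT_GPC = { host: 'example.com', accept: 'text/html' };

// Usage: decide per request whether targeted-advertising scripts may be loaded.
const decision = resolveOptOut({ headers: SAMPLE_HEADERS_WITH_GPC, storedChoice: 'opt-in' });
console.log(`targeted ads allowed: ${decision.targetedAds} (source: ${decision.source})`);
```

Log the `source` field with each decision: when a regulator asks how a given opt-out was handled, the record of whether it came from a stored choice, the signal, or the default is the evidence that the mechanism was actually honored.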

What happens if you violate the Delaware data privacy regulation?

Delaware’s enforcement for the DPDPA will be similar to that of other US states in that it is centralized, though there is some coordination with existing consumer protection laws in the state as well.

DPDPA enforcement

Enforcement of the Delaware Personal Data Privacy Act is under the Attorney General and Department of Justice.

Consumer complaints about controllers’ data processing or denial of consumer requests can be submitted to the Attorney General, which will notify an organization of any complaint and if an investigation is launched. The Attorney General can require data protection assessments and other information from controllers in the course of investigation or to ensure they are being done compliantly.

Consumer complaints under the DPDPA

Controllers have to provide information and a process to consumers not only to exercise their rights, but to lodge an appeal if the controller refuses to take action on a request, either within a reasonable amount of time or at all. This appeal process must be similar to the process to make a request and just as easy to do.

If a consumer complains, the controller has 60 days from receiving this appeal to reply to the consumer about any action taken, including written explanation of reasons for the decision. Controllers also have to provide consumers with an online mechanism, if possible, or another way to contact the Department of Justice to submit a further complaint if the controller does not resolve issues with the consumer.

The DOJ can decide to issue a notice of violation to a controller, e.g. resulting from a complaint. As previously noted, consumers do not have private right of action under the DPDPA.

Cure period and sunset provision under the DPDPA

If the Department of Justice determines a violation has occurred, but can be “cured”, in addition to notifying the controller of the violation, they can provide 60 days for the controller to fix the issue and prevent it from recurring.

If the controller fails to cure the violation within 60 days, the DOJ may initiate enforcement proceedings. The DOJ considers the following in determining if enforcement is warranted:

The cure period for the DPDPA sunsets on January 1, 2026, the consideration being that by then organizations should know their responsibilities and be ensuring compliance. The DOJ can still decide to offer a cure period, but it will be entirely at their discretion.

Fines and penalties

The DPDPA doesn’t provide a specific amount for fines, however it does reference Subchapter II of Chapter 25 of Title 29, which states that the Attorney General has standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and/or seek remedies on behalf of the state for violations (of a variety of provisions relating to consumer protection).

Entities found to have willfully violated the law can be ordered to pay up to US $10,000 per violation.

The Delaware Personal Data Privacy Act and consent management

Delaware’s law is based on an opt-out consent model, so in many circumstances consent does not need to be obtained before collecting or processing personal data, as it does in the European Union, for example.

Consumers do have to be informed about data collection and use, parties with access, and what their rights are and how to exercise them. This information and a comprehensive privacy notice need to be clear and easily accessible, e.g. on the organization’s website.

Consumers do need to be able to opt out of processing of their data or be able to change or revoke their previous consent preferences. This can be managed via a consent management platform like Usercentrics CMP for Website Consent Management or App Consent Management.

As of 2026, organizations must also recognize and respect consumers’ consent preferences as expressed via a universal opt-out signal.

Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. The DPDPA does require providing consumers with clear, granular information about this.

The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws.

A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

Check out our on-demand webinar: US Data Privacy Legislation

Preparing for the Delaware Personal Data Privacy Act

Organizations doing business in Delaware have until January 2025 to prepare for compliance with the DPDPA. The Department of Justice will be conducting educational outreach by July 2024.

Companies that achieve compliance with other state-level regulations, like California’s CCPA/CPRA, have done much of the work toward DPDPA compliance. Organizations always need to be clear on specific states’ laws’ unique stipulations and should always consult qualified legal counsel and/or their own data protection officer (DPO) or privacy expert. A privacy by design approach will also benefit an organization’s operations beyond data privacy compliance.

Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Data protection regulations and privacy laws are constantly evolving, and the Digital Markets Act (DMA) brings new considerations to this landscape. Introduced by the European Union, the Digital Markets Act aims to foster a competitive and fair digital market and protect user privacy.

The regulation targets large online platforms, referred to as ‘gatekeepers’, due to their influential role in digital markets. The designated gatekeepers under the DMA are:

However, its ripple effects extend to all layers of web development, affecting how developers approach user data, interoperability, and user consent.

We explore how the DMA impacts web development and how web developers can adapt practices for DMA compliance.

Key provisions of the Digital Markets Act impacting web developers

Integrating privacy law requirements into website and app designs is a significant part of a web developer’s work, directly affecting the handling and protection of user data. The DMA law introduces critical changes for web developers that place greater emphasis on user rights and open competition.

  1. User consent: Strong emphasis on obtaining explicit consent to collect personal data for any purpose, including serving personalized or targeted ads.
  2. Data portability: Users must be able to easily move their data between different platforms, giving them more control over their data and making it simpler for them to switch between services without losing their information.
  3. Interoperability between platforms: Requires gatekeepers to make sure their core platform services can work well with other, smaller platforms and services, allowing those platforms to make their products fit smoothly with the gatekeepers’ services.

Adapting web development practices for Digital Markets Act compliance

For transparency and consent in data collection and ad targeting

Under privacy laws like the DMA, you must give users clear information about what data is taken, why it’s used, how long it’s kept for, and who might have access to it.

Users must have the choice to say no to giving consent or to take back their consent if they change their mind. They also shouldn’t be tricked or misled about how their data is used.

Ensuring transparency involves two key areas:

  1. Implementing a consent banner that clearly communicates consent choices to users.
  2. Making privacy policies easily accessible and legible.

Consent banners

A transparent consent banner that gives users an actual choice whether to accept or reject consent must have:

Usercentrics website CMP enables you to fully customize your consent banner to your needs
Usercentrics website CMP enables you to classify the data processing services used on your website into different purpose-describing categories.

Privacy policy

Privacy policies are often long and confusing, making it hard for users to understand their rights and the company’s data policies. Legal and compliance teams handle privacy policy writing, but web development teams can help make them user-friendly.

A website’s footer is a common place to put the link to a privacy policy; most users know to look there, which makes it easy to find. You can also make the privacy policy easy to digest in how you present it.

Let’s look at some privacy policies with a user-friendly presentation.

Potential challenges in ensuring transparent access

While providing users with transparent access poses challenges, the right tools and collaborations can help you tackle these complexities, enhance the user experience, and obtain legally valid consent.

  1. Dynamic nature of data practices: Web developers must regularly update transparency features to reflect changes in the company’s data practices and maintain compliance with data protection regulations, without disrupting the user experience. Collaborate with legal and compliance teams to help keep the website up to date with changes.
  2. Complexity of consent management: Developing a consent management system that enables users to easily understand and manage their preferences and the website owner to compliantly record consent can be technically challenging. Use a consent management platform (CMP) to save time and effort by streamlining consent management and enabling compliance.
  3. Clear presentation: Designing information to be clear and accessible can be challenging when dealing with diverse user groups who have varying levels of technical understanding. Work with user research and design teams to ensure the information caters to all users, enhancing clarity and accessibility regardless of their technical background.
  4. Internationalization and localization: Adapting transparency features to different languages and cultures while maintaining accuracy and legal compliance is challenging, especially for global brands. Use a CMP that offers multiple language options and can help obtain valid consent from users in diverse regions globally.

For data portability

The DMA requires gatekeepers to enable users to move their data easily from one service to another, empowering them with control over their data and freedom to switch services without losing their information.

Even if a company is not a gatekeeper and therefore not directly under the DMA’s scope, it still needs to be prepared to honor data portability requests if it uses a core platform service that is required to offer this feature under the DMA.

Gatekeepers and core platform services (CPS) according to the Digital Markets Act (DMA)

To create a user-friendly data portability experience, you can consider:

  1. User interface design: Incorporate the data export option within the user account settings to make it easily accessible and user-friendly.
  2. Data format selection: Offer multiple data export formats that are commonly used and can be easily processed, such as CSV, JSON, and XML.
  3. User notification system: Set up notifications to inform users when their data export is ready for download, such as automated emails or in-app notifications.
  4. Timeframe and feedback: Clearly communicate the expected timeframe for data export processing. After the export, provide a way for users to give feedback, helping to continually improve this feature.
  5. Document process: Create step-by-step instructions to help users understand where to find the data export option and how to download their data.
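An added JavaScript example for point 2 above, data format selection; it is not part of the original article and is not Qualtrics’ or Usercentrics’ code. One export routine serializes the same user record to CSV, JSON and XML, so a developer can see what each format needs in order to re-import cleanly at the receiving service: RFC 4180 quoting for CSV and entity escaping for XML. The record fields, the sample values and the `exportUserData` name are constructed for illustration; a real export would be driven by the service’s own data model.

```javascript
// Added example (not from the original article): serializing a user's data
// into the portable formats a data-portability request commonly asks for.

// Constructed sample record. The values deliberately contain the characters
// that break naive exports: quotes and a comma (CSV), markup and "&" (XML).
const SAMPLE_RECORD = {
  id: 'u-1001',
  email: 'alice@example.com',
  displayName: 'Alice "Al" O\'Brien, Jr.',
  bio: 'Likes <b>tea</b> & books',
  createdAt: '2024-03-01T10:15:00Z',
};

// Fields exported, in column order. These are assumed field names; they must
// also be valid XML element names because they become tags in toXml().
const EXPORT_FIELDS = ['id', 'email', 'displayName', 'bio', 'createdAt'];

// CSV per RFC 4180: quote a field that contains a comma, a double quote or a
// line break, and double any embedded quotes. Null/undefined export as empty.
function csvField(value) {
  const s = value == null ? '' : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function toCsv(records, fields = EXPORT_FIELDS) {
  const header = fields.map(csvField).join(',');
  const rows = records.map((r) => fields.map((f) => csvField(r[f])).join(','));
  return [header, ...rows].join('\r\n') + '\r\n'; // CRLF line ends per RFC 4180
}

// JSON: only the agreed fields, pretty-printed so the file is readable as-is.
function toJson(records, fields = EXPORT_FIELDS) {
  const users = records.map((r) =>
    Object.fromEntries(fields.map((f) => [f, r[f] ?? null])));
  return JSON.stringify({ users }, null, 2);
}

// XML: escape the five predefined entities so user-supplied text can never
// inject markup into the document.
function xmlEscape(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

function toXml(records, fields = EXPORT_FIELDS) {
  const users = records.map((r) =>
    '  <user>\n' +
    fields.map((f) => `    <${f}>${xmlEscape(r[f])}</${f}>\n`).join('') +
    '  </user>\n');
  return '<?xml version="1.0" encoding="UTF-8"?>\n<users>\n' + users.join('') + '</users>\n';
}

// Entry point: returns the body plus the content type to send the download with.
// Unknown formats are rejected rather than silently falling back to one.
function exportUserData(records, format) {
  switch (String(format).toLowerCase()) {
    case 'csv':  return { contentType: 'text/csv; charset=utf-8', body: toCsv(records) };
    case 'json': return { contentType: 'application/json', body: toJson(records) };
    case 'xml':  return { contentType: 'application/xml', body: toXml(records) };
    default:     throw new Error(`unsupported export format: ${format}`);
  }
}

// Usage: build the file a user picked in their account settings.
console.log(exportUserData([SAMPLE_RECORD], 'csv').body);
```

Keeping the field list explicit, rather than dumping every property of the stored object, is what stops internal columns (password hashes, fraud scores, other users’ identifiers) from riding along in an export that exists to hand data back to one user.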

A good example of documentation is from Qualtrics, which has detailed guides for downloading survey response data. While the use case differs from downloading user data, the principles apply to data portability download requests too.

Qualtrics’ documentation includes detailed instructions, screenshots, and FAQs for users across different pages on related topics:

For interoperability

The DMA requires gatekeepers to ensure the core platform services can work together with other platforms, enabling different services and platforms to communicate and share data effectively, fostering a more connected digital environment.

This requirement offers a massive opportunity for smaller businesses to build web services that integrate easily with these large platforms. With interoperability, smaller platforms can reach more people, tap into larger markets, and create new services that work well with other platforms, improving how users experience these digital services.

The Global Partnership for Sustainable Development Data has released a playbook with checklists and key questions to consider that can serve as valuable guidance for you.

This playbook offers specific steps and considerations for building web services that integrate easily with the global developer community, enhancing interoperability. It covers a range of concerns from developing good documentation to building user trust.

The role of web development and digital agencies in ensuring DMA compliance

The DMA’s aim is to develop fair market conditions where businesses of all sizes can compete. This gives smaller web development firms and digital agencies a chance to provide services and solutions to help companies meet DMA requirements.

Key areas of focus include:

  1. Developing compliant solutions: Agencies can build web solutions that adhere to DMA guidelines, ensuring features like data portability, interoperability, and transparency are integrated into web designs and functionalities.
  2. Advisory services: Offering consultancy services to clients on how to align their technologies with DMA regulations and help them understand and implement necessary changes.
  3. User consent management: Managing consent platforms is vital in obtaining proper user consent for data collection and processing. Agencies can implement and oversee these systems to ensure consent meets DMA requirements.
  4. Building trust with compliance: By demonstrating compliance with the DMA, agencies help their clients build trust with users. This approach enhances the reputation and confidence of both the agency and its clients.
  5. Innovative solutions for compliance challenges: Leveraging technology and forming collaborations or partnerships can be an effective way to address complex compliance challenges and help clients stay ahead in a competitive and regulatory landscape.

Tools and technologies for DMA compliance

User consent management

Consent management platforms (CMP) simplify the process of managing user consent and are a natural partner for enabling compliance with data protection regulations and laws like the DMA.

Tools such as Usercentrics CMP for web and apps and Cookiebot cookie consent solution aid in handling user consent collection and signaling. These platforms:

Third-party integrations

API management tools like Apigee, Mulesoft, and Kong can help with third-party integrations and cross-platform compatibility, ensuring different services work well together. This supports meeting the DMA’s rules for interoperability.

Marketing tools

Software for marketing teams can come with questions about where the data collected is stored or whether it infringes upon users’ rights under data privacy laws.

Analytics tools like Mapp, etracker and econda enable DMA- and GDPR-compliant data analysis.

Tools like Kameleoon, Dynamic Yield and Optimizely help marketing teams with content and ad personalization, campaign optimization and A/B testing.

Compliance tools

Website owners must not only collect legally valid consent, they must have the tools in place to ensure compliance at all levels when dealing with personal data. This includes monitoring how personal data is accessed and used, identifying privacy-related issues, assessing risks related to data processing activities, and creating compliance reports.

Platforms like LogicGate, NAVEX Global, AuditBoard, IBM OpenPage and RSA Archer can help monitor for compliance under data privacy laws including the GDPR, helping agencies and businesses in meeting DMA requirements and avoiding violations and penalties.

How Usercentrics can help web development and digital agencies enable DMA compliance for clients

Usercentrics equips you with a comprehensive toolkit to guide clients towards DMA compliance. These resources and support streamline the journey to compliance, enabling you to focus on helping your clients achieve their goals without the added worry of compliance complexities.

Comprehensive checklists for compliance with multiple international data privacy laws (including the DMA checklist) make it easy for you to ensure you don’t miss a step.

Conclusion

The Digital Markets Act (DMA) presents a significant opportunity for web development and digital agencies. By adapting to its standards, you can guide your clients in creating platforms that prioritize user privacy and data security and give users control over their data. Such an approach centers on user rights, fostering trust as end-users feel confident that their personal information is secure and their preferences respected.

Collaborating with legal and compliance experts is key in this process, ensuring that websites and apps comply with DMA regulations while fostering a secure and transparent online environment. This method of building trust is particularly crucial in a digital market where user confidence can greatly influence a platform’s success.

Artificial intelligence (AI) is at the forefront of the world’s technology evolution and influencing the transformation of the data protection and user privacy landscape. But the application of AI in various industries has also raised important questions about consent and what it means in the context of organizations’ ever-growing need for data, and in increasing applications of AI.

In this article, we delve into the nuances of President Biden’s Executive Order on safer AI and the European Data Protection Supervisor’s (EDPS) General Privacy Agreement (GPA) resolution on generative AI, comparing these two landmark initiatives and their impact on data privacy.

Understanding artificial intelligence

Artificial Intelligence, commonly referred to as AI, is a branch of computer science that simulates human intelligence in machines. These machines are programmed to think like humans and mimic their digital actions and thus be capable of learning, reasoning, problem-solving, perception, and understanding natural language.

AI has immense potential across various industries, from healthcare and education to transportation and entertainment. It can enhance operational efficiency, boost productivity, and drive innovation. AI is steadily becoming an integral part of our everyday life, transforming the way we work, live, and interact.

The intersection of AI and data privacy

While AI promises numerous benefits, it also poses significant challenges, particularly in the realm of data privacy. AI systems typically rely on vast amounts of training data to learn and make decisions. To date, much of this data has been found to have been accessed and used without the consent of those who created or published it, raising critical questions about user privacy and data protection.

The need for consent management in AI

Consent management is crucial in AI as it enables obtaining and managing user consent for data processing, like in training data sets. Given the scale and complexity of data processed by AI systems, consent management plays a pivotal role in ensuring that user data is handled responsibly and ethically.

Consent management solutions, including privacy policies, also help ensure that users who become data subjects are adequately informed about what data of theirs is to be used if they consent, for what purposes, who will have access to it, and other details required by many global data privacy laws.

President Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence

In October 2023, President Biden issued an Executive Order aimed at fostering the safe, secure, and reliable development and use of AI in the United States. This initiative emphasizes the crucial role of federal agencies in setting standards, issuing guidance, and monitoring AI use to safeguard business and societal interests.

Although the Executive Order doesn’t directly regulate the private sector, it influences business processes by setting expectations through federal contracts and standards set by agencies like the National Institute of Standards and Technology (NIST). Therefore, the impact of the Executive Order is likely to be significant and far-reaching.


The European Data Protection Supervisor’s (EDPS) General Privacy Agreement (GPA) Resolution on Generative AI

The GPA resolution on generative AI issued by the EDPS aims to uphold data protection principles in the context of AI. It provides comprehensive guidelines for managing risks associated with AI, ensuring that AI technologies are developed and used in a manner that respects user privacy and data protection and does not violate human rights law in any way that is unfair, unethical or discriminatory.

The GPA resolution is instrumental in shaping AI governance by promoting responsible innovation and ensuring the rights of individuals. It calls for a unified, safe, and reliable approach to AI, emphasizing the importance of transparency, accountability, and fairness. It also requires that AI be designed, developed and deployed in ways that are responsible and trustworthy, based on the principles of transparency, data protection, privacy, human control and democratic values.

Legal principles guiding AI development and systems

The resolution also mentions that legal principles are the core elements of consideration for the development, operation and deployment of AI systems. These principles are:

  1. Data processing must have a legal basis that is lawful in accordance with applicable regulation(s), even if the data is publicly available.
  2. Data processing in an AI system shall have a specific, explicit and legitimate purpose.
  3. Data minimization requires limiting the collection, sharing, aggregation, retention and further processing of personal data.
  4. Data processed must be accurate, reliable and representative.
  5. Adequate transparency measures must be implemented to ensure the openness of the generative AI tools.
  6. Reasonable and effective security measures must be implemented and maintained.
  7. Privacy by design and default requires developers, providers and deployers of AI systems to carefully assess the envisaged processing activities, the risks they may pose for the data subjects, and the possible measures available to ensure compliance with data protection principles and the protection of individual rights.
  8. Data subjects must be informed of their rights and how to exercise them.
  9. Those building, running, or using output from AI systems shall be responsible for and must be able to demonstrate compliance with applicable national regulations and international agreements.

Comparing President Biden’s Executive Order and the EDPS’s GPA Resolution

Both President Biden’s Executive Order and the EDPS’s GPA resolution underscore the need for safe and responsible AI. They emphasize the importance of data protection, user privacy, and consent management, highlighting the role of regulatory authorities in ensuring ethical AI practices.

While both initiatives aim to promote responsible AI, they differ in their approach. President Biden’s Executive Order is more focused on setting guidelines and standards for AI development, while the GPA resolution emphasizes the implementation of data protection principles in AI.

Implications of new regulatory initiatives on AI data privacy

Advancements in data privacy

The initiatives by President Biden and the EDPS represent significant advancements in data privacy with regards to AI. They set clear guidelines and standards for AI development and deployment, promoting responsible innovation and safeguarding user privacy.

The role of consent management platforms (CMPs) in AI initiatives

In the context of AI, consent management platforms play a critical role in helping to ensure data privacy. These platforms help manage user consent for data processing, enabling compliance with data protection regulations and fostering trust with users.

Looking ahead: The future of AI and data privacy

As AI continues to evolve, so does the landscape of data privacy. Future advancements in AI will necessitate further enhancements in data protection and user privacy measures, underscoring the importance of consent management.

Regulatory authorities will play an increasingly crucial role in shaping the future of AI and data privacy. Their guidance and regulations will be instrumental in ensuring that AI technologies are developed and used responsibly and ethically.

President Biden’s Executive Order and the EDPS GPA resolution mark significant milestones in the evolution of AI and data privacy. Both initiatives not only underscore the importance of data protection and user privacy in AI but also highlight the critical role of consent management in ensuring ethical AI practices. As we move forward, these initiatives will continue to shape the landscape of AI and data privacy, promoting responsible innovation and safeguarding user interests.

A number of new privacy regulations were passed in 2023, and some passed earlier came into effect. Even more will do so in 2024, or enforcement will begin. Possibly even more influential, regulatory requirements for large tech companies will have substantial data privacy trickle-down effects on third parties that rely on their platforms and services for audience, data and revenue.

AI will surely become more regulated, and the focus on it has also further heightened consumers’ awareness of access to and use of their data. Some changes that will be coming as a result of the aforementioned regulations and business requirements will also bring welcome improvements to the consumer landscape, with more transparency, competition, innovation and consumer choice.

Let’s look at some of what we can expect in data privacy in 2024.

2024 in data privacy regulations and business

A number of the laws passed in the US in 2023 will come into effect in 2024, substantially increasing the number of US states with data privacy regulations in place, with their associated requirements for businesses that process personal data.

There are several major data privacy regulations around the world that are expected to be finalized in 2024, bringing new protections to even more people, and adding additional protections in places like the European Union (EU).

Technologies that enable and enhance privacy (privacy-enhancing technologies or PETs) will also likely take center stage, with website data privacy policies starting to be seen as pillars for building user trust, promoting transparency, and aligning with corporate social responsibilities.

Once regulatory enforcement begins for new laws like the Digital Markets Act, we will likely see rapid and significant changes in the operations of big tech companies, and in smaller companies that rely on those platforms. Data privacy protections are poised to cover more of the world’s population than ever before. Will it be 75% of people by the end of the year, as Gartner has predicted?

Data privacy in the United States

Eight US states passed data privacy legislation in 2023, and laws in five of those states will come into effect in 2024:

14 of the 50 US states now have data privacy regulations in place, though in 2023 40 states tabled privacy legislation, many not for the first time. Expect to see even more data privacy laws make it to governors’ desks in 2024.

Progress remains slow to stalled on federal data privacy legislation in the US. However, developments like generative AI and its uses are getting a lot of attention and scrutiny, including on the data privacy front, so it’s possible peripheral topics like that may provide stronger motivation for a broader federal data privacy law in the US.

Data privacy in Canada

Bill C-27 sets out the Digital Charter Implementation Act, 2022, which would bring a new framework for governing personal information access and use in the private sector. The bill is currently before committee and could be passed in 2024. It would bring the Consumer Privacy Protection Act (CPPA) into effect and replace the PIPEDA regulation, which is over 20 years old.

The Digital Charter Implementation Act would also include the Personal Information and Data Protection Tribunal Act, which would set up an administrative tribunal to review some decisions from Canada’s Privacy Commissioner, and impose penalties for CPPA violations.

The Act would also help to address the expansion of AI influence and applications with the Artificial Intelligence and Data Act (AIDA), which would help to regulate trade and commerce in AI systems using a risk-based approach. Any new AI regulations or frameworks would need to have a focus on data privacy, especially for consumers.

Data privacy in Australia

Federally, Australia has had the Privacy Act since 1988 (with additional state and territory laws). An overhaul has been expected for some time, though it was most recently amended in 2022. The Privacy Act Review Report with 116 recommendations was released in February 2023, and some high profile data breaches in recent years will likely add more pressure to enhance data privacy and protections for the country’s citizens. Look for greater change in 2024.

ePrivacy Regulation in the EU

In the European Union, the ePrivacy Directive (ePD) has been in place since 2018, as long as the General Data Protection Regulation (GDPR). But the ePrivacy Regulation (ePR), which would repeal the ePD, has lagged. The EU has since passed other laws with data privacy elements in recent years, including the Digital Markets Act, and the AI Act is likely to be passed in early 2024.

The ePR would establish, among other things, clearer rules on cookie usage, and regulate newer electronic communications services not covered by the ePD, like WhatsApp or Facebook Messenger. However, with a 24-month transition period, if finalized in 2024, it wouldn’t be fully in effect until 2026.

Regulation of artificial intelligence (AI)

The European Union’s AI Act, the first of its kind, is expected to be finalized in early 2024. In addition to providing new rules, guidelines, and prohibitions about the development and application of AI in the EU, it’s likely to have significant influence on similar laws in other countries, just as the GDPR did when it came into effect.

US President Biden also signed an executive order on safer AI in October 2023, which will also influence further developments in the space.

Digital Services Act Package

We covered the Digital Services Act Package and its two laws, the Digital Services Act (DSA) and Digital Markets Act (DMA) in our 2023 recap. Some requirements with the laws were in place in 2023, but enforcement will begin in early 2024.

These laws require compliance from designated big tech companies, and will mean they also need to put compliance pressure on third-party customers and partners, which could have a much greater effect on privacy compliance, especially for smaller organizations — particularly in the EU — than regulations like the GDPR have to date. One example is Google’s requirement for use of a certified consent management platform supporting the TCF 2.2 and Consent Mode.

Watch for substantial changes beginning in 2024 that will affect consumers’ options and affect business operations and competitiveness in digital markets, including the adoption of consent management platforms (CMP) to enable privacy compliance and consent signaling.

The future of “pay or ok”?

With ongoing data privacy challenges in the EU, and in response to the Digital Markets Act (DMA) under which it’s been designated as a “gatekeeper”, Facebook and Instagram parent company Meta announced plans for a new subscription model for users to access Facebook and Instagram, nicknamed “pay or ok”.

In the EU, EEA and Switzerland, Facebook and Instagram users would be able to sign up for a paid monthly subscription to these platforms where they won’t receive advertising. Users who choose not to pay will be shown ads, and their personal data will be collected and used, e.g. for ad personalization.

However, in late 2023 multiple groups, including the European Consumer Organisation (BEUC), filed a complaint against Meta over the proposed subscription offering, arguing it was unfair and another attempt to circumvent EU laws. Look for this case to evolve in 2024 and to be watched closely by other big tech companies.

Conclusions and how to embrace data privacy

Probably the best keyword for what to expect in data privacy in 2024 is: acceleration. So much was begun in 2023 that will continue to roll out or will influence new legislation, business requirements, technology and consumer expectations.

Data privacy is becoming critical to doing business and protecting both brand reputation and revenue. Companies are waking up not only to the risks of noncompliance but also to the opportunities of protecting data and respecting user privacy. Expect data privacy in the mobile space, for example, to continue to heat up in 2024.

In some regions, businesses are finding it necessary to comply with multiple regulations, which is challenging, especially for SMEs that have limited resources. But this is the new normal, and isn’t as scary as it may seem. Usercentrics is here to help, and our solutions are designed to be user-friendly, reliable, and especially to scale as your company grows, your tech stack changes, and as regulations evolve.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Data privacy definitely ramped up globally in 2023. More regulations were passed, and consumers continued to become more savvy and concerned about access to and use of their personal data. The app industry started to take notice and realize that privacy compliance wasn’t an onerous legal requirement, but a potentially massive revenue opportunity.

Perhaps most of note, however, is that the impetus to achieve privacy compliance has started to shift, and a greater push is coming not from governments but from businesses. Laws like the Digital Markets Act (DMA) will affect big tech companies like Alphabet, Facebook and Amazon.

Millions of businesses use those companies’ platforms and services to sell products, collect user data, advertise, and more. If the big tech companies are required to comply with DMA obligations, they will require third parties that rely on them for reach and revenue to comply as well. This hits a lot closer to home than, for example, headlines about “The Biggest GDPR Fine Ever!”

AI has also been an ever-present topic in 2023, with reactions running the full gamut from giddy excitement to alarmist. It’s been good to see that people seem to be aware of and talking about the data privacy issues of AI training, particularly, and laws to regulate AI development and use are already in the works. The EU should have their AI Act finalized in early 2024.

Let’s have a look at what was new and in the news in data privacy in 2023.

2023 in data privacy regulations and business

This year several long-awaited data privacy regulations came into effect, and many were passed that will come into force in the coming years. 2024 looks to become an even bigger year for regulation and enforcement, accompanied by increasing B2B expectations of businesses for their partners and customers.

Laws targeting big tech also got a lot of attention, and it will be very interesting to see how that plays out in the market and their effects on competition and innovation. Regulation of AI, which also brings significant data privacy concerns, will also continue to grow.

Let’s look at where new privacy laws were passed in 2023.

Data privacy in the United States

The United States passed more data privacy laws than any other country in 2023, but that’s because they are still passed state by state. To date the country still doesn’t have a federal-level data privacy law. 14 states of 50 (there’s also the District of Columbia, Puerto Rico, etc.) have now passed data privacy legislation.

California is the only state with two active laws, the California Consumer Privacy Act (CCPA) having come into effect in 2020 and the California Privacy Rights Act (CPRA) having come into effect in 2023.

40 US states introduced privacy legislation in 2023. In many cases these were repeat attempts. Eight states actually passed new data privacy laws, which their respective governors signed into law:

The laws in Montana, Florida, Texas, Oregon and Delaware come into effect in 2024. Iowa and Tennessee’s laws come into effect in 2025, and Indiana’s doesn’t come into effect until 2026.

*Florida is not always listed among states that passed “comprehensive data privacy laws”, as there are fairly significant restrictions to organizations it affects. It’s also called a “Digital Bill of Rights” and not a “Privacy Act”. For example, only companies with a billion dollars or more in revenue have to comply, and it targets companies operating app stores or digital platforms.

All of the US states that have enacted privacy laws to date have used an opt out consent model, which means that in most cases, users’ data can be collected without having to obtain their consent. This differs from the opt in or “prior consent” model used in many of the world’s data privacy laws.

Data privacy in Canada

Canada has not updated their federal data privacy law recently, as Bill C-11, which would have become the Consumer Privacy Protection Act, did not pass in 2021. PIPEDA, which is over 20 years old, remains in effect. In the province of Québec, however, the majority of the provisions of Law 25, which was passed in 2021, came into effect in September 2023. The law brings a variety of data privacy and protection requirements for organizations. A number of its provisions resemble privacy laws in Europe more than those in the US.

Data privacy in Switzerland

Switzerland already had a data privacy law, but it was 30 years old, so the Swiss Federal Data Protection Act (FADP), which came into effect in September, is a much needed update. The FADP has some differences from the General Data Protection Regulation (GDPR). For example, consent or a legal basis is required in fewer instances. But the two laws largely align, as a major goal of the FADP is enabling the flow of business between Switzerland and the European Union, as Switzerland is not a member of the EU.

Data privacy in Saudi Arabia

The Saudi Arabia Personal Data Protection Law (PDPL) came into force after an amendment in September 2023. Compliance enforcement will begin in September 2024. The PDPL follows a prior consent model, and organizations that have achieved GDPR compliance will have done most of the work necessary to comply with the Saudi law.

Data privacy in India

India enacted the Digital Personal Data Protection Act (DPDP Act) in August 2023, replacing relevant provisions from existing laws from 2000, 2008 and 2011. The DPDP Act generally follows laws like the EU’s GDPR, and requires prior user consent for data collection in many cases, though “legitimate use” exceptions can be invoked.

EU-U.S. Data Privacy Framework

After being without an adequacy agreement since 2020, the EU and US came to agreement on the EU-U.S. Data Privacy Framework in July. This framework helps to ensure data protection with international data transfers between the two regions. It brings seven core principles:

Digital Services Act Package

The European Commission enacted the Digital Services Act (DSA) and Digital Markets Act (DMA), with some designations and provisions coming into effect in 2023, and more to come in 2024.

Digital Services Act (DSA)

The Digital Services Act (DSA) targets a wide array of digital intermediary services, particularly designated very large online platforms (VLOPs) and very large online search engines (VLOSEs) with 45 million or more monthly active users in the EU. The law imposes a number of strict requirements to address societal risks associated with the operation of these platforms. The Act aims to create safer digital spaces and protect users’ rights. It also assigns new responsibilities to VLOPs and VLOSEs for content published and protection and respect for user data.

Digital Markets Act (DMA)

The Digital Markets Act (DMA) primarily focuses on fostering a fair and competitive digital market in the EU, “leveling the playing field” so to speak. It includes provisions to enable smaller companies to better compete against dominant tech players, which it designates as “gatekeepers”: Alphabet, Amazon, Apple, Bytedance, Meta and Microsoft.

The law requires more openness and transparency from the gatekeepers, giving smaller players access to more data about audiences and algorithms. Data portability requirements will also benefit consumers and be one of the changes that may help spur competition and innovation.

The DMA also introduces additional data privacy requirements. Some gatekeepers have already begun passing down privacy compliance requirements to third parties that use their platforms and services, e.g. Google requiring implementation of a certified consent management platform supporting the TCF 2.2 and Consent Mode.

Google’s certified CMP requirements

In 2023 Google initiated changes and made several announcements that will have significant effects on its customers’ operations. Beginning in January 2024, publishers and developers using Google AdSense, Ad Manager or AdMob must use a Consent Management Platform (CMP) partner that’s Google-certified and integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF).

This is required if they want to continue serving ads to users in the European Union (EU), European Economic Area (EEA) and/or the United Kingdom (UK). Usercentrics CMP is Google-certified and integrates the TCF 2.2 as well as Consent Mode v2.

Conclusions and what’s to come in 2024

A number of the laws passed in 2023 will come into effect in 2024, or enforcement will begin. This will no doubt cause a privacy compliance scramble for some organizations. Other companies will continue to evolve their data privacy strategies and solutions to maintain compliance as their tech stacks change and their businesses grow.

Several countries have been working toward updating or passing data privacy legislation, and it is likely that will conclude in 2024, in Australia, for example. It’s increasingly likely the ePrivacy Regulation will come into force next year as well in the EU. The United States gained momentum with state-level privacy laws this year, which we expect to continue, especially as more states table updated legislation.

The EU’s AI Act should be finalized by January 2024, and will be the first of its kind, likely to have significant influence on future similar regulations, much as the GDPR has had since coming into effect in 2018.

Business-centered laws like the Digital Services Act and especially the Digital Markets Act are expected to catalyze significant changes in European digital markets, which may well have strong global ripple effects on data privacy, but also in transparency, competition and innovation.

The way we travel has changed dramatically in recent years. Traveling is an offline experience, but the business of travel has increasingly become digital. The global online travel market is projected to reach close to US $1,464 billion by 2027, up from US $800.72 billion in 2021.

Booking flights and hotels through websites and apps is just one way the travel and tourism industry has gone online. We use digital tools like search engines and social media networks to look for the perfect holiday destinations while sharing our travel experiences on blogs and social media platforms. The data we create has become essential for the travel and tourism industry to tailor services, deliver exceptional experiences and reach potential customers through targeted online marketing efforts.

The increase in data creation — and collection by companies — in all industries over the years has resulted in data privacy laws being enacted around the world to safeguard user privacy. Among these is the Digital Markets Act (DMA), which aims to regulate large tech platforms and tackle concerns around competition, consumer protection, and user privacy. The regulation impacts users in the European Union (EU) and European Economic Area (EEA), as well as businesses that collect data from users in these regions. For the travel industry, the Digital Markets Act means new opportunities to attract and retain customers, and changes in how companies handle user data.

We explore how the travel industry uses customer data, the impact of the Digital Markets Act on the industry, and how travel companies can get ready to comply with the DMA regulation’s requirements.

Travel industry bouncing back to pre-pandemic levels

The travel industry, severely impacted by the COVID-19 pandemic, is projected to bounce back with a strong resurgence in domestic leisure travel by 2024, according to the U.S. Travel Association. Air travel in many regions had already returned to pre-pandemic levels by fall 2023. The World Tourism Organization reports the first quarter of 2023 already saw international arrivals reach 80% of pre-pandemic levels worldwide.

Both the industry and travelers are eagerly trying to make up for lost time. Europe saw a resurgence of 90% of pre-pandemic travel levels, with strong demand from travelers within the region itself. Travel and tourism are forecasted to directly contribute to 17.4 million jobs in Europe by 2028.

The industry spans a range of businesses that impact every aspect of travel for consumers:

The role of data in the travel industry

Travel companies gather and use data at every stage of the customer journey, from researching destinations to leaving reviews when the trip is done.

Flight choices, favorite destinations, hotel preferences, what they like to eat when they travel, and even the devices they use to book their trips are all valuable information into what makes each traveler unique.

This amount of knowledge enables companies to build travel experiences that meet customers’ preferences and needs.

Customer data makes a real impact on travel companies’ operations and revenue streams.

Enhancing customer experience and improving loyalty

Knowing a customer’s preferences can help companies proactively offer upgrades, amenities or services that appeal to the customer. When data reveals a guest often chooses rooms with a view or special services, a hotel might offer a complimentary upgrade to a scenic suite or include a spa package to personalize the stay. This targeted approach can make guests feel valued and foster loyalty.

Forecasting demand

Businesses can analyze booking records and current search trends to predict upcoming surges in interest for specific destinations or types of travel and plan accordingly. For example, if an airline notices a consistent increase in bookings for seaside destinations during certain months, they can anticipate this demand and adjust prices early to balance customer interest and price sensitivity with profitability. Forecasting demand can also help marketing teams adjust their strategies on account of fluctuations based on seasonal travel trends.

Targeted marketing and promotions

Access to detailed customer data enables companies to create focused marketing campaigns. For example, if a travel agency identifies customers who frequently book adventure travel packages, they can specifically target these customers with promotions for upcoming trekking expeditions or off-the-beaten-path travel deals.

The impact of the Digital Markets Act on the travel industry

Data helps travel businesses personalize and connect with customers effectively. As travel companies suggest destinations and create custom itineraries, they rely on insights from this data to advertise effectively and make offers that stand out.

However, with enforcement of the Digital Markets Act in the European Union and European Economic Area, the rules of the game are about to change.

The DMA introduces a set of rules and obligations for large online platforms, which the European Commission has designated as gatekeepers under the regulation, and which act as intermediaries between businesses and consumers. While travel businesses may not directly fall under its scope, many rely on the gatekeepers’ platforms for data, analytics, advertising, audience access, and more, so requirements of gatekeepers become requirements of these third parties. There are several key provisions of the DMA that will have a direct impact on their operations.


Data transparency in digital markets and platforms

The Digital Markets Act’s emphasis on transparency is set to have a great impact on how travel services are marketed and delivered. Gatekeepers are now required to share information about their ranking systems as well as ad performance data, enabling businesses that advertise to carry out their own independent verification of the ads’ performance.

This shift provides a number of opportunities to travel businesses.

The DMA’s transparency requirements also extend to data practices, and gatekeepers must clearly communicate how they gather data and why they use it. Travel businesses that use gatekeepers’ platforms will also have to examine their data practices and introduce a clear, transparent privacy policy that details their use of cookies. Such clarity can foster trust with customers, with the added benefit of potentially deepening customer loyalty for platforms that handle data responsibly.

Transparency challenges for the travel industry

The requirement for transparency brings its own set of challenges, particularly for smaller travel companies, which may find it daunting to interpret the detailed information available from gatekeepers. Adapting to transparent ad performance data could require additional resources in the form of tools or staff to stay on top of campaign analysis and optimization. The need to stay competitive might lead to a rapid change in offers and services, demanding agility and flexibility from travel businesses. This could require additional resource investments by small businesses, which could create a financial burden.

Impact of data access and portability for travel companies

Under the Digital Markets Act, there are specific provisions that reinforce users’ rights to access and move their data (aka data portability). While travel businesses themselves may not be directly regulated by the DMA, their interactions with regulated gatekeepers might require them to adopt similar data portability functionalities. This may compel travel companies to make changes to their technical infrastructure that enable customers to transfer their personal and preference data to competing services.

For instance, a travel business that tracks website performance through Google Analytics 4 or advertises on Meta’s platforms may find that customers, using their new rights under the DMA, request their data profiles to move to a competitor’s service. Although the travel company isn’t a gatekeeper and thus not directly subject to the DMA, it must still be capable of honoring such requests: the GDPR’s right to data portability (Article 20) applies to it directly, and the gatekeeper’s DMA portability obligation covers the data generated through the company’s use of the core platform service.

For travelers, the ease of data transfer could simplify a decision to switch services, which may drive travel companies to offer more functions, more competitive pricing, better customer service, and overall enhanced experiences in an effort to retain loyalty.

Mobile app data portability challenges for the travel industry

Travel businesses must be proactive in developing or adopting technology that can handle these data movements and comply with broader DMA-inspired expectations, regardless of whether they are immediately subject to the regulation’s rules.

The data portability requirement of the Digital Markets Act extends to mobile applications as well, impacting how travel companies manage user data on these platforms. Adapting to data portability for mobile apps means ensuring that users can easily transfer their data, such as travel preferences, reviews, or booking history, from the app to other services. This could involve implementing features that enable users to download their data in a user-friendly format or establishing secure protocols for transferring data to another service upon user request.

Moreover, as app users become more aware of their data rights, they might increasingly expect such functionality. Travel businesses that proactively upgrade their mobile apps to facilitate data portability can therefore not only comply with the DMA but also position themselves as customer-centric, potentially leading to higher user retention and loyalty.

Developing and maintaining these tech systems can be complex and costly, especially for smaller businesses. There’s also the chance that customers will be less likely to remain repeat customers once it becomes easier for them to switch to different services. This means travel companies may have to find more innovative ways to improve the customer experience to retain customers.

Impact of data privacy and user rights provisions on travel businesses

The Digital Markets Act requires gatekeepers to obtain users’ specific consent before combining personal data collected on one of their core platform services with data from their other services or from third parties, before cross-using it in other services, and before using it for targeted advertising. Consent to one purpose does not cover the others: generic, bundled consent is not enough. The consent standard is the GDPR’s, so gatekeepers must also disclose what the data will be used for, how long it will be stored, and with whom it may be shared. These requirements line up with the obligations travel companies already have under the General Data Protection Regulation (GDPR) for data from users in the EU.

One of the big changes with the DMA is that gatekeepers can’t combine a user’s data from different platforms or services to build customer profiles without that user’s specific consent, and businesses that rely on the gatekeepers’ data inherit that constraint. Travel businesses might collect user data — with valid, explicit consent — from multiple digital platforms. For example, an airline may use its own website and an online booking platform to issue tickets, as well as Google Ads for pay-per-click advertising campaigns and YouTube or social networks for destination marketing campaigns. All these platforms generate data, whether that’s search and browsing history or booking details.

The DMA’s restriction on combining user data from different platforms gives travelers more power over their data, which should lead to better privacy and fewer unwanted sales emails. When travelers do get offers from companies, they’re more likely to be about something they’re actually interested in.

Data privacy challenges for the travel industry

For the travel industry, the challenges are tangible. Failure to comply won’t result in fines or penalties under the DMA for companies that are not designated gatekeepers, but it can result in penalties under the GDPR and restriction from accessing gatekeepers’ platforms. The loss of ad revenue, for example, could be as bad as a hefty fine.

Businesses will also have to adopt data management strategies to ensure that data from different platforms is not combined for profiling without explicit user consent, and that some is not combined — or even collected — at all, like that belonging to minors. In addition, if third-party vendors or partners handle data that originates from the business’s platform, they must vet these companies’ data policies to ensure they align with the DMA’s requirements.

It is increasingly common under data privacy laws that data controllers and any third-party data processors they work with must have contractual agreements in place about processing operations and data security and privacy activities.

Companies will also have to rethink their marketing strategies, which have traditionally leaned on extensive data analytics and customer profiling, and find new ways to give travelers the personal touch without stepping on their privacy. Increasingly, “zero-party” data is the gold standard, as this information comes directly from consumers, and includes their expressed preferences, interests, and consent choices.

Consented data helps travel and tourism businesses make better decisions and plan more effectively. The relationship between consent rates and business performance is straightforward. Higher consent rates result in richer, more valuable data for analysis.

Consented data not only enables businesses to tailor their services to individual preferences, but it also signals to customers that their preferences are valued and taken into account. This can lead to higher customer satisfaction rates, stronger customer loyalty, and more repeat business.

Marketing campaigns also benefit substantially from consented data. When travelers agree to share their data, travel companies can create offers that match what they know travelers are interested in and can afford. With more travelers giving consent, companies can plan their online ads and social media activities to connect with the right people on the right platforms, which can lead to spending their marketing budget more wisely.

Leveraging different consent rate levels from travelers

Travel businesses can strategically adapt to varying consent rates, tailoring their data usage and marketing strategies accordingly.

High consent rates

With more data, travel websites and apps can achieve deep personalization in their customer acquisition strategies.

For example, when a user consents to share their data with an online travel agent, they can track the user’s search patterns, such as the destinations they search for or the type of accommodations they prefer. This information can be used to display tailored pay-per-click (PPC) ads.

The campaign might also use retargeting strategies. If a user visited the online travel agent’s website and looked at a beach retreat but did not book, they could be shown a PPC ad saying, “Still Thinking About the Beach? Click for an Exclusive Winter Wellness Package.”

With higher consent rates, the travel company can continuously gather and analyze user data, which enables optimization of keywords, ad copy and bidding strategies, resulting in ads that resonate more with potential customers.

Moderate consent rates

At moderate consent levels, segmentation becomes key. Although the level of personalization may not be as deep as with high consent rates, travel businesses can still segment their audience based on available demographic information, location and observed behavior, and then tailor their marketing to these segments to acquire new customers.

For example, if a hotel identifies a segment interested in local culture and events, it can create content like a “Cultural Weekend Getaway” package that includes accommodation and tickets to a local museum. This targeted approach would place the hotel’s promotional content on the feeds of those whose social media behavior aligns with an interest in cultural activities and encourage bookings from individuals looking for a culturally enriched stay.

Low consent rates

Even with minimal consent, travel companies can analyze aggregated and anonymized data for broad data trends without knowing personal details.

For example, if the aggregated data for an airline shows that a significant number of users access the website via mobile, they can optimize their website for mobile usage, which is a critical SEO factor. This could include creating a responsive design, ensuring fast page load times, and providing sophisticated search functionalities to ensure users can easily find flight options, increasing the site’s usability and search engine ranking.

Strategies to optimize consent rates

Travel companies can make their consent process transparent and straightforward to foster trust and encourage more customers to share their data.

Demonstrate value: Travel businesses should be transparent and share information with customers about how their data will be used. They can explain how it makes it easier for them to share flight deals or hotel stays that are relevant for the customer, which can encourage customers to share more.

Improve the consent experience: Make the process of giving valid consent as easy as possible, which can help increase the number of customers who agree to share their data. This could involve using consent mechanisms that are user-friendly and easy to understand, such as a well-designed cookie consent banner that’s written in simple language.

Gain trust: Use design principles that give users a real choice in whether to give or decline consent. Doing so can demonstrate that you value their data and don’t use dark patterns or manipulative tactics to coerce them into sharing their personal information with you.


How travel businesses can get ready for the Digital Markets Act

Follow updates to gatekeepers requirements

Some of the gatekeeper companies — including Alphabet (Google) — have begun to require businesses using their platforms to make certain changes or updates that focus on user privacy in line with the DMA’s provisions.

Google, for example, requires companies that collect data from users in the EU, EEA and/or UK and use its platforms to comply with its EU User Consent Policy or find themselves suspended from the platforms. Companies that use Google’s ad platforms to serve ads to traffic from the EU, EEA and/or UK must specifically use a Google-certified CMP as of January 16, 2024 if they want to continue serving personalized ads to visitors in these regions. As a result of both these requirements, travel companies will have to obtain valid GDPR-standard consent (freely given, specific, informed and unambiguous) before collecting personal data, which is also the consent standard the Digital Markets Act references.

Meta offers users in the EU, EEA and Switzerland a paid monthly subscription so that their personal data isn’t used for advertising. Users who choose not to subscribe agree to their data being collected and processed for personalized ads. Travel companies that advertise on Meta’s platforms (Facebook and Instagram) will have to alter their paid marketing strategies to reach a relevant audience.

As communication around DMA requirements is an ongoing process, travel companies should regularly monitor news and updates from gatekeepers and regulatory bodies to stay updated on the steps they’re required to take. They can get ready for the DMA by implementing the changes required by the gatekeeper platforms to continue using the platforms without interruption.

Use a consent management platform to obtain valid consent

Travel businesses preparing for the Digital Markets Act should prioritize securing valid consent under the regulation. The DMA’s transparency obligations mean travel companies need clear privacy policies and easy-to-understand cookie consent banners. These banners should be straightforward, informing customers about the data being collected and how it will be used, to ensure that any consent given is informed and voluntary.

Using a consent management platform (CMP) like Usercentrics CMP makes collecting valid consent easy for businesses. Usercentrics simplifies the process by providing customizable consent banners that adjust to the user’s location, adhering to local data privacy regulations. It integrates seamlessly with popular content management systems (CMS) such as Adobe Experience Manager, Shopify, WordPress, Duda, BigCommerce and PrestaShop. It also integrates with popular services such as Adobe, Microsoft, HubSpot, and Google’s suite of services to ensure seamless compliance across platforms.



In addition to collecting consent on web browsers, Usercentrics App CMP fully supports your travel booking mobile apps built on iOS, Android, React and Flutter.

Conduct regular data privacy audits

Companies should establish periodic internal audits, including data protection impact assessments (DPIAs), that scrutinize how the company handles user data and check that storage, processing, and sharing procedures meet the requirements in force under the Digital Markets Act at the time of the audit.

By routinely evaluating these practices, travel businesses can adapt to changes in the regulation, or the advent of future regulations, so that their practices align with the applicable requirements at each audit point.

Enhance data management processes

Travel companies managing customer data across various platforms must develop a meticulous data management approach. This strategy should be capable of handling information across different systems while prioritizing the privacy of travelers and adhering to legal standards. User data must remain confidential and secure at each stage of the process, from collection to storage to use.

Seek legal expertise

Businesses should enlist the help of legal professionals and/or privacy experts well-versed in data protection laws, such as a Data Protection Officer (DPO), to navigate privacy regulations effectively. These experts are adept at identifying specific risk areas within a company’s data handling processes and providing concrete recommendations to enhance compliance in strict accordance with evolving privacy laws including DMA privacy compliance.

With Consent Mode, Google has provided a solution for businesses to customize how Google tags behave on their website related to ads and analytics cookies based on users’ consent status.

How does Google Consent Mode work?

By pairing the Consent Mode API with the Usercentrics Consent Management Platform (CMP), advertisers can signal to Google whether the user has given consent for cookie usage related to ads and/or analytics.

The supported Google tags will respect this signal and adjust their behavior accordingly, only using cookies if consent was granted for the specific purposes.
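As an added example (not code from the original page, from Usercentrics, or from Google), the following JavaScript shows the two signals the paragraph above describes: a Consent Mode 'default' command that denies every storage type before any Google tag loads, and an 'update' command that maps a CMP’s per-category decisions onto Google’s consent types. The consent type names (ad_storage, analytics_storage, and the ad_user_data and ad_personalization types added in Consent Mode v2), the 'default'/'update' commands and the wait_for_update parameter are Google’s documented Consent Mode API; the gtag() stub, the in-memory dataLayer, and the CMP category names marketing and statistics are assumptions made for illustration and will differ in a real CMP integration.

```javascript
// Added example: Google Consent Mode default + update signals driven by a
// CMP's consent state. gtag() stub, dataLayer array and the CMP category
// names ("marketing", "statistics") are assumptions for illustration.

const dataLayer = [];                 // stands in for window.dataLayer
function gtag() { dataLayer.push(Array.from(arguments)); }

// Every Google consent type starts out denied until the user decides.
const DENY_ALL = {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};

// Must run before any Google tag script is loaded: deny everything and give
// the CMP up to 500 ms to deliver a stored decision before tags fire.
function setConsentDefaults() {
  gtag('consent', 'default', { ...DENY_ALL, wait_for_update: 500 });
}

// Map a CMP's category decisions onto Google's consent types. Anything that
// is not an explicit `true` (undefined, null, "pending") stays denied.
function consentFromCmp(cmp) {
  const marketing = cmp && cmp.marketing === true ? 'granted' : 'denied';
  const statistics = cmp && cmp.statistics === true ? 'granted' : 'denied';
  return {
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
    analytics_storage: statistics,
  };
}

// Called whenever the CMP reports a new or changed decision; returns the
// state that was pushed so callers (and tests) can inspect it.
function applyCmpConsent(cmp) {
  const state = consentFromCmp(cmp);
  gtag('consent', 'update', state);
  return state;
}

// Last effective value for one consent type, as a Google tag reading the
// dataLayer in order would see it.
function effectiveConsent(type) {
  let value;
  for (const entry of dataLayer) {
    const [cmd, , params] = entry;
    if (cmd === 'consent' && params && type in params) value = params[type];
  }
  return value;
}

// Stand-alone run: defaults first, then a user who accepts analytics only.
setConsentDefaults();
applyCmpConsent({ marketing: false, statistics: true });
console.log(effectiveConsent('ad_storage'), effectiveConsent('analytics_storage'));
```

The order matters: if the 'default' command runs after the Google tag script, the tag may set advertising cookies before consent exists, which is exactly what the consent policy forbids. Mapping anything other than an explicit grant to 'denied' keeps an unknown or pending CMP state on the safe side.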

[Figure: Google Consent Mode, tag behavior based on consent (Source: Google)]

Which Google services support Consent Mode?

The following tools and services currently support Consent Mode. As this list will change over time, it’s important to regularly review website infrastructure, marketing tools, and data processing operations to ensure all functions and data privacy compliance activities are kept up to date.

✔ Google Analytics
✔ Google Analytics 4
✔ Google Ads (Google Ads Conversion Tracking and Remarketing)
✔ Floodlight
✔ Conversion Linker

Google’s support documentation provides more information about Consent Mode for websites and apps.

Google also supports the IAB TCF v2.2 framework with its ad systems. Consent Mode is meant to be used by advertisers that are not using a consent management platform implementation integrated with and supporting the TCF v2.2. Usercentrics CMP is a Google-certified CMP, which is a requirement to serve ads with Google services in the EU/EEA and UK.

Google Consent Mode with Usercentrics CMP: Implementation example

Implementing Google Consent Mode with the Usercentrics CMP solution, as an alternative to blocking Google tags outright until consent is given, requires just two steps:

Read Usercentrics’ full Google Consent Mode documentation for more information.


Conclusions and the future of Google Consent Mode

As more data privacy regulations are passed around the world and as consumers only become more aware of their rights and the use of their data, smart solutions for consent will become ever more important.

Google continues to build on, evolve and integrate products and services to enable privacy compliance and consent management. Companies using their products for advertising, analytics, and more should be sure to regularly review their operations and ensure their implementations are up to date. This will help enable continued privacy compliance with regulations, get the valuable data companies need for marketing operations, and build trust and engagement with users.