Digital markets have a number of large, dominant online platforms. These companies have great influence over everything from policies to privacy to how consumers use online services. The European Digital Markets Act (DMA) aims to ensure that these companies, which they call “gatekeepers,” operate fairly and promote competition. The DMA is designed to ensure fair business practices, prevent abuse of their power and position in the marketplace, and protect consumer privacy online.

The DMA regulation provides a framework that makes major players in the ad tech sector responsible for the user data they collect and use in the EU. They must ensure that they obtain valid consent; it is no longer the responsibility of individual websites using the services of these gatekeepers.

In this summary of the Digital Markets Act, we will look at the core provisions of the DMA Privacy Act, as well as its impact on gatekeepers and other organizations, and what it does for users online.

What is the Digital Markets Act (DMA)?

The Digital Markets Act (DMA) is a regulation that affects organizations doing business in the European Union. As of November 2022, when it took effect, antitrust concerns are being addressed at large technology companies – gatekeepers – that control many online activities and process vast amounts of consumer data.

The DMA Act aims to influence competition and ensure fairness and transparency of gatekeepers. Because of their undue influence on the market and consumers, the DMA imposes restrictions on a variety of tech services, including search engines, cloud services, social networks, video sharing platforms, online advertising networks and more products and services owned by large digital companies. enterprises.

A key goal of the DMA is to level the playing field for smaller organizations in the digital space and provide better protection of user rights and data. For example, there are new restrictions on data access and users can now uninstall applications pre-installed on their phones, in browsers and on other platforms.

Who are the gatekeepers of the DMA and what do they control?

Big Tech, tech giants, gatekeepers: they pretty much all refer to the same players. So who has identified the European Commission (EC) as highly influential organizations that strongly influence the market and how it works between consumers and so many other businesses?

The six are:

• Alphabet (parent company of Google and Android)
• Amazon
• Apple
• ByteDancing (parent company of TikTok)
• Meta (parent company of Facebook, Instagram, WhatsApp, and others)
• MicrosoftName (parent company of LinkedIn)

Of these six companies, all are based in the United States, with the exception of ByteDance, which is Chinese. The EC also listed 22 critical platforms/services managed by these gatekeepers:

• 1 search engine (Google)
• 1 video sharing platform (YouTube)
• 2 major communication services (Facebook Messenger and WhatsApp, both owned by Meta)
• 2 web browsers (Chrome and Safari)
• 3 most popular operating systems (Google Android, iOS, Windows PC OS)
• 3 online advertising services (Amazon, Google, and Meta)
• 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
• 6 intermediary platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)

Notable omissions included Korean conglomerate Samsung (market leader for Android mobile devices), Google’s Web-based e-mail service Gmail and Microsoft’s Web-based e-mail service Outlook.

The EC’s explanation for the decision to exclude these providers and services was as follows:

“The Commission has concluded that although Gmail, Outlook.com and Samsung Internet Browser meet the thresholds under the DMA to qualify as gateways, Alphabet, Microsoft and Samsung have presented sufficiently reasoned arguments showing that these services do not qualify as gateways to the respective core platform services. “Therefore, the Commission decided not to designate Gmail, Outlook.com and Samsung Internet Browser as core platform services. It follows that Samsung has not been designated as a gatekeeper with respect to any core platform service.”

What are the gatekeeper’s obligations under the DMA?

The DMA has a compliance deadline of March 6, 2024 for gatekeepers to comply with a list of “do’s and don’ts. These requirements are designed to improve user privacy and help ensure fair competition in digital markets.

The “do” list focuses on a broader ecosystem and information sharing. The “don’t do” list focuses on not allowing preferential treatment, silos, excessive tracking and limiting user choices.

How do gatekeepers respond to the DMA?

The response from technology giants has been mixed. Google has announced they will be making changes, noting in a blog post, “Our goal is to make changes consistent with the new regulations while preserving the user experience and delivering valuable, innovative and secure products for European users.”

Microsoft welcomed the European Commission’ s decision to open an investigation into possible DMA exemptions for services such as Bing, Edge and Microsoft Ads. It did note that it accepted the designation as gatekeeper.

Apple and TikTok’s reception of the DMA was less positive. Apple expressed lingering concerns about the DMA law regarding privacy and security risks. Apple’s statement mentioned a commitment to “mitigate these impacts and continue to deliver the very best products and services to our European customers.“

TikTok’s parent company ByteDance did say it would meet the criteria, but at the same time “fundamentally disagreed with this decision,” disputed whether it should be listed at all, and was “disappointed that no market research was conducted prior to this decision. decision”.

Meta’s response was more limited, with a spokesperson noting, “We are evaluating the Commission’s appointments and will provide further information in due course as we work to comply with the DMA.“

What does the DMA law require of gatekeepers?

There are three main categories of change or new responsibility for gatekeeper organizations:

• Interoperability and non-discrimination
• Data portability and access
• Transparency and profiling

The interoperability and non-discrimination requirements of the DMA Act

Much of the DMA’s requirements are designed to expand the digital ecosystem in a healthy, sustainable way. Gatekeepers will need to ensure interoperability of their platforms and services with third parties. Communication and integrations with gatekeeper platforms are required. This helps prevent excessive benefits and promotes competition. Gatekeepers cannot favor their services over those of smaller competitors.

Non-discrimination requirements focus on fair treatment of all firms, designed to prevent preferential treatment for gatekeepers’ own products and services or those of preferred partners.

The data portability and access requirements of the DMA Act

Under the DMA Privacy Act, gatekeepers cannot prevent users from changing services or service providers. They should have control over their data and be able to transfer it to another service or platform, also called data portability under many privacy laws.

Users, businesses and other third parties should also have real-time access, if requested, to the data they generate on gatekeeper platforms. Data access or access requests from data subjects are one form of this.

The transparency and profiling requirements of the DMA Act

Gatekeepers should provide clear, verified information about how consumer profiling is conducted on their platforms. Just as many privacy laws contain requirements about data processing, including purposes and sharing, the DMA requires disclosure about the purpose, duration and impact of consumer profiling.

Gatekeepers should also ensure that efforts are made to obtain user consent, and provide options that allow users to withdraw or refuse consent to the collection and use of data. Overall, the goal is to ensure that consumers are informed and kept informed about what data they provide to companies, how it is used and what their privacy rights are.

What are the benefits of the Digital Market Act (DMA)?

While the DMA focuses on large technology companies, a wide variety of organizations benefit from its requirements.

• Consumers: access to more and better services, more opportunities to switch providers, direct access to services, more competitive prices, better data protection.
• Businesses: Greater fairness in the marketplace for smaller businesses that rely on gatekeeper services.
• Gatekeepers: Maintain opportunities for innovation and rollout of new products and services. Greater clarity on permissible business practices.
• Tech startups and innovators: new opportunities to be competitive on online platforms and in the digital ecosystem without having to meet onerous third-party conditions that hinder growth.

What the DMA means for user privacy and permission management

User privacy and data protection are key objectives of the Digital Markets Act, so the impact of the law will be significant. The DMA limits the legal bases that gatekeepers can use to process personal data. These organizations can claim a legal obligation, vital interest or public interest, but will need to be able to substantiate them. User consent is also a viable legal basis, but it must be obtained in a valid way.

Consent marketing emphasizes the importance and benefits of obtaining explicit and informed consent from users and ensuring user control over their data before it is collected and processed for marketing activities, so the DMA further supports this.

Want to continue your online ad spending? Read all about it in our guide.

DMA privacy law requirements for valid user consent

To process users’ personal data for a number of reasons, gatekeepers must obtain valid consent from them and may not use manipulative design practices to obtain it (e.g., dark patterns). Activities requiring prior consent include online advertising or combining personal data from different services. Users should also be informed that they can refuse consent and its consequences.

DMA Privacy Act requirements for sharing personal data

The Digital Markets Act aims to eliminate unfair competitive advantages and information silos between technology organizations with platforms that collect and process consumers’ personal data. It requires gatekeepers to share the data (with restrictions) they collect – upon request – with other companies or advertisers operating on their platforms. This allows these smaller companies to use user data for targeted advertising or to personalize services.

Data sharing should be reasonable and not preferential, and user privacy and data protection should be a priority.

DMA privacy law on data portability rights

The right to data portability is not universal under the privacy laws, but is part of the AVG and the DMA. Gatekeepers should allow users to retrieve their personal data (usually in a commonly usable format) and transfer it to other platforms or services. This right allows users to retain control of their data and does not penalize them for leaving a platform or discontinuing use of a service. It also helps encourage competition among platform providers and others to provide the best experiences and services to users.

DMA privacy law on transparency and user control

Under privacy laws, it is standard that users must be informed about the collection and use of data, and the DMA is no exception. Consumers need to be able to make informed choices about how to access and use their data, and these notifications about what data is collected, what it is used for, with whom it can be shared, and more, make that possible.

Profiling techniques should be clearly explained by gatekeeper organizations and users should be asked for consent before organizations start using targeted advertising. Users should also be able to refuse or withdraw their consent at any time.

Platforms for DMA law compliance and consent management

All companies that collect and use consumers’ personal data have a responsibility to inform users about the collection and use of data, and to obtain it in a compliant manner (e.g., with consent), and to manage and share it securely. This includes gatekeepers and the outside organizations that use their services.

More needs to be determined about exactly how gatekeepers and third parties, such as advertisers, will achieve compliance and data usage, and what the exact legal and technical requirements will be. However, existing privacy laws, such as the AVG, already provide strict requirements and best practices for companies doing business in the EU, and the DMA works in conjunction with existing (and possibly future) regulations.

Third parties using gatekeeper’s platforms and services, such as websites and apps, will play a key role in gathering consent from users before personal data is collected and used. While the gatekeepers will have to comply with the DMA, these smaller companies that use their platforms and do business with them will be on the front lines, so to speak, with respect to user engagement, obtaining consent, etc.

A consent management platform can be an important tool in obtaining compliant consent from users for data use. Consent Management Platforms (CMP) such as the Cookiebot™ consent solution and Usercentrics CMP are already valuable tools for organizations of all sizes to obtain valid user consent and comply with data privacy laws.

Implementation challenges and future implications of the DMA Act

Although gatekeepers and other organizations must already comply with existing privacy regulations, the DMA will require additional efforts and likely create some challenges.

Necessary adjustments to data collection and processing practices, technology updates and changes, and other actions will likely be required to meet DMA compliance requirements. Supervisors will play an important role in enforcement, ensuring that gatekeepers’ actions are compliant and not just paying lip service to data sharing requirements and other actions.

The Digital Markets Act and its role in the digital world

The DMA represents a further strengthening of consumers’ rights regarding their personal data, and ensures the protection of data and those rights. The obligations of identified gatekeepers to comply with the DMA and the restrictions placed on these companies also help level the playing field in digital markets and help smaller organizations compete globally. This will also promote better innovation and enable better online experiences for users. The DMA aims to help create a more transparent and user-centric digital ecosystem.

Preparing for DMA compliance

European data protection authorities are committed to enforcing data privacy laws, with the DMA reinforcing this commitment. Gatekeepers who violate the DMA face significant fines, possible divestitures and takeover bans. External organizations also risk loss of platform access, data loss and revenue impacts due to non-compliance with DMA, AVG or other privacy laws. Maintaining compliance is critical to maintaining brand reputation and consumer confidence.

Implementing a Consent Manegement Platform aligns your business with DMA requirements, protects against breaches and ensures uninterrupted access to gatekeeper services.

Do you have questions about the DMA? Contact us.

Want to read more about the DMA? Read all about it in our guide Digital Markets Act – guide to unraveling the DMA puzzle.