Digital Markets Act (DMA) compliance: what you need to know
Tracking and measurement make the foundation of online marketing. đ
Less data = worse performance. đŠ
And with Google Adsâ recent changes a lot of data and features might be lost soon. đ°
đđł đŽđąđđ˛đżđđśđđ˛đżđ đđŽđťđ đđź đ°đźđťđđśđťđđ˛ đđđśđťđ´
– Remarketing
– Customer Match
– GA4 Audience Lists
– Lookalike Audiences
Thanks to Maximilan
This includes PMAX and further down the line, conversion data might not be shared unless you have consent mode enabled.

Introduction to the Digital Markets Act and its implications
The European Commissionâs (EC) Digital Markets Act (DMA) came into effect in November of 2022. It became actionable in May 2023, but the companies designated as âgatekeepersâ by the EC have until March 6, 2024 to ensure their compliance with the Act.
Additionally, companies doing business in the European Union, European Economic Area and United Kingdom, and that use the gatekeepersâ services will also likely need to achieve and maintain compliance to prevent business disruptions.
Penalties for Digital Markets Act (DMA) violations are significant, and can be up to 10% of global annual turnover for gatekeepers, or up to 20% for repeated violations, among other penalties. Third parties using gatekeepersâ platforms and services could lose access to them, along with their data and user bases. This would cut off advertising, analytics, and other necessary functions, damaging business operations with losses of audience access, revenue, and brand reputation.
Obligations imposed by the Digital Markets Act are fairly similar to some of those required by the General Data Protection Regulation (GDPR), but they cover more territory. For example, the Digital Markets Act includes additional access to consumersâ personal data and uses of it. The Act also aims to bolster the competition landscape and increase fairness among digital companies and benefit smaller organizations in the market.
1. Which companies has the European Commission designated as gatekeepers?
The European Commission has so far designated six âgatekeeperâ companies under the Digital Markets Act, based on the size and influence of their platforms and audiences, and their power in the digital market. The list may grow or change in the future.
- Alphabet (parent company of Google and Android)
- Meta (parent company of Facebook, Instagram, WhatsApp and others)
- Apple
- Microsoft
- Amazon
- ByteDance (parent company of TikTok)
The gatekeeper designation means that these platforms and the services they offer have to ensure theyâre in compliance with the DMA by March 6, 2024. Otherwise, they risk substantial penalties.
Wondering about the DMA definition of gatekeeper and other terms? Learn more with our comprehensive glossary.
Requirements for Digital Markets Act compliance for third-party companies
Companies that use the gatekeepersâ core platform services in Europe will also need to demonstrate their compliance (e.g. collecting and signaling valid user consent) or risk losing access to those platforms and the associated data, user base and revenue.
Companies operating in the European Union, European Economic Area and the United Kingdom may also need to comply with additional data privacy regulations, like the GDPR. Fortunately, many of the lawsâ requirements are in alignment already.
These requirements make implementation of a consent management solution important to help ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data, and that you can signal it to gatekeepers.
2. What is a core platform service under the Digital Markets Act?
To date, the European Commission has identified 22 core platform services (CPS) among those that the gatekeepers own and operate. This list may grow or change over time. These are the services most under compliance scrutiny under the DMA due to their vast audiences, amount of data generated and processed, and consumer and market influence:
- 3 operating systems (Google Android, iOS, Windows PC OS)
- 2 web browsers (Chrome and Safari)
- 1 search engine (Google)
- 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
- 6 intermediary platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
- 3 online advertising services (Amazon, Google, and Meta)
- 2 large communication services (Facebook Messenger and WhatsApp)
- 1 video sharing platform (YouTube)
Third-party entities that make use of the CPS will be required by the gatekeepers to comply with the Digital Markets Act if they want to maintain access to these services, e.g. for advertising. Otherwise they risk significant revenue loss if their access to the platforms is removed.
Does the Digital Markets Act provide more protection for user privacy?
The Digital Markets Act uses the same principles for user privacy and consent as the EUâs GDPR and ePrivacy Directive (ePD). This means that they use an opt-in model, and personal data cannot be collected or processed before valid consent is obtained. Third parties will also have to be able to signal this consent to gatekeepers like Google.
As per the GDPR, consent must be freely given, specific, informed, unambiguous, and obtained in advance of data collection.
Consent is also not a âsingle useâ action. Consumers must be able to change or withdraw their consent at any time, and it must be as easy to do so as it was to provide consent. If a company is audited by data protection authorities, they must be able to provide a record of user consent choices.
A consent management platform (CMP) enables companies to do several things that facilitate valid consent and regulatory compliance with privacy laws. A CMP enables companies to:
- notify users about what personal data they collect from the use of cookies or other trackers
- enable overall or granular-level consent for tracking technologies in use
- provide consent options and enable them to be changed
- store consent data securely
Companies using Google services must also support the most up to date version of Google Consent Mode, as this is used to enable consent signaling to Google when their services are in use.
Prior or opt-in consent is required by the DMA from customers, visitors or site/app users of gatekeepersâ and third partiesâ services, if these companies:
- process personal data in the course of providing advertising service using CPS
- combine personal data from CPS with data from other CPS or services provided by the gatekeepers
- cross-use personal data from CPS in other services the gatekeepers or CPS provideand/or
- sign end users in to other services in order to combine personal data
4. What rights do third-party companies have under the Digital Markets Act?
One of the big goals of the Digital Markets Act is a fairer digital marketplace and improved competition. To this end, the law has a number of requirements that gatekeepers must meet, and which benefit third parties using the CPS. These benefits include:
- allowing third-partiesâ apps to equally accessed and used on on gatekeepersâ operating system(s)
- allowing more access to data generated by activities on CPS
- prevention of preferential ranking of gatekeepersâ services
- prohibiting tracking of end users outside of the gatekeepersâ CPS for targeted advertising purposes unless consent is obtained
- ability to uninstall pre-installed apps
- enabling operating system or browser settings leading to gatekeepersâ products or services to be changed
- allowing third-party business users to offer their products and services on their own or third-party platforms for the same price as on gatekeepersâ platforms and services
- providing advertisers and publishers information free of charge about ads placed, remuneration and fees
Read the ECâs published list of specific âdoâs and donâtsâ for gatekeepers
5. How can companies obtain and store valid consent under the Digital Markets Act?
Conditions for valid consent under the Digital Markets Act are the same as under the GDPR:
Explicit: Active acceptance required, e.g. ticking a box or clicking a link.
Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?
Documented: You have the burden of proof of consent in the case of an audit.
In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.
Granular: Individual consent for individual purpose, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.
Freely given: Equally accessible and easy to use âAcceptâ and âDenyâ options, e.g. buttons all on the first layer of the CMP. Do not manipulate usersâ choices via design.
Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.
The GDPR and DMA require consent for the use of cookies and trackers on websites. This makes a consent management platform (CMP) a necessary tool in many cases, but a lot of companies doing business in the EU do not have a CMP installed, or itâs installed incorrectly, preventing regulatory compliance.
These companies risk noncompliance with the Digital Markets Act, which also risks their business continuation via access to the gatekeepersâ platforms and services, including advertising with Google.
A consent management platform can be implemented on websites, apps, and other platforms in minutes. A CMP like Cookiebot CMP can be customized to match corporate branding, and deep scans your website to ensure detection and control of all of the cookies and other tracking technologies you use.
Cookiebot CMP is a European leader in helping companies obtain consent and achieve data privacy compliance, and enables this right out of the box. Cookiebot CMP relies on state of the art technology that detects more cookies and trackers. It automates detection, categorization and blocking of them over time to help you maintain compliance without dedicating a lot of technical or legal resources. Protect your operations from DMA violations and ensure you can keep using gatekeepersâ services.
6. How can a CMP get you ready for the Digital Markets Act and why do you need one?
Data protection authorities in Europe have demonstrated that they will pursue compliance with data privacy laws, and enforcement continues to expand. The DMA will build on that commitment.
The European Commission can impose fines for DMA violations on gatekeepers of up to 10% of the companyâs annual global turnover, 20% in cases of repeated violations. Additionally, the EC can require gatekeepers in the EU to sell parts or all of a business, or institute bans on acquisitions if they would involve lines of business in which the entity had been found to be in violation.
As for third-party organizations relying on gatekeepersâ services, if they fail to comply, they can lose platform access, which would also involve loss of data, audience/customers, and be a hit to revenue. As noted, the DMA bears similarities with other laws, so a DMA violation may also mean a violation of the GDPR or other privacy laws, which have their own potential penalties. This would be publicity no company wants, and would likely damage brand reputation and consumer trust, which would be a further hit to revenues and growth potential.
How do you implement a CMP to be ready for the Digital Markets Act?
The specifics of CMP implementation do depend on what platforms youâre using, like your CMS, as well as other tools, including Google Tag Manager and other services. Cookiebot CMP is flexible and can be installed with just a few lines of JavaScript. Thereâs also a cookies WordPress plugin.
- Select a flexible, reliable CMP that can be customized to your needs and will be easy to maintain by technical or non-technical staff
- Implement the CMP according to your website setup and your integrations, including those of DMAâs designated gatekeepers
- Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
- Activate Google Consent Mode signaling
- Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
- Start collecting DMA-compliant consent from users
Google Consent Mode v2 and TCF 2.2 implementation FAQs
- Does the TCF or Consent Mode apply to the USA and non-EU (GDPR) countries? No, they donât. But if you have visitors from the EEA/EU, you will need to obtain consent and provide consent signals.
- What happens if thereâs no consent tool and nothing is being blocked? What is the default state? Weâre not sure yet, but the most likely scenario is that the service wonât run. So in the case of Google Ads, no ads will be served. Currently users are receiving warnings in Google Ads for exactly this case.
- Is enabling the TCF necessary if no ad services are used on the homepage? No, the TCF is only needed for publishers and websites that generate ad revenue.
- Do I need to set the status for each service before loading Usercentrics CMP, or is implementing Smart Data Protector sufficient? Assuming that everything is configured correctly, you should be able to simply rely on the Smart Data Protector. The service wonât be able to run without prior consent.
- If using only Consent Mode v2, does it protect serving ads for Google, Facebook, and everything else? Itâs important to keep in mind that Consent Mode is a Google product and only Google Tag Manager (GTM) receives Consent Mode signals. That being said, if you use GTM to load third-party services from Apple, Amazon, Meta, Microsoft, or ByteDance you can use Consent Mode to only load these services if consent has been given.
- Are adjustments required in the Consent Manager, such as changes to the consent text on the first layer? No, when you enable the TCF, your bannerâs configuration will automatically be adjusted to satisfy the requirements set forth by IAB Europe. Consent Mode has no requirements when it comes to banner configuration. You donât even have to mention that youâre using it.
- How can I easily verify correct implementation of the TCF and Consent Mode? For the TCF, if you issue the following command in the developer console, and donât get âtrueâ, then TCF is enabled: â__tcfapiâ in window. Regarding correct implementation, the service that requires TC Strings (TCF consent strings) will generally inform you if something is amiss. For Consent Mode you can check the âConsentâ tab in the GTM preview or Tag Assistant.
- Will the user interface display specific options for ad_user_data and ad_personalization, or will it remain unchanged? This will most likely remain unchanged. Regardless of whether or not you ask people for consent for services or cookie types, there is no real need to split these permissions up. That being said, as things develop and a demand arises to be able to set these permissions separately we may very well add that option. In my own experience users usually go all in for consent or decline all and rarely take the time to make granular consent choices.
- Is consent data forwarded to vendors using the TC String, and is the TC String considered separate personal data? The TC String is essentially an encoded message that says exactly what vendors, purposes, and features are allowed to be used. So it actually doesnât include any data on the user.
- After setting up Consent Mode v2, do users need to provide consent again, or does their existing consent suffice? Their current consent remains valid when switching from Consent Mode v1 to v2. It is switching from the TCF v2.0 to v2.2 when consent needs to be updated.
- Should all pageview tags be fired on cookie_consent_update with the GTM installation of Advanced Consent Mode for Google tags? No, only when you use Basic Consent Mode. When you use Advanced Consent Mode you donât need to change the trigger at all.
- On the first pageview, does consent denied automatically update to Google without firing the tag again on cookie_consent_update? Tags are only fired once. Googleâs own tags will modify their behavior, and third-party tags will only fire on cookie_consent_update if consent has been given.Furthermore, you can configure tags to only load once per page load.
- Does Consent Mode apply only to ads or also to analytics? Currently the following services support Consent Mode: Google Ads, Google Analytics, and Floodlight.
- Could Consent Mode be responsible for âUnassignedâ in GA4, or how can we notice a difference in GA4 with or without Consent Mode? We believe so, yes. There are other possible causes, but from what weâve observed, a sharp increase in Unassigned traffic does indeed seem to be due to the use of Advanced Consent Mode. Basic Consent Mode shouldnât cause an increase in Unassigned traffic.
- Does the parameter data-consentmode-defaults=âdisabledâ prevent overwriting our default consent, and how does it work without this parameter? That is its intended purpose. The idea is that Cookiebot CMP always sends Consent Mode data to GTM, regardless of whether itâs been enabled or not. That has not been implemented yet, though, since thereâs some debate whether or not we should force the use of Consent Mode. (We donât like making decisions for you.)
- So itâs more in preparation for a possible future scenario. The attribute is in no way required and Consent Mode will work fine without it. Should Switzerland be excluded, considering we received messages from there as well? If a company based in Switzerland and exclusively serves Swiss visitors, then technically they wouldnât be required to send consent signals to the six gatekeepersâ services.However, if you do have visitors from the EEA/EU you would be required to provide consent signals to be able to use these services.
- Currently, âad_user_dataâ and âad_personalizationâ are granted or denied together with ad_storage. Is this intended, or will it change? That is intended and unlikely to change in the near future. That said,, rules and regulations change and evolve, and we will obviously evolve along with them.