Digital Markets Act (DMA) compliance: what you need to know

Tracking and measurement make the foundation of online marketing. 📊

Less data = worse performance. 🚩

And with Google Ads’ recent changes, a lot of data and features might be lost soon. 😰

If advertisers want to continue using
– Remarketing
– Customer Match
– GA4 Audience Lists
– Lookalike Audiences

Thanks to Maximilan

This includes PMAX, and further down the line conversion data might not be shared unless you have consent mode enabled.

Introduction to the Digital Markets Act and its implications

The European Commission’s (EC) Digital Markets Act (DMA) came into effect in November of 2022. It became actionable in May 2023, but the companies designated as “gatekeepers” by the EC have until March 6, 2024 to ensure their compliance with the Act.

Additionally, companies doing business in the European Union, European Economic Area and United Kingdom, and that use the gatekeepers’ services will also likely need to achieve and maintain compliance to prevent business disruptions.

Penalties for Digital Markets Act (DMA) violations are significant, and can be up to 10% of global annual turnover for gatekeepers, or up to 20% for repeated violations, among other penalties. Third parties using gatekeepers’ platforms and services could lose access to them, along with their data and user bases. This would cut off advertising, analytics, and other necessary functions, damaging business operations with losses of audience access, revenue, and brand reputation.

Obligations imposed by the Digital Markets Act are fairly similar to some of those required by the General Data Protection Regulation (GDPR), but they cover more territory. For example, the Digital Markets Act includes additional access to consumers’ personal data and uses of it. The Act also aims to bolster the competition landscape and increase fairness among digital companies and benefit smaller organizations in the market.

1. Which companies has the European Commission designated as gatekeepers?

The European Commission has so far designated six “gatekeeper” companies under the Digital Markets Act, based on the size and influence of their platforms and audiences, and their power in the digital market. The list may grow or change in the future.

  • Alphabet (parent company of Google and Android)
  • Meta (parent company of Facebook, Instagram, WhatsApp and others)
  • Apple
  • Microsoft
  • Amazon
  • ByteDance (parent company of TikTok)

The gatekeeper designation means that these platforms and the services they offer have to ensure they’re in compliance with the DMA by March 6, 2024. Otherwise, they risk substantial penalties.

Requirements for Digital Markets Act compliance for third-party companies

Companies that use the gatekeepers’ core platform services in Europe will also need to demonstrate their compliance (e.g. collecting and signaling valid user consent) or risk losing access to those platforms and the associated data, user base and revenue.

Companies operating in the European Union, European Economic Area and the United Kingdom may also need to comply with additional data privacy regulations, like the GDPR. Fortunately, many of the laws’ requirements are in alignment already.

These requirements make implementation of a consent management solution important to help ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data, and that you can signal it to gatekeepers.

2. What is a core platform service under the Digital Markets Act?

To date, the European Commission has identified 22 core platform services (CPS) among those that the gatekeepers own and operate. This list may grow or change over time. These are the services most under compliance scrutiny under the DMA due to their vast audiences, amount of data generated and processed, and consumer and market influence:

  • 3 operating systems (Google Android, iOS, Windows PC OS)
  • 2 web browsers (Chrome and Safari)
  • 1 search engine (Google)
  • 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
  • 6 intermediary platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
  • 3 online advertising services (Amazon, Google, and Meta)
  • 2 large communication services (Facebook Messenger and WhatsApp)
  • 1 video sharing platform (YouTube)

Third-party entities that make use of the CPS will be required by the gatekeepers to comply with the Digital Markets Act if they want to maintain access to these services, e.g. for advertising. Otherwise they risk significant revenue loss if their access to the platforms is removed.

Does the Digital Markets Act provide more protection for user privacy?

The Digital Markets Act uses the same principles for user privacy and consent as the EU’s GDPR and ePrivacy Directive (ePD). This means that they use an opt-in model, and personal data cannot be collected or processed before valid consent is obtained. Third parties will also have to be able to signal this consent to gatekeepers like Google.

As per the GDPR, consent must be freely given, specific, informed, unambiguous, and obtained in advance of data collection.

Consent is also not a “single use” action. Consumers must be able to change or withdraw their consent at any time, and it must be as easy to do so as it was to provide consent. If a company is audited by data protection authorities, they must be able to provide a record of user consent choices.

A consent management platform (CMP) enables companies to do several things that facilitate valid consent and regulatory compliance with privacy laws. A CMP enables companies to:

  • notify users about what personal data they collect from the use of cookies or other trackers
  • enable overall or granular-level consent for tracking technologies in use
  • provide consent options and enable them to be changed
  • store consent data securely

Companies using Google services must also support the most up to date version of Google Consent Mode, as this is used to enable consent signaling to Google when their services are in use.

Prior or opt-in consent is required by the DMA from customers, visitors or site/app users of gatekeepers’ and third parties’ services, if these companies:

  • process personal data in the course of providing advertising service using CPS
  • combine personal data from CPS with data from other CPS or services provided by the gatekeepers
  • cross-use personal data from CPS in other services the gatekeepers or CPS provide, and/or
  • sign end users in to other services in order to combine personal data

4. What rights do third-party companies have under the Digital Markets Act?

One of the big goals of the Digital Markets Act is a fairer digital marketplace and improved competition. To this end, the law has a number of requirements that gatekeepers must meet, and which benefit third parties using the CPS. These benefits include:

  • allowing third parties’ apps to be equally accessed and used on gatekeepers’ operating system(s)
  • allowing more access to data generated by activities on CPS
  • prevention of preferential ranking of gatekeepers’ services
  • prohibiting tracking of end users outside of the gatekeepers’ CPS for targeted advertising purposes unless consent is obtained
  • ability to uninstall pre-installed apps
  • enabling operating system or browser settings leading to gatekeepers’ products or services to be changed
  • allowing third-party business users to offer their products and services on their own or third-party platforms for the same price as on gatekeepers’ platforms and services
  • providing advertisers and publishers information free of charge about ads placed, remuneration and fees

Read the EC’s published list of specific “do’s and don’ts” for gatekeepers

Conditions for valid consent under the Digital Markets Act are the same as under the GDPR:

Explicit: Active acceptance required, e.g. ticking a box or clicking a link.

Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?

Documented: You have the burden of proof of consent in the case of an audit.

In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.

Granular: Individual consent for individual purpose, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.

Freely given: Equally accessible and easy to use “Accept” and “Deny” options, e.g. buttons all on the first layer of the CMP. Do not manipulate users’ choices via design.

Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.

The GDPR and DMA require consent for the use of cookies and trackers on websites. This makes a consent management platform (CMP) a necessary tool in many cases, but a lot of companies doing business in the EU do not have a CMP installed, or it’s installed incorrectly, preventing regulatory compliance.

These companies risk noncompliance with the Digital Markets Act, which in turn puts their business continuity at risk, because it depends on access to the gatekeepers’ platforms and services, including advertising with Google.

A consent management platform can be implemented on websites, apps, and other platforms in minutes. A CMP like Cookiebot CMP can be customized to match corporate branding, and deep scans your website to ensure detection and control of all of the cookies and other tracking technologies you use.

Cookiebot CMP is a European leader in helping companies obtain consent and achieve data privacy compliance, and enables this right out of the box. Cookiebot CMP relies on state of the art technology that detects more cookies and trackers. It automates detection, categorization and blocking of them over time to help you maintain compliance without dedicating a lot of technical or legal resources. Protect your operations from DMA violations and ensure you can keep using gatekeepers’ services.

6. How can a CMP get you ready for the Digital Markets Act and why do you need one?

Data protection authorities in Europe have demonstrated that they will pursue compliance with data privacy laws, and enforcement continues to expand. The DMA will build on that commitment.

The European Commission can impose fines for DMA violations on gatekeepers of up to 10% of the company’s annual global turnover, 20% in cases of repeated violations. Additionally, the EC can require gatekeepers in the EU to sell parts or all of a business, or institute bans on acquisitions if they would involve lines of business in which the entity had been found to be in violation.

As for third-party organizations relying on gatekeepers’ services, if they fail to comply, they can lose platform access, which would also involve loss of data, audience/customers, and be a hit to revenue. As noted, the DMA bears similarities with other laws, so a DMA violation may also mean a violation of the GDPR or other privacy laws, which have their own potential penalties. This would be publicity no company wants, and would likely damage brand reputation and consumer trust, which would be a further hit to revenues and growth potential.

How do you implement a CMP to be ready for the Digital Markets Act?

The specifics of CMP implementation do depend on what platforms you’re using, like your CMS, as well as other tools, including Google Tag Manager and other services. Cookiebot CMP is flexible and can be installed with just a few lines of JavaScript. There’s also a cookies WordPress plugin.

  1. Select a flexible, reliable CMP that can be customized to your needs and will be easy to maintain by technical or non-technical staff
  2. Implement the CMP according to your website setup and your integrations, including those of DMA’s designated gatekeepers
  3. Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
  4. Activate Google Consent Mode signaling
  5. Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
  6. Start collecting DMA-compliant consent from users

Google Consent Mode v2 and TCF 2.2 implementation FAQs

  1. Does the TCF or Consent Mode apply to the USA and non-EU (GDPR) countries? No, they don’t. But if you have visitors from the EEA/EU, you will need to obtain consent and provide consent signals.
  2. What happens if there’s no consent tool and nothing is being blocked? What is the default state? We’re not sure yet, but the most likely scenario is that the service won’t run. So in the case of Google Ads, no ads will be served. Currently users are receiving warnings in Google Ads for exactly this case.
  3. Is enabling the TCF necessary if no ad services are used on the homepage? No, the TCF is only needed for publishers and websites that generate ad revenue.
  4. Do I need to set the status for each service before loading Usercentrics CMP, or is implementing Smart Data Protector sufficient? Assuming that everything is configured correctly, you should be able to simply rely on the Smart Data Protector. The service won’t be able to run without prior consent.
  5. If using only Consent Mode v2, does it protect serving ads for Google, Facebook, and everything else? It’s important to keep in mind that Consent Mode is a Google product and only Google Tag Manager (GTM) receives Consent Mode signals. That being said, if you use GTM to load third-party services from Apple, Amazon, Meta, Microsoft, or ByteDance you can use Consent Mode to only load these services if consent has been given.
  6. Are adjustments required in the Consent Manager, such as changes to the consent text on the first layer? No, when you enable the TCF, your banner’s configuration will automatically be adjusted to satisfy the requirements set forth by IAB Europe. Consent Mode has no requirements when it comes to banner configuration. You don’t even have to mention that you’re using it.
  7. How can I easily verify correct implementation of the TCF and Consent Mode? For the TCF, if you issue the following command in the developer console, and don’t get “true”, then TCF is enabled: '__tcfapi' in window. Regarding correct implementation, the service that requires TC Strings (TCF consent strings) will generally inform you if something is amiss. For Consent Mode you can check the “Consent” tab in the GTM preview or Tag Assistant.
  8. Will the user interface display specific options for ad_user_data and ad_personalization, or will it remain unchanged? This will most likely remain unchanged. Regardless of whether or not you ask people for consent for services or cookie types, there is no real need to split these permissions up. That being said, as things develop and a demand arises to be able to set these permissions separately we may very well add that option. In my own experience users usually go all in for consent or decline all and rarely take the time to make granular consent choices.
  9. Is consent data forwarded to vendors using the TC String, and is the TC String considered separate personal data? The TC String is essentially an encoded message that says exactly what vendors, purposes, and features are allowed to be used. So it actually doesn’t include any data on the user.
  10. After setting up Consent Mode v2, do users need to provide consent again, or does their existing consent suffice? Their current consent remains valid when switching from Consent Mode v1 to v2. It is switching from the TCF v2.0 to v2.2 when consent needs to be updated.
  11. Should all pageview tags be fired on cookie_consent_update with the GTM installation of Advanced Consent Mode for Google tags? No, only when you use Basic Consent Mode. When you use Advanced Consent Mode you don’t need to change the trigger at all.
  12. On the first pageview, does consent denied automatically update to Google without firing the tag again on cookie_consent_update? Tags are only fired once. Google’s own tags will modify their behavior, and third-party tags will only fire on cookie_consent_update if consent has been given. Furthermore, you can configure tags to only load once per page load.
  13. Does Consent Mode apply only to ads or also to analytics? Currently the following services support Consent Mode: Google Ads, Google Analytics, and Floodlight.
  14. Could Consent Mode be responsible for “Unassigned” in GA4, or how can we notice a difference in GA4 with or without Consent Mode? We believe so, yes. There are other possible causes, but from what we’ve observed, a sharp increase in Unassigned traffic does indeed seem to be due to the use of Advanced Consent Mode. Basic Consent Mode shouldn’t cause an increase in Unassigned traffic.
  15. Does the parameter data-consentmode-defaults="disabled" prevent overwriting our default consent, and how does it work without this parameter? That is its intended purpose. The idea is that Cookiebot CMP always sends Consent Mode data to GTM, regardless of whether it’s been enabled or not. That has not been implemented yet, though, since there’s some debate whether or not we should force the use of Consent Mode. (We don’t like making decisions for you.) So it’s more in preparation for a possible future scenario. The attribute is in no way required and Consent Mode will work fine without it.
  16. Should Switzerland be excluded, considering we received messages from there as well? If a company is based in Switzerland and exclusively serves Swiss visitors, then technically they wouldn’t be required to send consent signals to the six gatekeepers’ services. However, if you do have visitors from the EEA/EU you would be required to provide consent signals to be able to use these services.
  17. Currently, “ad_user_data” and “ad_personalization” are granted or denied together with ad_storage. Is this intended, or will it change? That is intended and unlikely to change in the near future. That said, rules and regulations change and evolve, and we will obviously evolve along with them.
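
The following is an added example, not part of the original FAQ and not Cookiebot's or Google's code. It is a scripted counterpart to checking the “Consent” tab in the GTM preview: it walks a dataLayer and reports missing Consent Mode v2 signals, tags queued before the consent default, and ad signals that do not follow ad_storage. The function names, the sample dataLayer entries and the rule that every default must be denied (opt-in visitors) are assumptions made for the example.

```javascript
// Added example (not from the page): audit a GTM-style dataLayer for Consent Mode v2.
const V2_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// gtag() pushes its `arguments` object, so a consent command is array-like:
// ['consent', 'default' | 'update', { <signal>: 'granted' | 'denied', ... }]
function asConsentCommand(entry) {
  const a = entry && typeof entry.length === 'number' ? Array.from(entry) : [];
  const ok = a[0] === 'consent' && ['default', 'update'].includes(a[1]) && typeof a[2] === 'object';
  return ok && a[2] ? { type: a[1], settings: a[2] } : null;
}

function auditConsentMode(dataLayer) {
  const findings = [], state = {};
  let sawDefault = false, flaggedEarly = false;
  dataLayer.forEach((entry, i) => {
    const cmd = asConsentCommand(entry);
    if (!cmd) {
      // Anything queued before the default has no consent state to honour.
      if (!sawDefault && !flaggedEarly) findings.push(`entry ${i} queued before consent default`);
      flaggedEarly = true;
      return;
    }
    if (cmd.type === 'default') {
      sawDefault = true;
      for (const s of V2_SIGNALS) {
        if (!(s in cmd.settings)) findings.push(`default missing ${s}`);
        // Assumption: opt-in visitors (EEA/EU), so every default must be 'denied'.
        else if (cmd.settings[s] !== 'denied') findings.push(`default ${s} is not denied`);
      }
    } else if (!sawDefault) {
      findings.push(`entry ${i}: consent update before any default`);
    }
    for (const s of V2_SIGNALS) if (s in cmd.settings) state[s] = cmd.settings[s];
  });
  if (!sawDefault) findings.push('no consent default set');
  // The FAQ says ad_user_data and ad_personalization follow ad_storage; flag drift.
  for (const s of ['ad_user_data', 'ad_personalization']) {
    if (state[s] !== state.ad_storage) findings.push(`${s} does not match ad_storage`);
  }
  return { state, findings };
}

// Constructed sample data: what gtag() would push, captured via `arguments`.
function gtagArgs() { return arguments; }
const all = (value) => Object.fromEntries(V2_SIGNALS.map((s) => [s, value]));
const goodLayer = [gtagArgs('consent', 'default', { ...all('denied'), wait_for_update: 500 }),
                   { event: 'gtm.js' }, gtagArgs('consent', 'update', all('granted'))];
const badLayer = [{ event: 'gtm.js' },
                  gtagArgs('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' }),
                  gtagArgs('consent', 'update', { ad_storage: 'granted' })];

console.log(auditConsentMode(goodLayer), auditConsentMode(badLayer));
```

In a browser, the same function can be run against window.dataLayer from the developer console once the page has loaded and a consent choice has been made.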