How the DMA & DSA laws will impact your business
The European Parliament has approved two new laws that will place tough constraints on how big tech brands such as Apple, Amazon, Alphabet, and Meta tackle competition and handle user data. The Digital Markets Act (DMA) and Digital Services Act (DSA) aim to create a safer digital space where the fundamental rights of users are protected, and to establish a level playing field for businesses in the European Single Market and globally.
This is the first official legislation around the globe that aims to regulate big tech in such a big way. The new rules are an important step in defending European values in the online space. They respect international human rights norms, and help better protect democracy, equality and the rule of law.
The new laws apply in the EU single market, without discrimination, including to those online intermediaries established outside of the European Union that offer their services in the EU.
Digital Services Act
The Digital Services Act (DSA) tackles concerns of values and safety in the online space. It focuses on content moderation enforcement and transparency, and will likely go into effect around mid-2023.
The rule is built under the overarching principle: “what is illegal offline must also be illegal online.” The goal is to create a safer digital space in which the fundamental rights of all users of digital services are protected. It will give better protection to users and to fundamental rights online, establish a powerful transparency and accountability framework for online platforms, and provide a single, uniform framework across the EU.
The rules specified in the DSA concern online intermediaries and platforms such as online marketplaces, social networks, app stores, online travel platforms, and cloud services. It will mainly impact ‘very large’ online platforms, which have a significant societal and economic impact, reaching at least 45 million users in the EU (representing 10% of the population), and online search engines with more than 10% of the 450 million consumers in the EU.
Included in the new regulations, the DSA bans targeted advertising of minors based on profiling, and targeted advertising based on profiling using special categories of personal data such as sexual orientation or religious beliefs.
Digital Markets Act
The Digital Markets Act (DMA) focuses more on the so-called ‘gatekeepers’ in digital markets such as search engines, social networking sites, web browsers, cloud computing services and virtual assistants. The criteria is even stricter than with DSA; similarly, most businesses will not be impacted directly, but will indirectly have to work with the consequences.
The DMA establishes a set of narrow defined criteria for qualifying large online platforms as ‘gatekeepers’. You are considered to be a gatekeeper when:
- You have a yearly revenue of €7,5 billion, a market value of €75 billion, or you have over 45 billion unique monthly visitors on your platform. (Note that the European Commission can also appoint gatekeepers themselves, so companies like Booking, Zalando or Just Eat Takeaway may not meet these criteria just yet, but could be added to the list in the future).
- Furthermore, you need to have an impact on the market, be an important gatekeeper for business users to reach end users and have a firm position in the market
The DMA places far greater restrictions on tech giants in regards to how they utilise their gatekeeper platforms, in a bid to even the playing field for competition. For example, it introduces a ban on: sharing data between services without expressed consumer consent; on ranking the gatekeeper’s own products or services in a more favourable manner compared to those of third parties, and tracking end users outside of the gatekeepers’ core platform service for the purpose of targeted advertising, without effective consent having been granted. The DMA’s competition rules could impact services such as iMessage, Amazon’s ability to self-preference on ecommerce, and Google and Meta’s advertisement data gathering practices.
These competition rules will likely go into effect in 2024, and those found to be non-compliant could face fines of up to 10% of the company’s worldwide annual turnover, rising to 20% for repeated infringements and penalty payments of up to 5% of the company’s worldwide daily turnover.
What does it mean for your business?
While the new laws are targeted mainly at ‘very large’ platforms and tech giants, there will be repercussions for those businesses that utilise the platforms for advertising purposes.
DSA: Ban on targeted advertising to minors and via special category profiling
The DSA bans on targeted advertising on online platforms by profiling children, or based on special categories of personal data such as ethnicity, political views or sexual orientation
As of 2021, advertisers on Meta, Messenger, and Instagram were no longer able to target teens based on their interests. But businesses could still target ad campaigns to people 18 years and under based on age, gender, and location. On TikTok, you cannot target those under the age of digital consent, which differs per country (e.g. 16 in the Netherlands, 13 in the UK). According to the platform, it was never possible to target specifically based on profiling such as the sexual orientation listed in a profile or political preference. However, advertisers could target you based on your interests, for example “LGBTQ+ rights”. Also as of 2021, advertisers on Meta were no longer able to target these sensitive interest categories.
The new law will limit the possibilities of targeting children, or based on special categories of personal data. Depending on the type of organisation you are, this may have a big impact on your advertising possibilities. When your target audience are minors (ecommerce focussed on younger people, theme parks, or even recruiting focussed on student jobs), it will no longer be possible to target specifically for your target audience. This will most likely have a big impact on the effectiveness of your online campaigns.
For political parties and their online advertising, it will become harder to specifically target based on political views. This is a topic which is hotly debated leading up to many elections already. Important to note that in this specific case, the EU bans profiling users based on their political views but we know that in the US, Meta’s user interests were indirectly used as a proxy for politically or racially targeted advertising.
DSA: Ban of ‘dark patterns’ design
The DSA also bans the use of so-called ‘dark patterns’ on the interface of online platforms, referring to misleading tricks that manipulate users into choices they do not intend to make.
The law means that it cannot be harder to refuse than to accept tracking and personalised ads. Changes in UX and visual design, for example changing the ‘accept all’ button to green, are also called ‘dark patterns’ and are no longer allowed.
Note that this legislation focuses on ‘very large platforms’; those that reach over 10% of the total 450 million consumers in Europe. For most organisations, that doesn’t directly create the obligation to change their own consent. However, once platforms such as Meta, TikTok and Google are forced to ask for consent to be tracked, you’ll see that the number of users accepting these terms will decrease. (FYI, platforms cannot refuse their services to those who do not consent). Although this won’t have a direct impact on most businesses, they will have to accept that there will be a larger group of people that can not be targeted based on user data. In the long run, this may even change their business model.
What changes for gatekeepers?
The DMA stipulates that gatekeepers must not:
- Treat services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper’s platform.
- Prevent consumers from linking up to businesses outside their platforms.
- Prevent users from uninstalling any pre-installed software or app if they wish to do so.
- Track end users outside of the gatekeepers’ core platform service for the purpose of targeted advertising, without effective consent having been granted.
More specifically, the DMA states that different messenger services are to be connected to each other, meaning that you can send a message from Facebook Messenger to Signal, or from iMessage to Telegram. This part of the DMA is heavily criticised, as the technical feasibility of connecting these services together is low; there is no protocol like there is for email (smtp) or phone (ss7). However, legislation isn’t meant to be a technical requirement, and this type of legislation will keep everyone on their toes.
Lastly, the DMA mentions that users outside of the gatekeeper’s platform can no longer be tracked without effective consent. The interesting twist here is ‘consent’. Under GDPR, consent was already necessary to track users online. You can therefore argue that nothing will really change. For many of these platforms, it’s already practically impossible to continue using their services without giving the right levels of consent. However, we need to see this in the context of the DSA as well. The combination of DSA and DMA could potentially mean that online platforms like Meta’s Facebook and Google, will no longer be able to create these enormous datasets based on personal and interaction data that can be used for targeting ads.
The DMA also requires gatekeepers to be more transparent towards their business users. For example, this means that Meta and Google will need to provide more information on the ads and campaigns their business users run. So, your business won’t have to rely on inaccurate or intransparent reports, but instead have access to in-depth data that is created via your campaigns.
Additionally, gatekeepers are no longer allowed to self-preference their products on their platforms (e.g. if you’re searching for a voice assistant on google search, Google isn’t allowed to place their Google Home in the first ranking). An obvious bonus for any smaller companies offering similar solutions.
What to do now?
If you’re considered a gatekeeper (DMA), intermediary service, hosting service, online platform or very large online platform (DSA), changes will come your way. What exactly will change, depends on the kind of service you offer or the kind of platform you run. As a web hosting service you’ll have different obligations than a internet network provider or a marketplace. There won’t be a one size fits all solution, so do seek advice.
All other businesses will not be directly impacted by this new legislation, but will most certainly face indirect consequences. The most obvious impact is the restrictions of these platforms to target advertisements in a personalised way. Mitigating the implications of DSA and DMA are somewhat similar to the strategies we advise our clients to take to tackle the loss of cookies. Relying on these platforms to help you find your target audience isn’t a smart way to move forward. Instead, build your own robust first party database, invest in relationships with publishers directly and start investing in contextual advertising.
The first single digital market
There’s no doubt that this is an historic moment in digital regulation; the introduction of these new laws has set Europe as the first, single digital market in the free-world. While, in practice, GDPR and Intelligent Tracking Prevention (ITP) have already limited the possibilities to target users specifically based on their data, the introduction of DMA and DSA brings clear regulatory monitoring and punishments for non-compliance.
While the implications of the new legislation will be most intensely felt by the tech giants, the ripple effects will undoubtedly be felt across all organisations utilising their platforms. Plus, it’s only a matter of time before smaller parties will also have to follow these regulations, so be advised to start following the same ‘consent rules’ that the tech giants are being given now.
More Insights?View all Insights