In September 2023, the European Commission designated six companies as “gatekeepers” under the Digital Markets Act (DMA) and gave them six months to adapt to the requirements of the Act.
The gatekeepers in question? Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta (Facebook), and Microsoft.
The DMA aims to regulate the behaviour of these designated gatekeepers that offer core platform services and ensure fair competitive conditions for businesses and end users in the EU. So, how does a regulation that impacts the big players affect publishers like you? This article will answer the question and lay out how you can comply.
What is the Digital Markets Act (DMA)?
The DMA consists of a set of rules that regulate the gatekeepers to ensure a fairer marketplace and expand service options for business users and end users. The key requirements of DMA compliance include transparency, non-discrimination, interoperability, prohibition of unfair practices, data portability, consent for data processing, and independent audits.
By March 6, 2024, the gatekeepers have to comply with the requirements and enact significant changes to their products and data processing.
How does DMA affect publishers?
The responsibilities outlined in the DMA pertain to those designated as gatekeepers, however, other businesses, big or small, will invariably face indirect consequences.
DMA’s rules include requirements that the gatekeepers must meet regarding third-party companies that use their core platform services or CPS. This includes companies that collect and process user data for their own operations, or access data collected by the gatekeepers. The companies that use the gatekeepers’ CPS, which includes publishers like you, will have to comply with the new DMA-related updates to keep using these services.
Failing to comply would mean losing access to user data and services that Google, Meta, and others provide, resulting in a loss of audience and revenue.
Obtain user consent
Digital Markets Act’s introduction has heightened the importance for website owners to treat consent management with greater seriousness as “gatekeepers” cannot track end users for advertising purposes without getting user consent.
This applies to your advertising and analytics platforms such as Google and Facebook that are now obligated to obtain explicit user consent.
The Digital Markets Act follows the principles for user privacy and consent as set by the EU’s GDPR and ePrivacy Directive (ePD). Consent must be freely given, specific, informed and unambiguous indication of the user’s choice. Users must also be able to change their consent preferences or withdraw consent at any time, and companies are obligated to furnish proof of consent in case of regulatory audit.
Set up CookieYes CMP in minutes, without any coding or extra effort. Sign up for a 14-day free trial.
Google’s new CMP requirements
In response to the DMA, Google has updated its policies and requires all publishers using Google AdSense, Ad Manager, or AdMob to serve ads to EEA and UK, to use a Google-certified Consent Management Platform (CMP) by January 16, 2024.
After the enforcement is implemented, ad requests directed to Google for EEA or UK traffic without utilizing a Google-certified CMP will be ineligible for personalized or non-personalized ads.
Websites using Google publisher products should implement a Google-certified CMP like CookieYes to continue serving personalized ads in EEA and the UK.
Google consent mode v2
Google has updated the functionality of consent mode with the Consent Mode v2 which introduces two additional parameters to enhance user privacy. The configurations dictate whether personal data is transmitted to Google based on user consent, across various Google products such as Google Ads, Google Shopping, and Google Play.
Google Consent Mode offers two levels of implementation for Consent Mode – Basic and Advanced. Organizations collecting data from users in the EEA are required to integrate with the ‘basic’ edition of Consent Mode to ensure the delivery of consent signals to Google.
Companies using Google advertising tools who fail to implement consent mode cannot use data for advertising use cases, including audience creation and targeting.
- Implement Basic Consent Mode on your website. This functionality lets you track the performance of ads targeting new European users in both Google Ads and GA4 audiences.
- Note: To use Google Consent Mode V2, it is necessary to have a compliant cookie banner in place.
Switch to Google Analytics 4
You need to migrate to GA4 to maintain remarketing, audiences, & conversion export, and bidding optimization. Google recommends that you switch to Google Analytics 4 by March 2024, as Google will delete your access to any Universal Analytics properties or the API starting July 1, 2024.
Switch your Universal Analytics 360 properties to Google Analytics 4.
Upgrade to Google’s latest APIs and SDK
Advertisers should update to the latest versions of APIs and software development kits (SDKs) for Google Ads and DV360. If you do not have the updated Consent Mode or Google APIs/SDKs in place, you will not be able to utilise first-party data audiences.
Checklist for DMA compliance
- Consent is key: Use a trusted and Google-certified CMP like CookieYes to request user permission to track them for ads.
- Turn on Basic Consent Mode: Implement Google Consent Mode V2 to ensure that your users’ consent preferences are communicated to the advertising tools throughout your Google Marketing Platform.
- Switch to GA4: For accurate audience targeting, remarketing and conversion reports, switch to Google’s new GA4 tool.
- Update your tools: Upgrade to the latest API/SDK versions for Google Ads and DV360 for tracking and ad buying.
Consent management for DMA compliance
Consent management is a crucial aspect of DMA compliance. To comply with the DMA, businesses need a trusted Consent Management Platform (CMP) that allows them to easily manage user consent preferences, communicate it to gatekeepers and store consent for proof.
First things first, CookieYes is a Google-certified CMP for IAB TCF v2.2 and Consent Mode V2, so you can rely on us to comply with Google’s new requirements and deadlines.
CookieYes CMP will help you ensure that your cookie banner aligns with the conditions for valid consent as per the GDPR.
Cookie consent for DMA compliance
Freely given: Users can easily accept or reject consent with the prominent ‘Accept’ and ‘Reject’ buttons all on the first layer of our CMP.
Informed: Cookie text/message that provides clear information about your data collection – what data is collected, for what purpose, for how long, and who will it be shared with etc.
Granular: Option to consent to individual cookie categories to enable granular consent choices. Our CMP’s second layer displays all cookie categories used, their purposes, and the option to turn on/off tracking.
No dark patterns: Our default cookie banner templates are designed for accessibility and to provide transparent choices for users, as required by the Digital Markets Act.
Explicit: No cookies are set or data is collected before a user gives explicit consent. Third-party cookie scripts are automatically blocked until the user has consented.
Documented: All your user consents are recorded so that you have a centralized document for proof of consent in the case of an audit.
Easy to withdraw: Changing cookie preferences or opting out is as easy as opting in. Users can reject consent from the CMP’s first layer. They can call back the banner and withdraw consent anytime later using our ‘revisit consent widget’.
Next steps for publishers
To navigate the new updates and deadlines, start by implementing a robust consent management platform on your website. CookieYes is the leading Consent Management Platform (CMP) trusted by over 1.4 million websites in 170+ countries.
With CookieYes CMP, you get the highest standards of cookie compliance:
- Custom cookie consent banners that can be geo-targeted
- Supports 170+ languages with auto-translation in 41 languages
- IAB TCF v2.2 compliant cookie banner
- Compatible with Google Consent Mode V2
- Centralized audit trail for proof of compliance
- Scheduled cookie scanning and auto-updating cookie list
- Free legal policy generators and more
Keep in mind that DMA compliance is not a one-and-done task but an ongoing process, stay informed about major updates and policy changes of the core platform services your business uses, and continuously audit your compliance efforts.
FAQ on DMA Compliance
What is the Digital Markets Act (DMA)?
The Digital Markets Act (DMA) is a law that aims to regulate huge online platforms or gatekeepers to ensure fair competition and protect user rights in digital markets. It aims to address the power imbalance between large online platforms such as online marketplaces, search engines, operating systems, cloud services, and businesses/users by imposing certain obligations and prohibitions on them.
The Digital Markets Act (DMA) and the Digital Services Act (DSA) are part of a wider package of legislation introduced by the EU in the form of the Digital Services Act Package to create a safer digital space and establish a level playing field in the European market and globally.
Who does the Digital Markets Act apply to?
The DMA applies to certain large online platforms that meet specific criteria, such as having a significant impact on the internal market, acting as gatekeepers, and providing core platform services.
The European Commission has designated six ‘gatekeepers’ – Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, in relation to the 22 core platform services (CPS) they provide.
When does the Digital Markets Act come into force?
The Digital Markets Act (DMA) came into force on November 1, 2022. The gatekeepers were officially designated on September 6, 2023, and are required to comply with the DMA by March 6, 2024.
