What DMA & Consent mode v2 Mean for Your Business

The European Union's new Digital Markets Act (DMA) came into effect in March 2024. It is a groundbreaking piece of legislation which seeks to regulate large online platforms, dubbed "gatekeepers," in order to promote fair competition and protect consumer rights in the digital space.

What, yet more regulation? As ever, the challenge is to identify the opportunities it presents and integrate them with your goals, before somebody else does and gains the benefit.

This article explores the key aspects of the DMA, the risks it poses to businesses and the steps companies must take to ensure compliance, particularly in relation to consent mode. If you get there first, and set the standard, you don’t need us to tell you the leverage this will give you.

The DMA is a set of rules and obligations applicable to the large online platforms which act as "gatekeepers" in the digital sector. These gatekeepers (currently six) are defined as companies with a significant impact on the internal market, which act as an important gateway for business users such as yourself to reach their customers and enjoy an entrenched and durable position.

The DMA aims to prevent these gatekeepers from imposing unfair conditions on businesses like yours and consumers like yours. This in turn is designed to foster a more competitive digital landscape, in which all can participate without fear of being exploited by the gatekeepers.

Key provisions of the DMA include:

Prohibiting gatekeepers from engaging in unfair practices, such as self-preferencing their own products or services or using data collected from business users to compete against them.

Requiring gatekeepers to allow third-party apps and services to interoperate with their own services and platforms.

Mandating that gatekeepers provide business users with access to the data they generate through their activities on the gatekeeper's platform.

Ensuring that users have the right to uninstall pre-installed apps on gatekeeper platforms.

Requiring gatekeepers to obtain explicit consent from users before combining personal data from different sources or using it for targeted advertising.

Requiring third parties (advertisers) using a gatekeeper’s platforms and services to be DMA-compliant. This means using a consent management platform (CMP) or apps within their CMS to enable compliant consent collection and signaling.

If you are an advertiser and already do all these things, these processes should be documented and formalised to ensure ongoing compliance with the DMA. If you don’t, start thinking how you will implement the DMA before new inspectors, keen to make a good impression, notice it.

While the DMA aims to create a more level playing field in the digital sector, it also presents several risks and challenges for businesses. The sooner you are aware of and embrace these, the better.

Particular areas of concern are::

1. Compliance costs: Complying with the DMA's extensive obligations may consume significant resources, particularly for smaller businesses which may struggle to meet the technical and legal requirements. These will need to be budgeted for at this point, whether or not covered by existing revenue streams.
2. Disruption to existing business models: The DMA's restrictions on data sharing and targeted advertising could disrupt conversion tracking, and thus severely affect the revenue streams of businesses which rely heavily on these practices. The regulations here are outlined in this document.
3. Increased competition: By making it easier for third-party apps and services to interoperate with gatekeeper platforms, the DMA could intensify competition, potentially making it harder for businesses to maintain their market share.
4. Legal uncertainty: As with any new legislation, there may be a period of uncertainty as businesses navigate the DMA's requirements and await clarifications through enforcement actions and court rulings.

Special attention needs to be paid to Consent mode. This is the mechanism which permits websites and apps to adjust their behavior based on a user's consent preferences for ad personalization and analytics.

Under the DMA, gatekeepers must obtain explicit consent from users before combining personal data from different sources or using it for targeted advertising. Therefore to comply with this requirement, businesses using a gatekeeper should:

1. Implement a clear and user-friendly consent management system: Users should be provided with clear information about how their data will be used and given an easy way to provide or withdraw their consent.
2. Honor user consent preferences: Businesses must ensure that they only combine personal data or use it for targeted advertising if the user has explicitly consented to these practices.
3. Provide alternative options: If a user does not consent to targeted advertising, businesses should provide alternative, non-personalized advertising options to ensure that users can still access the service.
4. Regularly review and update consent practices: As user preferences and legal requirements evolve, businesses should regularly review and update their consent practices to ensure ongoing compliance with the DMA.

The introduction of DMA means that tracking and optimization of advertising campaigns across all platforms will be significantly affected. From now on, businesses will have to be compliant with GCM v2, the Google Consent mode v2 which covers Google and non-Google tags, which covers the regulations applicable to other gatekeeper sites.

This will involve:

1. Selecting a CMP: A Content Management Platform (CMP) will provide a proper notification banner for all visitors and give the option for them to reject data collection. While you can produce your own custom solution, several such platforms, such as Cookieyes or Cookiebot,already exist, and Google has produced a list of recommended ones.

2. Selecting a Consent Mode: Having selected the CMP and its design (language, position, buttons, etc.) businesses need to choose either the Basic or Advanced Google consent mode. The Advanced mode is generally better from the marketing perspective, but there are some additional legal limitations to its use in some countries (i.e. Germany), as is discussed here.

3. Applying essential features: A CMP with the appropriate consent mode should include the following elements:

• Functional information (such as headers added passively by the browser):
• Timestamp
• User agent (web only)
• Referrer
• Aggregate/non-identifying information:
• An indication for whether or not the current page or a prior page in the user's navigation on the site included ad-click information in the URL (e.g., GCLID / DCLID)
• Boolean information about the consent state
• Random number generated on each page load
• Information about the consent platform used by the site owner (e.g., Developer ID)

4. Adding non-mandatory features: Certain additional features are not explicitly mandated by the DMA but are now necessary for measuring results obtained by DMA-compliant campaigns. These are:

Looker Studio connectors, which push purchase and purchase value data directly from your CRM system into Looker Studio reports instead of Google Analytics 4.

• Power my Analytics
• Supermetrics

Native Google Ads conversion tracking, which tracks the full performance of Google Ads (the Enhanced rather than Basic version is recommended).

Google Analytics 4 analogs allowed by the DMA, which will track online visits to websites and display reports on these for analysis. For this feature to work correctly, users in the EU need to provide consent for cookies. Alternatives include:

• Matomo
• Piwik Pro

The Digital Markets Act 2024 is a significant advance in the regulation of large online platforms, and will promote fair competition and protect consumer rights. No longer will the gatekeepers be able to set the terms of engagement - businesses such as yours will have more control over how they use these sites and how their own information is used.

While the DMA poses risks and challenges for businesses, particularly in terms of compliance costs and potential disruption to existing business models, it also presents opportunities for innovation and the development of new, user-centric services. A holistic, compliant offering which protects both businesses and consumers, developed early, will gain the rewards other businesses will lose by not adapting quickly enough to the new legal environment.

To navigate this new world successfully businesses must review and adapt their practices, obtain explicit user consent for data combination and targeted advertising and develop the means to proactively pursue the new models of advertising the DMA is mandating. By embracing the principles of transparency, fairness, and user control enshrined in the DMA, businesses can not only ensure compliance but also build trust with their customers and thrive in the evolving digital marketplace.