Last year, two new European Union regulations restricting how big tech brands like Apple, Amazon, and Meta tackle competition and handle user data entered into force. The Digital Markets Act (DMA) and Digital Services Act (DSA) aim to create a safer digital space where users’ fundamental rights are protected. They also establish a fair field for businesses in the European Single Market and globally.
This article discusses both laws and explains their effect on the digital space and your business.
The two acts were endorsed under one legislative package, the Digital Services Act package (DSA package), but they function as separate laws. These acts are significantly impacting big tech.
The DSA package creates numerous new compliance and transparency requirements that companies must implement.
The European Digital Services Act aims to modernize the e-Commerce Directive, regulating online intermediaries and platforms. These include “online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.” Additionally, it creates obligations for online platforms to moderate content and implements transparency in data collection.
The regulation gives better protection to users, ensures fundamental online rights, establishes transparency and accountability for online platforms, and provides a unified framework across the EU.
The Digital Services Act’s entry into force on November 16, 2022 meant that online platforms were required to report the number of active end users on their websites until February 17, 2023. Based on these numbers, the European Commission will decide whether a platform should be designated a very large online platform or search engine. Consequently, any entity thus declared will have four months to complete and submit its first annual risk assessment.
At the latest, the DSA will be applicable from February 17, 2024.
The second pillar of digital regulation, the DMA, is a competition protection law targeting so-called gatekeeper platforms. The regulation defines ten core platform services, including online search engines, operating systems, web browsers, virtual assistants, and social networks. It means that the Act, as for now, will also regulate the actions of tech giants including Meta, Google, and Amazon.
The DMA requires these online platforms to obtain users’ consent before using personal data for targeted advertising. It also determines clear rules on how large online platforms should act to ensure users’ safety.
The act is effective from May 2, 2023.
The regulations were introduced to restrict the monopoly of tech giants and ensure fair competition between companies operating online. They aim to make the Internet more user-friendly and business-friendly, with clear guidelines to follow.
But, as these laws also focus on ensuring users’ online safety, serious health reasons have implicated their endorsement, such as increased anxiety among younger people, spreading misinformation and panic, and promoting addictive content.
Very large platforms, online platforms, hosting services, and intermediary services in the light of the DSA package
The DSA imposes different obligations on different types of intermediaries depending on the nature of their services, size, and impact. These rules ensure their services are not misused for unlawful activities and operate responsibly.
Certain obligations are limited to very large online platforms, often referred to as VLOPs, facilitating public debate and economic transactions. Very small platforms are exempt from the majority of their obligations.
The DSA classifies platforms or search engines with more than 45 million users per month in the EU as very large online platforms (VLOPs) or very large online search engines (VLOSEs). They were designated based on user numbers provided by the platform or search engines by February 17, 2023. They also must update these figures at least every six months.
By rebalancing responsibilities in the online ecosystem based on the size of the platforms, the proposal ensures that the regulatory burdens of these new rules are proportionate.
Which providers are covered by the DSA?
- Intermediary services offering network infrastructure, internet access providers, and domain name registrars.
- Hosting services such as cloud and web hosting services.
- Online platforms such as online marketplaces, app stores, collaborative economy platforms, and social media platforms.
- Very large online platforms are a particular risk in disseminating illegal content and societal harm. They have a specific set of rules as they reach at least 45 million users in the EU.
Excepting those platforms with fewer than 50 employees or whose annual revenues do not exceed 10 million euros, all platforms must comply with the following:
- Set up complaint and redress mechanisms
- Cooperate with trusted flaggers
- Take measures against abusive notices
- Deal with complaints
- Include the credentials of third-party suppliers
- Provide user-friendly and transparent online advertising
On April 24, the European Commission announced the first companies to be encompassed by the DSA package:
- Very large online platforms (VLOPs): Alibaba AliExpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, Zalando
- Very large online search Engines (VLOSEs): Bing, Google Search.
These companies will have to comply with the full set of obligations established by the DSA to VLOPs and VLOSEs, such as removing illegal content, increasing algorithmic transparency, redesigning their systems to ensure a high level of privacy, security, safety of minors, and more.
Also, on September 9, The European Commission designated six tech companies, Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft, as gatekeepers under the DMA. The designation applies to 22 of their core services.
Companies now have six months to ensure compliance with the DMA’s obligations. If they fail to meet the requirements, the Commission can fine them with 10% of the company’s worldwide turnover and up to 20%, if the breaches repeat. The Commission can also introduce further steps related to non-compliance, such as requiring the sale of certain business parts or prohibiting companies from developing additional services.
Both regulations are consistent with international demands for data privacy laws, especially regarding safeguarding consumers. Moreover, they focus on ensuring children’s online security and limiting data collection without proper consent.
There are a few key provisions that will provide customers protection in the online space.
The DSA will bring greater transparency to content moderation. Each platform must clearly explain why certain content is prohibited, stating this in its terms and conditions. However, the restrictions must not infringe on users’ human rights. Also, websites must regularly publish so-called transparency reports, revealing, among other things, data about deleted content.
Moreover, users need to be informed in all EU languages via a simple form about the rules for content moderation. They have to know which algorithms are used and their exact role.
The DSA package will also regulate how user accounts are blocked and removed. Each user will have to receive a detailed explanation of such a decision with information about the exact rule that was violated and be able to appeal against each decision.
Online platforms will have to ensure proper content moderation in all EU languages. Moderators will also handle illegal content distribution and appeals against decisions to remove content or ban users’ accounts.
A common practice of online platforms is persuasive and manipulative design. Dark patterns trick users into taking actions that serve the company’s business goals. That is why the DSA package bans such manipulative tactics.
Websites won’t be allowed to design their services in a way that deceives or limits users’ choices. This applies to the use of dark patterns, pop-up windows that force users’ consent to personal data collection, or even applications that are easy to run but difficult to disable.
Collecting data about users is one of the most profitable marketing practices, but also a form of online manipulation. The problems with such practices arise when advertising takes advantage of weaknesses related to mental health, addictions, or life experience. The DSA partially addresses these problems.
Online platforms will no longer be allowed to use sensitive data and data from children for advertising. Serving tracking ads will still be possible, but only if they are matched to users based on “non-sensitive” data types. Also, each ad should include clear information that it is sponsored content, who the sponsor is, and why this ad was shown to a specific user.
Read our article about the ruling against Meta’s behavioral ads practices: Meta’s ad practices ruled illegal under GDPR: key facts and implications of the decision
Algorithms decide what is displayed to users, and we are so used to it that we no longer even notice it going on. The DSA will now provide guidelines on how it should be used.
Each online platform must now explain:
- How each piece of content is selected for users
- What parameters and data are used
- What the main goal of the algorithm is
Users will be able to choose at least one content selection system without tracking. For example, it will not use data to recommend profiled content.
Big platforms have got us used to ignoring threats related to their business model rather than actively counteracting them. That’s why the DSA will encourage them to change this approach to a more socially responsible one.
Big online platforms will be obliged to carry out risk assessments regularly, covering:
- Content moderation systems
- Content recommendation algorithms
- Interfaces’ operation rules
- Default website settings
The DSA is also trying to respond to the dynamic development of ecommerce platforms. They will be required to allow the identification of sellers and conduct random checks of products to better protect consumers from fraudsters. Users can expect reliable and accessible information about each product’s features and where it was manufactured.
As the DSA ensures transparency, user safety, and accountability for online platforms, the DMA establishes clear rules for how large online platforms can operate. Both pieces of legislation will significantly impact businesses across Europe. Although they are European laws, they will also impact big tech companies outside Europe that offer services to Europeans. The DSA package set new standards for the global digital space.
So how exactly will these laws limit the tech giants’ online activities?
Personal data collection is already very strictly regulated and requires consent. The DSA package will also apply consent as a ground for collecting data that, by combining information from various internal or external sources, can become personal data.
The total ban will cover, for example, integrating users’ data from websites using Google Analytics or combining data from Facebook, Instagram, and WhatsApp into one profile.
Since the DSA and the DMA have overlapping consent requirements with the GDPR, platforms that don’t comply can now be hit with multiple violations.
The DMA states that users outside the gatekeeper’s platform can only be tracked with effective consent. Under GDPR, consent is necessary to collect users’ data online. For many platforms, it’s impossible to continue using their services without giving the proper levels of consent.
New regulations mean that the most popular online platforms can no longer use personal data for targeting ads. Also, users could opt out of receiving recommendations based on profiling from very large platforms.
As the DSA package aims to significantly reduce the tech giants’ monopoly, their services need to be restricted.
- Users will no longer be forced to connect or log in to different services of one cyber giant with the same account.
- The law will enable users to send and read messages on all messengers available. For example, when a user sends a message on Facebook Messenger, it can be read on Signal or WhatsApp. It will also work the other way around. As for the first years, it will only apply to individual text, video, and voice messages, but ultimately it will be expanded to group chats and voice calls.
- Cross-selling and cross-advertising of services will not be available. That means users won’t be encouraged to use the services within one tech giant’s offer. For example, while using iOS, users will not receive a recommendation to install Safari as a default browser.
Finally, these regulations will allow users to unsubscribe or uninstall services easily. For example, each app will have an intuitive interface that will direct users to install it effortlessly and uninstall it with the same simplicity.
Depending on the type of online business you run, the size of your operations, and other factors, the new rules will affect your company differently.
The DSA package influences businesses that use the platforms for advertising purposes. The laws ban targeted advertising based on personal information such as ethnicity, political views, or sexual orientation. Moreover, targeting ads to younger audiences will no longer be possible. This will have large influence on the effectiveness of online campaigns.
The DSA package also bans the use of dark patterns for smaller companies. Now, the option to refuse tracking and personalized advertising needs to be as easy as the option for accepting. Websites that change their UX by, for example, turning all the “accept” uttons green, will be banned.
To learn more about “dark patterns,” read our article: When design goes awry – How dark patterns conflict with GDPR and CCPA
Smaller businesses must also ensure a well-designed platform interface and easy-to-use mechanisms to comply with the new rules. They must adopt a streamlined set of processes that allow for continuous compliance, notably with obligations such as transparency reporting and independent audits.
Another responsibility focuses on the traceability of traders on the platforms, such as name, where they are registered, a copy of their ID, etc. This information will need to be verified. The platform can suspend the trader’s services if it fails to provide updated or more accurate data.
Furthermore, when the platform becomes aware of any illegal products or services, it needs to inform the consumers who purchased illegal products or services of their illegality, the identity of the traders, and any means of redress.
Smaller businesses will benefit from this new set of rules. They will have access to simple and effective tools for flagging illegal activities that damage their trade, as well as internal and external redress mechanisms, affording them better protections against incorrect removal and limiting losses for legitimate businesses and entrepreneurs.
The introduction of the new laws will be the next big step in regulating online business. GDPR, the so-called Privacy Shield 2.0, and Intelligent Tracking Prevention (ITP) have already limited the use of collected data for personalized targeting, so the DSA packages will only clarify the rules.
The regulations mainly target the tech giants, but companies using their platforms for marketing will also feel their impact. In addition, there is a big possibility that smaller companies will be forced to follow the same rules soon.
There won’t be a single solution for proper compliance with these new laws. But businesses must start looking for platforms that replace the old invasive methods with transparent consent collection, cookieless tracking, first-party databases, and contextual advertising.
While searching for DSA- and DMA-compliant solutions, it’s a good idea to work with partners who support values such as privacy by design. Following these best practices will help you fully control and understand the data you collect. In addition, transparency will help you build a relationship of trust with your customers.
Read the below articles to see how Piwik PRO Analytics Suite handles personal data and protects user online privacy: