It’s not only the six gatekeeper companies designated by the European Commission that will have to achieve DMA-compliant consent management by March 6, 2024.
Digital platforms form an ecosystem in which data moves widely and rapidly, which means that vast numbers of third-party companies that rely on the gatekeepers’ platforms and services will also have to comply with Digital Markets Act requirements directly, or with specific obligations conveyed by the gatekeepers to their partners and customers.
Why does the Digital Markets Act make consent management critical for businesses?
Among its other stipulations, the DMA creates stricter requirements for privacy, protection and consent with regard to consumers’ personal data. The gatekeepers will need to comply with these requirements on the 22 core platform services (CPS) identified by the European Commission, but will also develop compliance requirements for companies that use their platforms for advertising, analytics, and more.
In line with the consent requirements of the EU’s General Data Protection Regulation (GDPR) and many other international data privacy laws, under the Digital Markets Act consent for collection and processing of personal data from end users will have to be obtained before any data is collected. Users will also have to be provided with clear information on what data is collected, how, for what purpose, and with whom it may be shared.
Third-party companies will also need to be able to signal consent to the gatekeepers to be able to continue access to their platforms, audiences, and data. Hence the need for consent management.
What activities under the Digital Markets Act require prior consent?
Per the DMA’s specific requirements, gatekeepers and third-party companies will need to obtain prior consent if they engage in the following data-centric activities:
- processing personal data for providing advertising services using CPS
- combining personal data from CPS with data from other CPS or services provided by the gatekeepers
- cross-use of personal data from CPS in other services provided by the gatekeeper or CPS, and/or
- signing end users in to other services in order to combine personal data
As noted, these platforms and services, and the companies running business operations using them, form an ecosystem, so it is critical to ensure consent for data use before it enters the ecosystem. Trying to prove consent once data has been processed and/or shared could verge on impossible.
What does a consent management platform need to do to be ready for the Digital Markets Act?
A consent management platform (CMP) will enable third parties to collect, store, manage and signal compliant consent from users to gatekeeper companies. Surprisingly, many companies doing business in the EU still are not GDPR-compliant, even though that law has been in place since 2018. The DMA will provide added incentive to achieve compliance, as loss of revenue from advertising, ecommerce, and more could be a crushing financial blow to companies’ EU operations.
There are several things that a CMP needs to enable companies to do to comply with the DMA (and other privacy regulations) and gatekeepers’ requirements:
- Generate a consent banner that is user-friendly and can be fully customized for your company’s branding, messaging, relevant regulations, and the cookies and tracking technologies in use.
- Clearly notify users about data collection, purposes, parties that may access the data, and what their data privacy rights are and how to pursue them.
- Detect cookies and other tracking technologies in use on websites and other platforms to ensure companies disclose and users are aware of all the ways their data may be used.
- Obtain users’ consent on websites, apps, connected TV or other platforms before any personal data is collected, if necessary.
- Securely store users’ consent data per regulatory requirements, in case of an audit by data protection authorities, or to fulfill data access requests.
- Signal consent to gatekeepers’ platforms via integrated tools, like Google Consent Mode.
- Enable generation of a cookie and/or privacy policy that includes the types of information listed above, and keeps them up to date to enable continued privacy compliance.
- Automatically update the consent banner as regulations and technologies in use change, to enable companies to maintain privacy compliance.
How can companies implement a consent management platform to be ready for the Digital Markets Act?
Companies that have operations in the European Union and/or European Economic Area, collect and process users’ personal data, and use the gatekeepers’ platforms and services need to start with an audit, so that they have up-to-date knowledge of what data they collect and store, via what means, for what purposes, and how it’s used and/or shared.
These third parties also need to know which gatekeepers’ platforms and services they use, for what purposes, with what data, and what consent signaling will be required by each, if any.
Companies need to determine what consent management platform and necessary signaling tools will best integrate with their existing platform, like their website content management system (CMS).
- Select a consent management platform that is flexible, scalable, and easy to install and maintain. You want to be able to stay focused on your core business and not need to dedicate a lot of legal, technical, or non-technical resources to it.
- Ensure that the CMP can be fully customized to your needs for appearance, messaging, technologies in use, and relevant regulations. Recognizable branding, user-friendly interface, and clear, accessible information not only help meet legal requirements, they help build trust with your users, which helps increase consent rates.
- Implement the CMP according to your website (or other) setup and your integrated tools. This could be via direct integration, head tag, Google Tag Manager, or other options.
- Ensure that the CMP can scan for, detect and control/block all of the cookies and other tracking technologies you use. This is a regulatory requirement and under many legal bases cookies and other tracking technologies cannot be used unless user consent has been obtained. This information is also passed along to populate and update the consent banner and privacy policy generator as your cookies in use change over time.
- Ensure that your privacy notice or policy is updated and kept up to date. This includes the cookie policy, which may be a standalone document or part of the privacy policy. The CMP can enable automation to save time and bring compliance peace of mind.
- Activate consent signaling to relevant gatekeepers, for example via Google Consent Mode, which is on by default with Usercentrics CMP.
- Start collecting user consent to comply with the Digital Markets Act, GDPR, and other data privacy laws, secure your ad revenue, and build trust with your users.
How Usercentrics CMP enables fast, easy, reliable compliance with Digital Markets Act requirements
All Usercentrics CMP implementations will differ at least somewhat depending on your specific setup, platforms and tools in use. However, Usercentrics integrates with leading web and app platforms, like WordPress, Magento, Wix, Squarespace, Shopify, Prestashop, and more. It also works seamlessly with gtag, Google Tag Manager, and other popular tools.
You can customize the consent banner using HTML, CSS or JavaScript, or you can work with our user-friendly out-of-the-box templates that enable privacy compliance in a few quick steps.
Usercentrics CMP’s scanning technology detects the most cookies and trackers, and saves you time and effort in describing and classifying them with a database of over 2,200 data processing services templates. This information can also be used to generate and update your privacy policy.
Once your consent banner is up and running, you can enjoy peace of mind knowing that you are respecting users’ data privacy, complying with regulations, and meeting gatekeepers’ Digital Markets Act requirements.
The Digital Markets Act and your consent management platform – what’s next?
Regulators and data protection authorities in the European Union have shown that they are serious about data privacy and enforcing it. It’s simply not worth the risk of fines or other penalties to fail to achieve data privacy compliance. Given that a world-class consent management platform can be implemented and enable compliance in minutes, there’s simply no excuse.
What company trying to compete in digital markets can risk losing access to Google, Facebook, or LinkedIn advertising? Or analytics or search data? Or Amazon’s marketplace? At the same time, though, who wouldn’t want to achieve greater trust and engagement with their customers and users, building long-term relationships to grow revenue?
Combined with the other ways that the Digital Markets Act aims to level the playing field for smaller companies, it’s time to get ready for the DMA and take advantage of the greater transparency and opportunities it offers.
Get started with the Usercentrics CMP today and be ready for the DMA. Enjoy a 30-day free trial and make privacy compliance a key part of your company’s growth strategy.