What Is the Digital Markets Act?
The Digital Markets Act (DMA) is an EU regulation designed to break the stranglehold that a handful of tech giants hold over digital markets. It entered into force on 1 November 2022 and became fully applicable on 2 May 2023. Unlike the GDPR, which applies broadly to any organisation processing personal data, the DMA targets a specific class of companies the European Commission calls gatekeepers - large platforms that serve as critical intermediaries between businesses and consumers.
Seven companies have been designated so far: Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta, Microsoft, and Booking.com (added in May 2024). Between them, they control 23 core platform services spanning search engines, operating systems, app stores, messaging apps, social networks, browsers, and online advertising.
The regulation does not replace the GDPR or the ePrivacy Directive. It sits alongside them, adding a competition-focused layer that restricts how gatekeepers collect, combine, and exploit user data.
Who Are the Gatekeepers and How Are They Designated?
A company qualifies as a gatekeeper if it meets three cumulative criteria: it has a significant impact on the EU internal market, it operates a core platform service that acts as an important gateway for business users to reach consumers, and it holds an entrenched, durable market position. The European Commission uses quantitative thresholds to presume these criteria are met.
| Threshold | Requirement |
|---|---|
| Annual EU turnover | EUR 7.5 billion or EUR 75 billion global market capitalisation |
| Monthly active end users in the EU | At least 45 million |
| Yearly active business users in the EU | At least 10,000 |
| Duration | Thresholds met in each of the last three financial years |
Companies can attempt to rebut the presumption with evidence, though no designated gatekeeper has succeeded. ByteDance appealed its designation to the EU General Court but lost its bid for interim measures in February 2024.
The first six gatekeepers were designated on 6 September 2023 and had until 6 March 2024 to comply. Booking.com was designated in May 2024, with a compliance deadline of November 2024.
DMA Obligations: What Gatekeepers Must (and Must Not) Do
Articles 5, 6, and 7 of the DMA contain the core obligations. Several directly affect data collection and consent.
Data Combination and Cross-Use (Article 5(2))
Gatekeepers cannot combine personal data from their core platform service with data from other services they provide - or from third parties - unless the user gives explicit, GDPR-standard consent. This means Google cannot merge your Chrome browsing data with your YouTube watch history or Google Ads profile without asking first and receiving a clear yes.
The consent must be freely given, specific, informed, and unambiguous. Dark patterns are explicitly prohibited. If a user refuses or withdraws consent, the gatekeeper cannot ask again for the same purpose for a full year. Users who decline must not receive a degraded or different version of the service.
No Tracking for Advertising Without Consent
Under Article 5(2)(a), gatekeepers cannot process personal data of end users from third-party services for online advertising purposes without consent. If you run a website that feeds visitor data to Google or Meta through their advertising pixels or analytics tags, the gatekeeper must be able to prove that the visitor consented.
Other Key Obligations
Gatekeepers must allow app developers to steer users to offers outside their platforms, must not self-preference their own products in search results, must allow users to uninstall pre-installed apps, and must provide business users with access to their performance data.
How the DMA Changes Cookie Consent for Your Website
The DMA does not directly regulate your website. You are not a gatekeeper. But the regulation's ripple effects reach every site that relies on gatekeeper services - and that includes almost everyone running analytics or marketing cookies.
Google responded to the DMA by enforcing its EU User Consent Policy with renewed urgency. Since March 2024, websites targeting EU users must use a Google-certified consent management platform and implement Google Consent Mode v2 to signal user consent preferences back to Google's services. Without valid consent signals, Google restricts access to conversion tracking, remarketing audiences, and personalisation features in GA4 and Google Ads.
Meta took a similar path. Under DMA pressure, it initially offered EU users a "pay or consent" model - either agree to personalised advertising or pay a monthly subscription fee for an ad-free experience. The European Commission found this model non-compliant and fined Meta EUR 200 million in April 2025. Meta then agreed to offer EU users the choice between full personalised ads and a less personalised option that requires sharing less data, with the revised model rolling out in January 2026.
What This Means in Practice
If your website uses Google Analytics, Google Ads, Meta Pixel, or any advertising service from a designated gatekeeper, you need a consent banner that does three things correctly. First, it must present accept and reject options with equal prominence - no oversized green "Accept All" button next to a tiny grey "Manage Preferences" link. Second, it must communicate the user's consent choice to the gatekeeper through a standardised mechanism such as Google Consent Mode or the IAB Transparency and Consent Framework (TCF). Third, it must log consent for audit purposes, because the gatekeeper may demand proof.
A consent management platform handles all three. It detects which cookies and trackers are present, categorises them, presents a compliant consent interface, and passes consent signals downstream to Google, Meta, and other services that require them.
Enforcement So Far: Fines and Investigations
The European Commission is the sole enforcer of the DMA, and it has moved quickly. In March 2024, just weeks after the compliance deadline, the Commission opened non-compliance investigations into Apple, Google, and Meta. The first fines arrived on 23 April 2025.
| Gatekeeper | Violation | Fine |
|---|---|---|
| Apple | Preventing app developers from steering users to offers outside the App Store (Article 5(4)) | EUR 500 million |
| Meta | "Pay or consent" advertising model that did not offer genuine user choice (Article 5(2)) | EUR 200 million |
| Antitrust violation related to advertising technology (separate from DMA, decided September 2025) | EUR 2.95 billion |
These amounts sit well below the DMA's maximum penalty of 10% of worldwide annual turnover (rising to 20% for repeat offenders). The Commission has signalled that initial fines are calibrated to encourage compliance, with periodic penalties of up to 5% of average daily worldwide turnover available for ongoing non-compliance.
Investigations into Google's self-preferencing in Search and anti-steering in Google Play remain open. Cloud computing is emerging as the next frontier, with probes into Amazon and Microsoft launched in November 2025.
DMA vs GDPR: How They Work Together
The DMA and GDPR are both EU regulations with equal legal standing. They overlap significantly on consent and personal data, but serve different purposes. The GDPR protects individual privacy rights. The DMA protects market competition.
Where the two intersect is on consent. Article 5(2) of the DMA explicitly references GDPR-standard consent (as defined in Articles 4(11) and 7 of the GDPR) as the required standard for gatekeepers seeking to combine user data. The European Commission and the EDPB published joint guidelines clarifying how the two frameworks interact, particularly around what constitutes a genuine, freely given choice.
For website owners, the practical takeaway is straightforward: GDPR consent requirements have not changed, but the DMA makes it far more likely that your advertising and analytics partners will enforce them. Where Google and Meta once tolerated weak consent implementations, they now actively restrict features for sites that fail to pass valid consent signals.
What the DMA Means for Smaller Businesses
The DMA's direct obligations fall only on designated gatekeepers. A small e-commerce shop or a medium-sized SaaS company will never be designated. But the indirect effects are real.
Google's enforcement of its EU User Consent Policy means that any website running analytics or advertising through Google's ecosystem must implement proper consent flows. Failure to do so results in degraded data: no conversion tracking, no remarketing lists, no audience insights. For businesses that rely on paid advertising, this is a measurable loss in campaign performance.
On the positive side, data portability requirements mean users can move their data between services more easily, and the prohibition on self-preferencing may level the playing field in search results and app store rankings.
DMA Review and What Comes Next
The European Commission is required under Article 53 to evaluate the DMA by 3 May 2026 and every three years after that. Cloud computing is already under scrutiny as a potential expansion area. The U.S. administration has criticised the DMA as discriminatory towards American companies and threatened retaliatory tariffs, adding geopolitical uncertainty to the enforcement outlook.
For website owners, the direction of travel is clear. Consent requirements are tightening, not loosening. Non-essential cookies need proper consent. Advertising platforms demand verifiable consent signals. And regulators across the globe are watching the DMA as a model for their own competition and privacy legislation.
Frequently Asked Questions
Does the DMA apply to my website directly?
No. The DMA applies only to designated gatekeepers - currently Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, and Booking.com. Your website is affected indirectly because these gatekeepers now require you to pass valid consent signals when using their advertising and analytics services.
Do I need to change my cookie banner because of the DMA?
Likely yes, if your banner does not already meet GDPR standards and pass consent signals via Google Consent Mode v2 or the IAB TCF. Google and Meta now restrict features for websites that cannot demonstrate valid user consent.
What happens if I ignore the DMA's indirect requirements?
You will not be fined under the DMA itself, but Google may disable conversion tracking, remarketing, and audience building in your Google Ads and GA4 accounts. Meta may similarly restrict ad targeting capabilities for your campaigns.
Is the DMA the same as the GDPR?
No. The GDPR protects individual data privacy rights and applies to all organisations processing personal data. The DMA regulates competition in digital markets and applies only to designated gatekeepers. They overlap on consent requirements but serve different purposes.
How much can gatekeepers be fined under the DMA?
Up to 10% of worldwide annual turnover for initial violations, rising to 20% for repeat offences. Periodic penalties of up to 5% of average daily global turnover can be imposed for ongoing non-compliance. Structural remedies, including forced divestiture, are available as a last resort.
Which gatekeeper services are covered by the DMA?
As of early 2026, 23 core platform services are designated, including Google Search, YouTube, Android, Chrome, Google Maps, Google Play, Google Shopping, Google Ads, Facebook, Instagram, WhatsApp, Messenger, the App Store, iOS, Safari, iPadOS, Amazon Marketplace, Windows, LinkedIn, TikTok, and Booking.com's travel intermediation service.
Will the DMA affect websites outside the EU?
If your website targets EU users and uses gatekeeper services like Google Analytics or Meta Pixel, you are indirectly affected. The gatekeepers' consent requirements apply based on the location of the end user, not the location of the website owner.
Get Your Cookie Consent Right
The DMA has raised the bar for consent across the entire advertising ecosystem. If your website relies on Google, Meta, or any other gatekeeper service, your cookie setup needs to meet the standard these platforms now enforce. Kukie.io scans your site for cookies, categorises them, and passes consent signals to Google Consent Mode v2 and the IAB TCF - so your tracking keeps working and your visitors get a genuine choice.
