DMA — The EU Digital Markets Act
What the Digital Markets Act means for consent, gatekeepers, and how it changes the consent game.
The Digital Markets Act (DMA) isn’t a privacy law. It’s a competition law. But it has massive implications for consent, cookies, and data collection on the web.
Effective since November 2022, fully applicable since March 2024. Enforced by the European Commission.
What the DMA does
The DMA targets “gatekeepers”: large digital platforms with significant market power. As of 2024-2025, the designated gatekeepers include Alphabet (Google), Amazon, Apple, ByteDance, Meta, and Microsoft.
For these gatekeepers, the DMA imposes specific obligations:
- Cannot combine personal data across their services without explicit consent
- Cannot pre-install their own apps and require users to use them
- Cannot prevent users from uninstalling pre-installed apps
- Cannot track users outside their platform without consent
- Must allow third-party interoperability
- Must provide data portability tools
Why it matters for consent
Here’s the big one for cookie consent: gatekeepers must obtain explicit consent before combining personal data from different services or tracking users across third-party sites.
This means Google cannot just assume you consent to cross-service tracking because you have a Google account. Meta cannot combine your Instagram and Facebook data without asking. And the consent must meet GDPR standards: freely given, specific, informed. The ePrivacy Directive is what makes the cookie-and-tracker layer itself consent-dependent, so the DMA hooks into a regime that was already there.
This changes the consent game for anyone using gatekeeper services (analytics, ads, embeds) on their websites.
Google Consent Mode and the DMA
Google’s Consent Mode v2 was largely driven by DMA compliance requirements. When consent is denied, Google must respect that across all its services. No fudging. No “legitimate interest” workaround for DMA-covered processing.
Who needs to care
- Gatekeepers are directly regulated and face fines up to 10% of global annual turnover.
- Websites using gatekeeper services: your Google Analytics, Meta Pixel, Google Ads integrations must respect DMA consent requirements.
- Everyone else: the DMA sets a new baseline for consent quality that will influence regulation globally.
The practical impact
If you run a website with Google Analytics or Meta Pixel, you need:
- A consent mechanism that explicitly informs users about data combination and cross-service tracking
- Consent signals that gatekeeper services can actually read and respect
- The ability to prove consent was obtained before any gatekeeper data processing began
How Zest handles it
Zest sends properly formatted consent signals that gatekeeper APIs (Google Consent Mode, Meta CAPI) can process. Consent is collected first, then third-party services are activated. No tracking before consent. No gray areas. Documented records of every consent decision.