Digital markets have experienced significant growth and dominance by a few companies and their platforms, raising concerns about competition, consumer choice, and data access. To address these issues, both the European Union (EU) and the United Kingdom (UK) have introduced regulatory reforms.

The EU has implemented the Digital Markets Act (DMA) and the Digital Services Act (DSA), while the UK has proposed the Digital Markets, Competition, and Consumer Bill (DMCCB) and the Online Safety Bill. 

We’ll look at the regulatory approaches taken by the EU and UK, highlighting similarities and differences in scope, applicability, the importance of consent and how to get started with compliance.

Data privacy regulations in the European Union 

The Digital Markets Act applies to companies designated as “gatekeepers” by the European Commission. Gatekeepers are the owners and providers of what the Commission identified as core platform services (CPS), such as search engines, social networking services, video-sharing platforms, and cloud computing services. 

Companies designated as gatekeepers must carry out self-assessments to determine that they have met and continue to meet both quantitative and qualitative criteria. The list of gatekeepers may grow or change over time based on these criteria. 

The quantitative criteria include a minimum annual turnover of €7.5 billion in the EU and at least 45 million active monthly users on the relevant platform or service in the last three financial years. Qualitative criteria consider the impact, importance, and market position of the CPS provider.

The DMA’s requirements are similar in many respects to those of the EU’s General Data Protection Regulation (GDPR), but are broader in some ways, addressing additional access to and uses of end users’ personal data. 

Data privacy regulations in the United Kingdom 

The Data Protection Act 2018 (“DPA”) covers the general processing of personal data in the UK and came into force on 25 May 2018, just before the EU GDPR took effect.

Following the end of the Brexit Transition Period, the EU GDPR became part of UK law through the European Union Withdrawal Agreement, and the Data Protection, Privacy and Electronic Communications Regulations 2019 (Exit Regulations). 

The EU GDPR gave rise to the UK GDPR, which came into force on January 1, 2021, as the EU GDPR no longer protected UK citizens’ data. It includes the provisions of the EU GDPR with only minimal changes to the core principles, rights and obligations for data protection.

The UK GDPR and the DPA 2018 (amended version) are now the principal data protection regulations in the UK. They require businesses to protect individuals’ data, obtain consent to collect and use it, and protect data subjects’ rights.

The Privacy and Electronic Communications Regulations (PECR) implemented the EU’s ePrivacy Directive (Directive 2002/58/EC) and sets out privacy rights relating to electronic communications. The PECR came into force in 2003 and .

The “British DMA”: Enter the Digital Markets, Competition, and Consumer Bill (DMCCB)

In the UK, Parliament has yet to pass the British equivalent of the DMA, the Digital Markets, Competition, and Consumer Bill, or the DSA equivalent, the Online Safety Bill.

The DMCCB applies to digital commercial operations in the UK or affecting the UK market, which are deemed to have Strategic Market Status (SMS). The definition of a digital activity is broad and includes any service provided via the internet. 

To qualify as an SMS, a firm must meet criteria such as conducting a digital activity linked to the UK, having substantial market power, and holding a position of strategic significance. Turnover thresholds of £25 billion global turnover and/or £1 billion UK turnover are also considered.

Obligations and requirements

European Union: Digital Markets Act

The DMA imposes various behavioral obligations on gatekeepers. These include allowing third-party interoperability, granting access to user-generated data, promoting fair competition, and prohibiting preferential treatment of the gatekeeper’s services. 

Gatekeepers must appoint compliance officers and submit annual compliance reports to the Commission. 

Additionally, gatekeepers are required to inform the Commission about mergers (any “intended concentration”), irrespective of whether they’re notifiable under the EU Merger Regulation or national merger rules (DMA Art. 14).

United Kingdom: Digital Markets, Competition and Consumer Bill

Strategic Market Status (SMS) firms in the UK will be subject to strict behavioral obligations under the DMCCB. These obligations revolve around fair trading, open choices, trust, and transparency. 

The specific requirements will be tailored by the Digital Markets Unit (DMU) and the Office of Communications (Ofcom), the regulatory bodies overseeing the DMCCB and the Online Safety Bill, respectively. 

SMS firms must also report proposed acquisitions meeting certain thresholds to the DMU.

EU vs. UK processes

European Union: Digital Markets Act

The EU’s legislative-driven model designates gatekeepers based on size and imposes behavioral expectations through regulation. The European Commission develops and enforces these requirements for compliance from gatekeepers.

United Kingdom: Digital Markets, Competition and Consumer Bill (DMCCB)

The UK’s approach involves more regulatory discretion. The DMU and Ofcom determine if a company has Strategic Market Status and tailor specific remedies accordingly. This approach allows for a more flexible and tailored oversight of digital platforms.

Participatory regulation

In the UK, both the DMU and Ofcom adopt a participatory regulation approach. This means regulators work closely with target companies to develop behavioral expectations and codes that can be enforced. The companies conduct their own Duty of Care analysis, which is reviewed by regulators that provide guidance and work collaboratively to define behavioral codes.

This means that beyond what’s defined by the two regulations, gatekeepers and SMS firms are required to determine their own privacy requirements to apply to third-party businesses using their services.

The importance of consent management for EU, EEA and UK companies

While both the European Union’s Digital Markets Act (DMA) and the United Kingdom’s Digital Markets, Competition and Consumers Bill (DMCCB) emphasize the significance of obtaining user consent for data processing activities, there may be variations in specific requirements and implementation.

To address these differences and get ready for data privacy compliance, follow these steps:

1. Understand the regulations

Familiarize yourself with the specific consent requirements outlined in both the DMA and DMCCB. Identify any variations in terms of lawful bases for processing, explicit consent, and additional obligations.

2. Assess your website or online platform’s data processing

Assess your organization’s data processing practices and identify any areas of noncompliance. Scan your website and check its degree of GDPR compliance.

3. Implement a leading European consent solution

Choose a consent management platform that enables GDPR and ePrivacy-compliant user consent collection and signaling for DMA compliance. Ensure that the CMP provides features such as granular consent options, secure recordkeeping, and user-friendly interfaces.

The specifics of CMP implementation do depend on what platforms you’re using, like your CMS, as well as other tools, including Google Tag Manager and other services. Cookiebot CMP is flexible, has direct integrations with leading website platforms, and can be installed with just a few lines of JavaScript. There’s also a cookie WordPress plugin.

4. Customize consent banners

Tailor the consent banners displayed on your website or online platform to meet the specific requirements of each regulation. Provide clear information about data processing activities, purpose specification, and the ability to manage preferences.

5. Update your privacy policy

Review and update your privacy policy to align with the requirements of the DMA and/or DMCCB. Include details about the types of data collected, the purposes of processing, parties with access to the data, and how user consent is obtained and managed.

6. Train your team

Educate your staff about the nuances of both regulations and the proper implementation of consent management. Ensure they understand their roles and responsibilities in obtaining and managing user consent.

Final thoughts

The UK and EU regulatory initiatives are creating de facto global digital risk management standards by taking significant steps to regulate digital markets and address concerns related to market dominance, competition, consumer choice, and data access.

While the EU has implemented the DMA and DSA, the UK is in the process of enacting the DMCCB and the Online Safety Bill. The approaches differ in some aspects, but there’s a shared goal of promoting fair competition and protecting consumer interests.


By Will Newland, Managing Director of SoBold