The European Commission and EDPB published over 100 public submissions on draft DMA-GDPR guidelines that constrain how Alphabet, Apple, Meta, Amazon and Microsoft handle consent for personalized ads and data access. Final rules expected in 2026.
Yesterday, the European Commission published over 100 public submissions received during its closed consultation on draft joint guidelines governing the intersection of the Digital Markets Act and the General Data Protection Regulation - a document that, once finalised, will set binding expectations for how Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft handle personal data across their core platforms in the European Union.
The consultation opened on 9 October 2025 and closed on 4 December 2025 at 23:59 CET. The Commission and the European Data Protection Board announced on 13 March 2026 that the submissions had been published in full, with personal data redacted. The final guidelines are expected to be adopted in 2026.
The stakes are significant. According to the consultation page published by the Commission, contributions were sought "particularly from business users (especially SMEs) and end users of the gatekeepers' digital services in scope of the DMA and associations representing these users." What arrived instead was a remarkably broad cross-section: law firms, think tanks, civil society groups, academics, trade associations, individual citizens and, critically, the gatekeepers themselves. The document governing both how companies like Google and Meta may process personal data for advertising, and how alternative app store operators or messaging services may access that data, drew scrutiny from across the digital economy.
The DMA and GDPR pursue distinct objectives, and that is where the complexity begins. According to the joint guidelines drafted for public consultation, "the DMA aims to tackle the potential harmful effects for business users of unfair practices by laying down harmonised rules applicable to gatekeepers ensuring, for all businesses, contestable and fair markets in the digital sector across the Union." The GDPR, by contrast, "aims to protect natural persons with regard to the processing of personal data and ensure the free flow of personal data in the Union covering all data controllers and processors."
Both frameworks can apply simultaneously to the same entity performing the same act. A gatekeeper running an ad network is, at once, a data controller under the GDPR and a regulated entity under the DMA. The guidelines make clear that this overlap is not coincidental - it is structural. According to the document, "a consistent and coherent interpretation of the DMA and the GDPR should mutually reinforce and maximise achievement of the respective objectives of the two frameworks." The document also warns explicitly that the guidelines are designed to "avoid risks that gatekeepers, controllers and processors instrumentalize their compliance with the GDPR with a view to make their compliance with the DMA less effective, and vice-versa."
That last sentence carries real commercial weight. Critics of large platforms have long argued that privacy messaging can function as a competitive moat - that invoking data protection obligations can, in practice, limit what smaller rivals or alternative stores are permitted to do. The guidelines attempt to close that gap.
The most commercially sensitive section of the guidelines concerns Article 5(2) DMA, which governs end-user consent for data processing for advertising purposes. This provision prohibits gatekeepers from doing four things without obtaining valid consent from end users: processing personal data from third-party services for online advertising; combining personal data across different core platform services; cross-using personal data from one service in another separately provided service; and signing users into services in order to combine their data.
According to the guidelines, all four of these categories "qualify as processing operations within the meaning of Article 4(2) GDPR." That means GDPR consent standards apply - and those are demanding. Consent must be "freely given, specific, informed and unambiguous," according to Articles 4(11) and 7 of the GDPR. Gatekeepers cannot rely on legitimate interests or contractual necessity as a lawful ground for these categories of processing. Consent is the only option.
The practical consequence for digital advertising is considerable. Performance Max from Google, Advantage+ from Meta and similar AI-driven campaign tools select audiences automatically across platforms in ways that may combine data across services. Whether those automated selections constitute "profiling" requiring consent under Article 9 GDPR - particularly when the underlying data infers sensitive categories - is a live regulatory question the guidelines begin to address but do not fully resolve.
On consent design, the guidelines are specific. Gatekeepers must offer a "less personalised but equivalent alternative" to users who refuse consent - they cannot simply deny service. Acceptance and refusal options must be presented in equal terms, "without nudging end users towards consenting." Pre-ticked boxes are not valid consent and are explicitly described as non-compliant. And once a user refuses or withdraws consent, the gatekeeper "is prohibited from repeating its request for consent for the same purpose more than once within a period of one year."
That annual limit is technical and nuanced. According to the guidelines, the clock starts from the moment a user "actively" makes a choice - not from when they dismiss or abandon a consent dialog. If a user deletes the cookie or technical record that stores their preference, or switches to a different device, a fresh request may be permissible.
The largest cluster of individual public submissions focused not on advertising data but on Article 6(4) DMA - the provision requiring gatekeepers to allow and technically enable the installation and use of third-party apps and alternative app stores on their operating systems.
Multiple submissions, including those from a French citizen identified as Thibaud Boquet, a Czech developer named Jan Bouška, and a Swedish user named Samuel Blomster, referenced Google's August 2025 announcement of a mandatory developer verification programme. According to one submission dated 7 November 2025, "In August 2025, Google announced that starting next year, it will no longer be possible to develop apps for the Android platform without first registering centrally with Google. This registration will involve: paying a fee to Google; agreeing to Google's T&Cs; and listing all current and future application identifiers."
Several respondents connected this directly to the DMA. According to a submission from Evgeni Kunev of Bulgaria, "Gatekeepers being allowed to require registration by alternative store operators does not seem to comply with (at least) the spirit of the GDPR. Gatekeepers have no legitimate interest in having that information. Furthermore this maintains their ability to gather information on end users' installed applications outside their respective app stores."
A Finnish respondent named Andreas Jabbari, writing as an Apple user, took a different angle - arguing that DMA enforcement itself had produced harmful outcomes. According to his submission, "Over 90% of high-profile enforcement actions, fines, and specification proceedings since 2024 have singled out Apple. Features like Wi-Fi sync on Apple Watch, iPhone Mirroring, Live Translation, and Home Screen web apps are being deliberately crippled or removed in the EU only."
The tension in the submissions reflects a genuine regulatory challenge. The guidelines themselves acknowledge it. According to the document, gatekeepers "should not seek to instrumentalize their compliance with other applicable laws with a view to make their compliance with Article 6(4) DMA less effective." At the same time, Article 6(4) does permit gatekeepers to take security-related measures, provided those measures are "strictly necessary and justified and that there are no less-restrictive means to achieve that goal."
Beyond advertising and app stores, the guidelines address two further provisions with direct implications for the marketing technology ecosystem.
Article 6(9) DMA establishes a right to data portability for end users that goes further than the equivalent right in Article 20 GDPR. According to the guidelines, portability under the DMA "applies irrespective of the lawful ground under which data has been processed by the gatekeeper under the GDPR" and must be enabled "on a continuous and real-time basis." There is no charge permitted. The legal basis for this processing by the gatekeeper is Article 6(1)(c) GDPR - compliance with a legal obligation - meaning the gatekeeper does not need separate consent to port the data, only to receive the instruction to do so.
On-device data falls within scope. According to the guidelines, "on-device data that is provided or generated in the context of the use of a CPS falls within the scope of Article 6(9) DMA, irrespective of whether the gatekeeper makes use of such on-device data." This matters for advertisers and measurement providers who rely on device-level signals that platform owners may choose not to surface through standard APIs.
Article 6(11) DMA addresses a narrower but significant slice: the right of third-party search engine providers to receive access to ranking, query, click and view data from a gatekeeper's search service. This data must be anonymised before sharing. The guidelines spend considerable space defining what anonymisation actually means in this context. According to the document, "pseudonymised data should be considered to be personal in nature" if it remains possible - using means "reasonably likely" to be employed - to re-identify the end user. Gatekeepers should select anonymisation techniques that "preserve the most quality and usefulness of the data for the third party," while still meeting the legal threshold.
For the search advertising market, this matters. Access to click and query data from dominant search platforms could, in principle, allow smaller search providers to train ranking systems competitive with those of Google, which has faced sustained DMA enforcement pressure over its European search product since March 2024.
Article 7 DMA requires gatekeepers designated for number-independent interpersonal communication services - which presently means Meta's WhatsApp - to offer interoperability with competing messaging services at no charge. WhatsApp enabled third-party chats with BirdyChat and Haiket in November 2025 as a first step toward meeting this obligation.
The guidelines address the GDPR implications of interoperability in detail. End-to-end encryption presents a particular challenge: sharing personal data with a third-party messaging service, even to route a message, constitutes data processing under the GDPR. According to the guidelines, "implementing a well-defined protocol for managing the exchange and certification of cryptographic keys between gatekeepers and providers of NIICS requesting interoperability would greatly contribute to a secure foundation for a reliable implementation of E2EE." The document also specifies that "gatekeepers should consider appropriate measures to ensure that the different service providers can only use the keys as well as any other corresponding content exchanged for key agreement received from the gatekeeper for the intended purpose of enabling interoperability."
Data protection impact assessments under Article 35 GDPR are required. This is not discretionary - the guidelines state that interoperability implementation "is very likely to fulfil the criteria for the requirement to carry out a data protection impact assessment."
A final section of the guidelines addresses the institutional mechanics of how the Commission and national data protection supervisory authorities (DPAs) are expected to cooperate when the same conduct potentially violates both the DMA and the GDPR.
The Commission holds sole authority to enforce the DMA. DPAs enforce the GDPR. But when a gatekeeper's conduct involves both frameworks simultaneously - as it almost always does in advertising - the document establishes mutual consultation obligations. According to the guidelines, "where the Commission is called upon, in the exercise of its powers, to examine whether a gatekeeper's conduct is compliant with the DMA, when such examination also entails examining whether the gatekeeper's conduct is consistent with the provisions of the GDPR," consultation with relevant data protection authorities is required. The obligation runs in both directions.
The guidelines also address double jeopardy. Gatekeepers "subjected to proceedings or sanctions by the Commission and by a data protection supervisory authority in relation to the same conduct" face potential ne bis in idem complications. The document does not resolve this fully but establishes consultation as the mechanism for avoiding it.
This matters practically. Luxembourg's Administrative Court annulled Amazon's €746 million GDPR fine yesterday on procedural grounds - not because the underlying GDPR violations were found to be absent, but because the regulator had skipped required analytical steps. As DMA enforcement scales up and as the two frameworks interact more frequently, the procedural coherence the guidelines attempt to establish will be tested repeatedly.
For digital marketing professionals, the guidelines create clarity in some areas and uncertainty in others. The prohibition on relying on legitimate interests or contractual necessity as lawful grounds for cross-service data combination is unambiguous. If a platform processes data from a third-party site to serve personalised ads - or combines a user's search history with their shopping behaviour to refine a targeting model - that processing requires consent.
Check My Ads, an advertising accountability organisation, submitted a detailed response during the consultation period. The organisation argued that the guidelines should clarify that "providing online advertising services" encompasses the full chain of operations - profiling, targeting, bidding, optimisation, measurement, frequency capping and attribution - rather than allowing narrow interpretations that could exclude algorithmic targeting steps from consent requirements.
The consent architecture questions are equally live for advertisers using Consent Mode from Google, which mandates signals aligned with EU privacy rules, and for those operating in markets where platform fines have already been issued. Apple received €150 million from French regulators and €98.6 million from Italian regulators in 2025 for asymmetric consent designs in its App Tracking Transparency framework. Meta was fined €200 million in April 2025 for its European advertising consent architecture and subsequently appealed the decision. Microsoft mandated consent signals from advertisers by May 2025.
The joint guidelines, once finalised, will provide an authoritative interpretation of how these frameworks interact. They will not create new law - both the DMA and GDPR remain the governing texts - but they will establish the Commission's and the EDPB's shared reading of ambiguous provisions. For gatekeepers, compliance teams and the advertisers who depend on those platforms to reach European consumers, that reading will effectively set the floor.
The final guidelines are expected to be published in 2026. The Commission and EDPB have stated they will "carefully review all submissions" before adoption.
Who: The European Commission and the European Data Protection Board (EDPB), acting jointly, along with over 100 respondents including gatekeepers (Alphabet/Google, Amazon, Apple, Meta, Microsoft), civil society organisations, SMEs, academics, law firms, and individual citizens.
What: The Commission and EDPB published all redacted public submissions received during the consultation on draft joint guidelines that address the interplay between the Digital Markets Act and the General Data Protection Regulation. These guidelines cover consent requirements for advertising data, app store access, data portability rights, search data sharing, messaging interoperability, and regulator coordination. The final guidelines, expected in 2026, will establish the authoritative interpretation of how both frameworks apply to the same conduct by designated gatekeepers.
When: The consultation ran from 9 October 2025 to 4 December 2025. The submissions were published on 13 March 2026. The draft guidelines were first released on 9 October 2025 as a 1.13 MB PDF reference document.
Where: The process is governed at European Union level. The DMA applies to gatekeepers' core platform services offered to users in the Union. Enforcement of the DMA rests with the European Commission; enforcement of the GDPR rests with national data protection supervisory authorities across 27 member states, coordinated through the EDPB.
Why: Both the DMA and the GDPR can apply to the same data processing act by the same entity at the same time. Without coordinated guidance, gatekeepers, their business users and end users face legal uncertainty about how to comply with both simultaneously - and face a specific risk that compliance with one framework could be used to undermine compliance with the other. The guidelines are designed to ensure the two frameworks "mutually reinforce and maximise achievement of their respective objectives."