A recent study by the Federation of German Consumer Organizations (vzbv) shows: Using manipulative designs, the big internet companies want to get users to agree to the most extensive possible merging of personal data, among other things. How the gatekeepers do this and why they are violating the Digital Markets Act.
Gatekeepers have been subject to the Digital Markets Act in the EU since March 2024
Since March 7, 2024, the six major digital groups Amazon, Alphabet, Apple, Meta, Microsoft and TikTok (Bytedance) must fully comply with all obligations under the Digital Markets Act (DMA) as gatekeepers.
The vzbv has now investigated whether these six gatekeepers comply with the provisions of Article 5(2) DMA (data pooling) and Article 5(8) DMA (Prohibition of tying) fulfill.
Article 5(2) DMA restricts the merging of personal data from central platform services with personal data from other central platform services, other gatekeeper services and third-party services. In principle personal data are not merged unless the user consents.
Article 5(8) DMA obliges gatekeepers not to link the use of the central platform services they offer with certain other services of the same company. In particular, providers may not require users to subscribe to or register with other central platform services from the gatekeeper's offering if they wish to use, access, log in to or register with a central platform service of the gatekeeper.
Reading tip: DSA - Temu and Shein must provide information to EU
Gatekeepers use dark patterns for data merging
According to the consumer advocates, there are manipulative designs (dark patterns) in all of the services investigated. These aim to ensure that users allow the gatekeepers to merge personal data as far as possible. Dark patterns concern, for example, the visual design of the selection window, the linguistic framing of the options for users or the effort required to individually adapt or change the data aggregation.
Concrete example from the vzbv: "If you choose the variant without data exchange with Facebook on Facebook Marketplace, the banner 'You are using the non-personalized version of Marketplace. You can find more information and options here (link). In this case, the link takes users to the 'Change my selection' option and then to the selection menu." With the personalized version (with Consent) this banner does not appear on the start screen of the Marketplace.
TikTok (ByteDance), on the other hand, is deliberately playing on users' concerns that they will have to pay for the service if they do not agree to the pooling of data. "Allow us to use your data to provide you with relevant Advertising so that TikTok remains free," writes the video platform, which is particularly popular with young people.
The consumer advocates also criticize the fact that the consent option for data sharing is at the top or first position in all the services examined, in some cases even highlighted in color.
"All of the services investigated continue to use manipulative designs to obtain more data," says vzbv board member Ramona Pop. The aim of the providers is to be able to compile as much data as possible into profiles.
Up to eight clicks to revoke consent—if users can even find the option
Obviously there is not only trickery in order to Consent to receive. In its report, the vzbz criticizes the fact that all of the gatekeepers examined make it difficult for users to withdraw their consent to the merging of data from multiple services.
"On average, it takes six clicks to open the Consent to revoke", according to the vzbz. The Meta services examined stand out particularly negatively, with an average of eight clicks required to revoke the Consent in the data exchange.
Another criticism is that the revocation option is sometimes particularly well hidden. As a user, you have to scroll all the way down an extensive menu to find the revocation option under unspecific categories such as "LinkedIn Services" (Microsoft) or "Use of information for Facebook products" (Meta).
In the opinion of the vzbv, the gatekeeper services investigated therefore violate Article 7 (3) sentence 4 GDPR and thus also against Article 5 para. 2 DMA, which refers to it.
Violation of the prohibition of tying on Facebook?
When examining the linking ban, the consumer advocates are particularly bothered by the close linking of Facebook and Facebook Marketplace. "Although the Marketplace was designated as a central platform service and therefore may not be linked to Facebook, it should be noted that Meta does not provide an option that would allow the service to be used entirely without a Facebook account. Rather, the gatekeeper forces users who want to buy or offer products on the Marketplace to log in with a Facebook account."
In the case of Google (Alphabet) and Apple, the review revealed that the services examined are not directly linked to each other. Instead, a cross-service user account of the gatekeeper company is required for full use.
For Chrome, Google Android, Google Maps, Google Play, Google Shopping, Google Search and YouTube the only registration option available is to sign in with a Google account. The situation is similar for the App Store, iOS and Safari. The services can be used with the same Apple ID and can only be fully used as a logged-in user.
A Infringement against the Prohibition of tying is obviously not the case here: Apple ID and Google account are not central platform services within the meaning of the DMA.
Germany's top consumer advocate Ramona Pop is calling for tougher action from the EU: "Google, Meta and Amazon act as gatekeepers and influence what people in Germany consume. When providers use their influence to their own advantage, this also harms competition. The European Commission must take decisive action against violations of applicable law. It should initiate further investigation proceedings, as it has already done against Alphabet, Apple and Meta." This could again be very expensive for the companies.
Source: Data aggregation and coupling under the Digital Markets Act
German 
English 
Italian 
French