A recent study by the Federation of German Consumer Organizations (vzbv) shows: Using manipulative designs, the big internet companies want to get users to agree to the most extensive possible merging of personal data, among other things. How the gatekeepers do this and why they are violating the Digital Markets Act.
Gatekeepers have been subject to the Digital Markets Act in the EU since March 2024
Since March 7, 2024, the six major digital groups Amazon, Alphabet, Apple, Meta, Microsoft and TikTok (Bytedance) must fully comply with all obligations under the Digital Markets Act (DMA) as gatekeepers.
The vzbv has now investigated whether these six gatekeepers comply with the provisions of Article 5(2) DMA (data pooling) and Article 5(8) DMA (prohibition of tying) in their services.
Article 5(2) DMA restricts the merging of personal data from central platform services with personal data from other central platform services, other gatekeeper services and third-party services. In principle, personal data may not be merged unless the user consents.
Article 5(8) DMA obliges gatekeepers not to link the use of the central platform services they offer with certain other services of the same company. In particular, providers may not require users to subscribe to or register with other central platform services from the gatekeeper's offering if they wish to use, access, log in to or register with a central platform service of the gatekeeper.
Reading tip: DSA - Temu and Shein must provide information to EU
Gatekeepers use dark patterns for data merging
According to the consumer advocates, there are manipulative designs (dark patterns) in all of the services investigated. These aim to ensure that users allow the gatekeepers to merge personal data as far as possible. Dark patterns concern, for example, the visual design of the selection window, the linguistic framing of the options for users or the effort required to individually adapt or change the data aggregation.
Concrete example from the vzbv: "If you choose the variant without data exchange with Facebook on Facebook Marketplace, the banner 'You are using the non-personalized version of Marketplace. You can find more information and options here (link). In this case, the link takes users to the 'Change my selection' option and then to the selection menu." In the personalized version (with consent), however, this banner does not appear on the start screen of the Marketplace.
TikTok (ByteDance), on the other hand, is deliberately playing on users' concerns that they will have to pay for the service if they do not agree to the pooling of data. "Allow us to use your data to show you relevant advertising so that TikTok remains free," writes the video platform, which is particularly popular with young people.
The consumer advocates also criticize the fact that the consent option for data sharing is at the top or first position in all the services examined, in some cases even highlighted in color.
"All of the services investigated continue to use manipulative designs to obtain more data," says vzbv board member Ramona Pop. The aim of the providers is to be able to compile as much data as possible into profiles.
Up to eight clicks for revocation - if users find the option at all
Apparently, there is more than just trickery to obtain consent. In its report, the vzbz criticizes the fact that all of the gatekeepers examined make it difficult for users to revoke their consent to the merging of data from multiple services.
"On average, it takes six clicks to withdraw consent", according to the vzbz. The Meta services examined stand out particularly negatively, with an average of eight clicks required to withdraw consent to data sharing.
Another criticism is that the revocation option is sometimes particularly well hidden. As a user, you have to scroll all the way down an extensive menu to find the revocation option under unspecific categories such as "LinkedIn Services" (Microsoft) or "Use of information for Facebook products" (Meta).
In the opinion of the vzbv, the gatekeeper services examined thus violate Article 7 (3) sentence 4 GDPR and thus also Article 5 (2) DMA, which refers to this.
Violation of tying ban on Facebook?
When examining the linking ban, the consumer advocates are particularly bothered by the close linking of Facebook and Facebook Marketplace. "Although the Marketplace was designated as a central platform service and therefore may not be linked to Facebook, it should be noted that Meta does not provide an option that would allow the service to be used entirely without a Facebook account. Rather, the gatekeeper forces users who want to buy or offer products on the Marketplace to log in with a Facebook account."
In the case of Google (Alphabet) and Apple, the review revealed that the services examined are not directly linked to each other. Instead, a cross-service user account of the gatekeeper company is required for full use.
For Chrome, Google Android, Google Maps, Google Play, Google Shopping, Google Search and YouTube, signing in with a Google account is the only registration option available. The situation is similar for the App Store, iOS and Safari. The services can be used with the same Apple ID and can only be fully used as a logged-in user.
However, there does not appear to be a breach of the tying prohibition here: Apple ID and Google account are not central platform services within the meaning of the DMA.
Germany's top consumer advocate Ramona Pop is calling for tougher action from the EU: "Google, Meta and Amazon act as gatekeepers and influence what people in Germany consume. When providers use their influence to their own advantage, this also harms competition. The European Commission must take decisive action against violations of applicable law. It should initiate further investigation proceedings, as it has already done against Alphabet, Apple and Meta." This could again be very expensive for the companies.
Source: Data aggregation and coupling under the Digital Markets Act