ConsentScout

← All guides

The Digital Markets Act: what it means for ad personalisation

The DMA places stricter consent obligations on Google and Meta than GDPR alone. Here's what changed, who it affects, and how it connects to Google Consent Mode v2.

2026-02-28

Digital Markets Act

The Digital Markets Act (DMA) came into force in March 2024. It designated six companies as Gatekeepers - platforms large enough to control access to markets - and imposed specific obligations on what those Gatekeepers can do with personal data. The list includes Google, Meta, Apple, Amazon, Microsoft, and ByteDance.

For most compliance teams, the DMA registered as a competition law matter and not much else. For marketing teams, that was a mistake.

What the DMA requires from Gatekeepers

Article 5(2) of the DMA prohibits Gatekeepers from combining personal data across their services, or using data from third-party sites for ad targeting, unless the user has given explicit consent. "Explicit" here means consent that is freely given, specific to the purpose, and not bundled with acceptance of general terms.

That restriction covers:

  • Combining data from a platform's own services (for example, using a user's Google Search history to inform what Google Ads shows them on YouTube)
  • Using data collected on third-party sites - including via tracking pixels, tags, or cookies - to build ad profiles

For marketers, that second bullet is the one that matters. Remarketing, Customer Match, and lookalike audiences on Google and Meta all depend on data flows the DMA now regulates. If a user in the EEA has not given valid DMA consent, the Gatekeeper is not supposed to use that user's data for personalised targeting.

How this connects to Google Consent Mode

Google's response to the DMA was to update Google Consent Mode (GCM) to version 2, adding two new parameters to the four that already existed:

ParameterWhat it controls
ad_user_dataWhether user data may be sent to Google for advertising purposes
ad_personalizationWhether data may be used for personalised ads (remarketing, audience targeting)

The original four parameters (ad_storage, analytics_storage, and their equivalents) addressed GDPR. The two new ones address DMA. Specifically, ad_personalization: 'denied' tells Google that this user has not consented to their data being used for personalised advertising - which is exactly what Article 5(2) restricts.

If you are running Google Ads in the EEA and have not yet updated to GCM v2 with all six parameters set, your campaign targeting may be operating on users who have not given the consent the DMA requires. Google's own guidance is clear that GCM v2 with valid consent signals is required for personalised advertising features.

What "explicit consent" looks like in practice

The DMA's consent standard is close to GDPR's, but there are a few practical differences worth knowing:

Consent must be asked per purpose. A single "I agree to all data uses" tick box does not meet the standard. Users should be able to say yes to analytics and no to remarketing, for instance.

Declining should not degrade the service. Gatekeepers cannot make access to their core service conditional on accepting personalised advertising. In practice, this is why Google has introduced ad-free paid tiers in some markets - a concession to regulators that non-consenting users still get a usable product.

Consent can be withdrawn. The mechanism to withdraw must be as accessible as the mechanism to give it. A user who consented last year can change their mind, and the consent records must reflect that.

These requirements largely align with what a well-implemented Consent Management Platform (CMP) already captures. The problem is that many sites have CMPs that collect consent but do not correctly pass that consent state to Google's tags - which means GCM v2's parameters are never updated when a user declines.

Meta and the DMA

Meta received its DMA enforcement notice in late 2024 regarding its "pay or consent" model. The European Commission's position is that offering a binary choice between paying for the service and accepting data use for advertising does not constitute freely given consent.

For marketers running Meta campaigns, the practical implication is that the pool of EEA users available for personalised targeting is smaller than your account reporting suggests. Users who have chosen not to pay and not to consent, or who have opted out through Meta's data settings, are excluded from personalised audience targeting. Meta's own consent mode integration passes a data_processing_options signal, but implementation quality varies considerably across sites.

What to check on your own site

You do not need to audit the Gatekeepers themselves - that is the Commission's job. What you can check is whether your site is correctly passing consent signals to Google and Meta when users make their choices.

For Google, the key questions are:

  1. Does your CMP set all six GCM v2 parameters to 'denied' before any user interaction?
  2. Does it correctly call gtag('consent', 'update', ...) when a user accepts or declines individual categories?
  3. Is ad_personalization being set separately from ad_storage, or is your CMP treating them as one?

A quick way to check without opening developer tools: scan your site with ConsentScout and look at the GCM status in the results. A result of "Advanced mode" with correct defaults means the signals are reaching Google's tags before any cookies are set. A result of "Basic mode" or "Not detected" suggests your consent setup does not meet the standard the DMA requires.

The broader point

The DMA matters for marketers because it changes what data platforms are allowed to use - and that has a direct effect on targeting reach, audience sizes, and attribution. It is not enough to have a cookie banner; the banner's output must connect to the ad platforms in a way they can act on.

GCM v2 is the mechanism for Google. Meta's pixel has its own consent signal. Both require your CMP to be correctly configured and tested, not just present.