Update Data Protection No. 135

Online Marketing pursuant to the Digital Services Act

Previously, the rules for online marketing primarily resulted from the GDPR, the German Telecommunication Telemedia Data Protection Act [Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDPA] and the German Act against Unfair Competition [Gesetz gegen den unlauteren Wettbewerb, UWG]. Moreover, Art. 25 and 26 of the DSA now has to also be taken into consideration in practice. While these do not enter into force until 2024, they nevertheless also contain a significant number of new requirements that should be dealt with early on. We already reported on the DSA in general in February 2023, in particular also regarding the early implementation deadlines.

The new rules only apply for "online platforms"

The new advertising requirements do not obligate every company, but rather only the providers of "online platforms". Broadly speaking, online platforms include all apps and websites that feature user generated content. In the language of the DSA, this is worded as follows: An "‘online platform’ means a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public“. The following are practical examples of online platforms as defined under DSA:

  • Social media providers and providers of their own area within a social media platform (e. g. operator of a Facebook fan page)
  • Providers of online forums
  • Providers of websites with extensive commenting and review options (including both the classic media portals as well as rating portals)
  • App stores.

Incidentally, the term "information" is not defined in the DSA. Thus, it is not clear whether only "text information" applies or if user generated content in the form of images, videos or whether individual games (e. g. in the case of platforms such as Roblox) or in general all Metaverse portals are also included.

Exceptions for user generated content as a technically mandatory secondary function

This does not include, however, such offers where the provision of user generated content "is merely a minor and purely ancillary feature that is intrinsically linked to another service, or a minor functionality of the principal service, and that feature or functionality cannot, for objective technical reasons, be used without that other or principal service”. This exception is rather narrowly worded. It must be seen in practice whether e. g. a webshop which allows for a small number of ratings, but no user generated content, can invoke the exception.

DSA advertising regulations do not apply to SME portals

However, the strict regulations under Art. 25 and 26 for advertising in online platforms do not apply to SMEs as a whole in accordance with Art. 19(1) DSA. With reference to the Commission Recommendation 2003/361/EU, therefore, companies with less than 250 employees and revenues of less than EUR 50 million or a balance sheet total of less than EUR 43 million are exempt from the requirements for online marketing under the DSA.

Prohibition of personalized advertising on the basis of Art. 9 GDPR data

In accordance with Art. 26(3) DSA, online platforms are not allowed to present advertising on the basis of profiling within the meaning of Art. 4 No. 4 GDPR, if particularly sensitive information as defined under Art. 9 GDPR is used for this purpose. Thus, e. g. personalized advertising based on health data is categorically excluded. Advertising based on the storing of profile information regarding "political opinions" or "ideological convictions" is also prohibited. This restricts the current advertising practice on social media significantly. Forums whose business model is primarily based on health topics and advertising for products from the health care sector would probably have to rethink their practises.

From the point of view of legal doctrine, it is interesting that an advertising practice which, in accordance with the GDPR, may be allowed based on a declaration of consent pursuant to Art. 9(2) lit. a GDPR, is prohibited by another EU regulation. The resolution of this conflict may have to be decided by the courts. There is reason to believe that as Art. 26(3) DSA takes precedence over Art. 9(2) lit. a GDPR lex specialis. At any rate, however, the violation of Art. 26(3) DSA does not necessarily result in the violation of Art. 9 GDPR. This is important because the possible fines for violations of GDPR and the DSA may vary widely (see below).

Obligations for advertising on online platforms as well

Regardless of the use of data according to Art. 9 GDPR, the provider of an online platform must meet the following obligations in connection with advertising:

  • a clear labelling of advertising as such (Art. 26(1) lit a);
  • the provision of information as to the natural or legal person on whose behalf the advertisement is presented (Art. 26(1) lit b); if a different person has paid for the advertising, the latter must also be named (Art. 26(1) lit c);
  • an explanation as to which criteria were used to select the advertising ("meaningful information […] about the main parameters used to determine the recipient to whom the advertisement is presented and, where applicable, about how to change those parameters."; Art. 26(1) lit d);
  • the provision of a function which allows the users to label their content as commercial communication (and thus at least indirectly as advertising).

The first- and last-mentioned obligations are relatively easy to implement. It would be difficult, however, to name the advertiser or those which pay for this. This is perhaps possible in the case of very simple advertising models. In the context of personalized advertising selected in a real-time-bidding process, in which several players such as "Demand Side Platforms" (DSPs), "Supply-Side Platforms" (SSPs) and various marketing agencies participate, this is likely to be challenging in several respects. It is to be hoped that the advertising industry will provide auxiliary solutions for this purpose e.g. as part of the "IAB TCF" (see Data Protection Update No. 131).

Overlapping with obligations under the GDPR – enriching the privacy policy?

Please note that the requirements under the DSA also apply if advertising is completely without personalization and without any processing of personal data.

However, if personal data is used (and for this purpose IP addresses or cookie IDs are sufficient according to the ECJ jurisprudence) the requirements from the GDPR must also be met at the same time. The obligation to provide information according to Art. 12-14 GDPR, therefore, equally applies in addition to the obligation to provide information under Art. 25(1) DSA. However, in rare occasions, one can fulfill the obligation to provide information according to DSA by enriching the privacy policy with appropriate information. One the one hand, it must be made clear that the extent of information required under Art. 25(1) DSA at times goes significantly beyond that required according to GDPR (e. g. with regards to "main parameters used to determine the recipient to whom the advertisement is presented.“). On the other hand, abstract-general information does not suffice according to the DSA, but rather for each individual advertising material it must be specifically and individually explained as to who finances it and why is it currently displayed to the specific user. In any case, this requires individual information in the case of personalized advertising.

Unfortunately, exception rules such as those in Art. 13(4) or Art. 14(5) GDPR are not included in Art. 26 DSA, so that the obligation to provide information according to Art. 26 DSA applies even if it can be firmly assumed that the user of the online portal is already in possession of the relevant information (because it is e. g. obvious from the advertising banner as to in whose name the advertising is being carried out).

Additional transparency requirements for "very large online platforms"

Art. 39 DSA stipulates additional requirements for "very large online platforms". Here in particular, additional technical specifications are stipulated as to how the information must be made available to the user (e. g. the information regarding each individual advertisement must be made available and searchable in an archive for a period of one year).

However, as defined under the DSA, a "very large online platform" exists only from an average user number of at least 45 million active users in the Union (Art. 33 GDPR). Moreover, the special rules for "very large online platforms" apply only if the EU Commission has determined, based on the reporting of the number of users in accordance with Art. 24(4) DSA, that a specific online platform is a "very large online platform" (see Art. 33(4) DSA).

Dark pattern for cookie banners and consent management platforms

Consent management platforms have already been subject to a high degree of requirements for several years in terms of cookies and personal data. Misleading designs or other "controlling" of the users through "nudging technics", can result in the invalidity of declarations of consent according to Art. 7 GDPR and Section 25 TTDSG (see Data Protection Update No. 108).

At the same time, now a general prohibition on influencing the users through dark patterns must be observed in accordance with Art. 25 DSA ("deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions“), which applies to online platforms regardless of whether personal reference or advertising is intended (Art. 25 DSA). While it is true that Art. 25(2) DSA stipulates that the requirements of the GDPR take precedence in the case of overlapping of facts, no reference is made in Art. 25(2) DSA to the national implementation of the previous ePrivacy Directive (2002/58/EG), so the regulations under Section 25 TTDSG apply at the same time to Art. 25 DSA.

Due to the similar wording and connection to the voluntariness or the possibility of making free and informed decisions, it might be the case that, at the end of the day, there are no differences in requirements. However, as it might be the case that Art. 25 DSA is not implemented in Germany (and other European jurisdictions) by the already overloaded data protection supervisory authorities, but rather by other or entirely new authorities, it is also conceivable to develop a practice in which the interpretation resulting from Section 25 TTDSG and Art. 25 DSA differ significantly from each other.

Still no fines and no competent authorities – but risk of warnings

Two of the most relevant parameters are still not defined in Germany: which fines can be imposed in the case of a violation and which authorities can impose the fine.


From a technical and organizational point of view, the fulfillment of the requirements under Art. 26 and 39 DSA is anything but trivial. Every company must therefore check whether it is a provider of an "online platform" which displays advertisement to the users. In particular, in the case of personalized advertising, individual information is required which is currently still not available to many operators of online platforms.

Moreover, every online platform should closely monitor in the coming months whether additional specifications of the obligations will result from the implementation of an industry code for online advertising in accordance with Art. 46 DSA, which authority will be declared by the German legislator as the competent authority and which framework of fines is set in Germany. Regardless of the fine framework it is to be noted that warnings might be issued in the case of violations of the DSA in accordance with Section 3a UWG when it concerns "market conduct rules".

Download as PDF

Contact persons

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.