It’s an understatement to say much has changed online in the 23 years since the EU introduced the e-Commerce Directive. The rise of online marketplaces connecting consumers with an array of products, services, and content from individual sellers and businesses around the globe has forever changed how we research and make purchases — as well as how we communicate. These marketplaces have also made it easier to conduct cross-border trades and reach new markets.
But for all their benefits, marketplaces also have become a hotbed for bad actors and scammers to sell or trade illegal goods, services, and content online. Because of the lack of regulations, marketplaces have had few guardrails as to how they should monitor and flag illegal content and to whom, which has made it challenging for them to maintain trust and safety on their platforms.
The DSA focuses on modernizing the e-Commerce Directive by regulating online platforms, intermediaries, and marketplaces and creating obligations that better protect consumers’ rights and reduce exposure to illegal content. At the same time, the DSA gives platforms a uniform set of rules across the EU, improving the ability of smaller businesses and start-ups to compete across Europe.
What is the Digital Services Act?
The Digital Services Act (DSA) requires online platforms, hosting providers, and other intermediaries that operate in the EU to create safer digital spaces that protect the fundamental rights of all users. In effect since August 25, 2023, the DSA delivers a single transparency and accountability framework across the EU to protect consumers from illegal content, including goods and services. The DSA also requires online platforms to provide a mechanism to allow users to flag illegal content.
The DSA and the Digital Markets Act (DMA), which aims to level the playing field for innovation and competition in online markets and imposes additional regulations for large conglomerates such as Amazon, Apple, Google, Meta, and Microsoft, together form a common set of rules that apply across the EU and represent a major step toward protecting consumers from harm while providing greater choice.
What are the requirements of the DSA?
The DSA touches virtually every type of service provider in the online ecosystem that operates in the EU, including:
- Intermediary services providers, defined as companies offering network infrastructure, including internet access providers and domain name registrars;
- Hosting services providers, such as cloud and web hosting services; and
- Online platforms that bring together sellers and consumers, such as online marketplaces, app stores, collaborative economy platforms, and social media platforms.
The requirements for each category become progressively more stringent as they move closer to touching the actual consumer.
Intermediary service providers must have:
- A single point of contact for regulators and the public;
- A designated legal representative in the EU, even if the company is not established in the EU;
- Fair and transparent terms and conditions that address content moderation; and
- A mechanism to publish reports on content moderation and the removal of illegal or non-compliant content.
In addition to the above, hosting services must also have:
- “Notice and action” mechanisms that allow users to flag illegal content along with a sufficient explanation as to the reason it is illegal; and
- A way to communicate to the reporting user what action was taken against the reported content (e.g., restriction, removal, or termination) and why (or why not).
If hosting service providers become aware of content that could involve a threat to the life or safety of an individual or individuals, they must immediately inform law enforcement.
Finally, online platforms must adhere to all of the above and, in their “notice and action” mechanism, they must create a “trusted flagger” role for certain individuals who meet specific criteria, whose notifications must be acted on without delay.
It’s worth noting that the DSA lays out EU-wide rules that dictate that online service providers must put into place transparent mechanisms to detect, flag, and remove “illegal content” from their platform, but leaves the definition of illegal content to other laws at the EU or national level.
Tiered requirements based on size
Recognizing that the universe of online platforms and service providers is as large as it is diverse, the DSA takes the size of the organization and the risk it poses to consumers into account and tiers requirements accordingly. Following that principle, very large online platforms and very large online search engines — designated as those reaching at least 45 million active users in the EU — are held to higher accountability standards and obligations than other online platforms. In order to prevent abuse of their systems, these platforms are required to take risk-based action and conduct independent audits of their risk management systems.
On the other hand, small and micro enterprises — platforms with fewer than 50 employees or whose annual revenue does not exceed 10 million euros — are excluded from the most costly and burdensome obligations (e.g., audits) but are free to apply the best practices for a competitive advantage.
What information do I need to collect to be compliant with DSA?
If you host anyone selling or promoting goods or services, the DSA requires you to collect the following information before allowing them to promote messages or offer products or services on your platform:
- Name, address, telephone number, and email address
- Identity documentation
- Bank account details (for a person)
- Registration number (for a business)
What’s more, not only must sellers self-certify that they offer only products or services that comply with applicable laws, but you, as the online platform provider, must also make reasonable efforts to confirm the reliability of seller or trader information. If it’s inaccurate or incomplete, you are required to gather the correct information or stop the trader from participating on your platform. You may use official online databases or trustworthy supporting documents to verify traders’ information before reporting to Digital Services Coordinators, who are appointed by the EU and will ensure businesses are compliant.
Furthermore, if you become aware of an illegal product or service, you are required to inform the consumers who purchased these products or services of their illegality, the identity of the seller, and any means of redress.
What are the penalties for non-compliance?
The DSA imposes steep penalties for non-compliance: the maximum penalty for a failure to comply with the DSA’s obligations is 6% of a provider’s global annual gross revenues. If you knowingly supply incorrect, incomplete, or misleading information to a regulator, you may be subject to a maximum fine of 1% of global annual gross revenues. In addition, since both the DSA and the DMA have overlapping requirements with the GDPR, you could be hit with multiple violations if you don’t meet the compliance obligations.
Preparing your business for DSA
If your platform operates in the EU, you should evaluate whether your business already has mechanisms and procedures in place to ensure compliance with the DSA — or what changes you need to make to provide a safe, trustworthy, and transparent environment for consumers.
DSA requirements became obligatory for all platforms on February 17, 2024, making it critical to have answers to these questions and factor them into your compliance strategy:
- Do you already collect and verify the data you need from sellers for other reporting purposes like DAC7? If not, what do you need to do, process- and systems-wise, to collect and verify that data?
- Do you need to amend any terms and conditions (T&Cs) or posted consent policies to facilitate data collection from sellers and notification requirements?
- Which new or additional steps do you need to take to protect the data you collect?
- What is your current process for communicating with buyers and users of products and services available on your platform that are later deemed illegal?
- Are you subject to other regulations or laws that have similar collection, verification, and reporting requirements with which you can combine efforts?
How Persona can help
To help platform operators comply with the DSA, our no-code platform can be configured to quickly onboard, verify, and reverify any seller, trader, or merchant. You have the freedom to determine the information you’ll collect from sellers and how you’ll verify this data — whether it involves document verification, business verification, bank account verification, or any combination of techniques.
If you do business in the EU but are based in the U.S., you’re also in scope for compliance with the new INFORM Consumers Act, which takes aim at online fraud by adding more transparency to online transactions. You can use Persona’s Know Your Seller solution to comply with the INFORM Act, making Persona a valuable partner across your compliance efforts.