EU Digital Services Act (DSA) and Cookie Consent: A Publisher Compliance Guide for 2026

The Digital Services Act (DSA) is the EU's first comprehensive regulation of online platforms since the e-Commerce Directive, and after eighteen months of phased application it is now the day-to-day operational baseline for any publisher with a meaningful European audience. Where GDPR and ePrivacy govern the data layer — what you may collect, store, and share with whom — the DSA governs the platform layer: the algorithms that rank content, the advertising that funds it, the moderation systems that police it, and the user controls that protect minors and vulnerable audiences from manipulative design. The DSA does not replace GDPR. It runs alongside it, and the two regimes interact in ways that have material consequences for cookie consent, ad targeting, and CMP architecture. By 2026 the European Commission has resolved most of the early ambiguities through enforcement decisions and clarifying communications, and publisher legal teams have a settled framework to work from. This guide walks through what the DSA actually requires, how the targeted-advertising restrictions reshape consent flows, what the recommender-system opt-out means for content discovery, and the practical CMP and ad-stack changes a 2026-compliant EU publisher needs to have in place.

What the DSA Covers and Who It Applies To

The DSA is a regulation, not a directive — it has direct effect across all EU member states without needing national transposition. It came fully into force for very large online platforms and search engines in August 2023 and for everyone else in February 2024, which means publishers have now had two years of operational experience with the regime. The Act creates a tiered set of obligations based on size and platform type: micro and small enterprises are largely exempt, intermediary services have basic obligations, hosting providers face content-moderation duties, online platforms face additional transparency rules, and very large online platforms (over forty-five million EU monthly active users) face the strictest obligations including systemic-risk assessments and external audits.

Where Most Publishers Sit

The vast majority of publishers fall into the online-platform category — they host user-generated content (comments, forum posts, reader contributions), they serve advertising, and they recommend content through algorithmic feeds or related-articles modules. The online-platform tier is where the DSA becomes operationally relevant: targeted-advertising restrictions for minors, transparency obligations on ad delivery and targeting parameters, recommender-system explanations and opt-outs, and a notice-and-action regime for illegal content. Publishers above the very large online platform threshold add systemic-risk assessment, external-auditor-of-record obligations, and the requirement to give the Commission's vetted researchers access to platform data.

The Geographic Test

The DSA applies extraterritorially. A US publisher with European visitors is in scope the moment EU users can interact with the service — which is essentially every public-facing website. The test is not where the publisher is based but whether the service is offered to EU recipients. Mirroring GDPR, this catches most of the global publishing industry by default.

The Targeted-Advertising Restrictions

The DSA layer that matters most for cookie consent and ad operations is Article 26, which restricts targeted advertising in two specific ways that publishers must engineer around.

The Minor-Targeting Ban

The DSA prohibits targeted advertising to minors based on profiling using personal data. The prohibition applies whenever the publisher knows, or should reasonably know, that the recipient is a minor — which in practice means it kicks in for any signal a publisher could plausibly act on (a self-declared age, a parental-controls signal, a content category that strongly implies a young audience, an account flag from the publisher's own user system). The CMP must encode this restriction: even if a minor user accepts marketing cookies, the targeted-advertising path must default to off. The fallback is contextual advertising — ad selection based on the page content rather than user profiles — which most major SSPs and ad servers now expose as a first-class delivery mode.

The Sensitive-Data Ban

The DSA also prohibits targeted advertising based on profiling that uses special categories of personal data as defined in GDPR Article 9 — race, religion, political views, trade union membership, health, sex life, sexual orientation, biometric data, genetic data. The prohibition is absolute: consent does not unlock it. Publishers running content categories that touch any of these areas — health publishers, religious media, political news sites, LGBTQ+ publications — must ensure their ad-tech stack does not pass profile signals derived from this data to advertisers, even when the user has consented to all categories of marketing.

Operational Implications for the CMP

The CMP must encode the DSA restrictions as hard gates, not consent-state flips. A consent receipt that says 'all categories accepted' does not authorise targeted advertising to a minor or based on Article 9 data. The cleanest implementation routes the consent state, the minor signal, and the page's sensitive-content classification through a single decision function that sits between the CMP and the ad-tech vendors, and the function defaults to contextual delivery whenever any of the DSA gates fires.

The Recommender-System Opt-Out

Article 38 of the DSA requires online platforms that use recommender systems — algorithmic content ranking on feeds, related-article modules, video-up-next queues — to explain the main parameters of those systems and offer users at least one option that is not based on profiling. Publishers running personalised content discovery cannot make profiling the only available mode.

What the Non-Profiling Mode Looks Like

The non-profiling mode is typically a chronological feed, a popularity-ranked feed, or an editorially-curated feed that does not personalise based on the individual user's behaviour. The user must be able to switch to it through a clearly visible control — not buried in account settings — and the choice must be remembered for future sessions. Publishers should treat the recommender-system control as a first-class part of the consent UX, often surfaced through the same CMP interface that handles cookie preferences.

Transparency on Ranking Parameters

The platform must publish, in plain language, the main parameters its recommender system uses — recency, popularity, similarity to past behaviour, editorial weight, advertising relevance. The publication is typically a section in the privacy policy or a dedicated transparency page, and it should be specific enough that a regulator reading it can verify the description against actual platform behaviour. Vague language like 'we use machine learning to recommend content you might like' fails the standard.

How the DSA Layers on Top of GDPR and ePrivacy

The DSA does not replace GDPR or ePrivacy — it adds platform-level rules on top of them. The interactions are mostly additive but in two specific places they constrain what consent alone can authorise.

Consent Cannot Override DSA Bans

The minor-targeting ban and the Article 9 sensitive-data ban are absolute. A user cannot consent their way into receiving targeted advertising in either case. This is a meaningful design constraint for CMPs that historically treated consent as the universal unlock — under the DSA, the consent state is necessary but not sufficient, and the CMP architecture must reflect that.

Transparency Obligations Sit on Top of GDPR's

The DSA's ad-transparency obligations — clearly identifying ads, naming the advertiser, explaining the main targeting parameters used for the specific ad delivery — are independent of GDPR's transparency requirements and must be satisfied in the ad creative itself. Most publishers handle this through ad-server templates that inject the DSA ad-marker block into served creatives automatically.

Practical CMP and Ad-Stack Changes

The DSA-aware CMP and ad stack has a small number of repeatable elements that have stabilised across the major commercial platforms by 2026.

Minor-Signal Plumbing

The CMP must accept a minor signal from the publisher's user-account system, the page's content classification, or the parental-controls layer, and propagate the signal into the consent decision. Most CMPs now expose this as a 'minor' attribute on the consent receipt that the ad stack reads alongside the consent state. The signal flows downstream through Google Consent Mode v2, the IAB TCF v2.3 string, and any vendor-specific integration that supports it.

Sensitive-Content Classification

Publishers should run a content-classification pass on every page that maps it to the DSA's sensitive-data categories. The classification can be manual for editorial sites with structured taxonomies or automated for high-volume sites with NLP-based content tagging. The classification feeds the ad-stack's contextual fallback decision: a page tagged with a sensitive category routes to contextual ads only, regardless of consent state.
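One way to write the single decision function described under "Operational Implications for the CMP", fed by the minor signal and the page classification from the two subsections above. This is an added example, not code from any CMP or ad server; the field names (`declaredAge`, `parentalControls`, `accountMinorFlag`, `youngAudience`, `tags`), the tag spellings, the under-18 threshold and the fail-closed handling of unclassified pages are assumptions.

```javascript
// GDPR Article 9 categories as listed in this guide; the tag spellings are hypothetical.
const ARTICLE_9_TAGS = new Set([
  'race', 'religion', 'political-views', 'trade-union', 'health',
  'sex-life', 'sexual-orientation', 'biometric', 'genetic',
]);
const ADULT_AGE = 18; // assumption: "minor" means under 18

// Any single signal the publisher could act on is enough to fire the minor gate.
function minorSignals(user = {}) {
  const hits = [];
  if (Number.isFinite(user.declaredAge) && user.declaredAge < ADULT_AGE) hits.push('declared-age');
  if (user.parentalControls === true) hits.push('parental-controls');
  if (user.accountMinorFlag === true) hits.push('account-flag');
  return hits;
}

function decideAdMode({ consent = {}, user = {}, page = {} } = {}) {
  const gates = minorSignals(user).map((s) => `minor:${s}`);
  if (page.youngAudience === true) gates.push('minor:content-category');

  // Assumption: a page with no classification yet is treated as sensitive (fail closed).
  if (!Array.isArray(page.tags)) {
    gates.push('sensitive:unclassified');
  } else {
    for (const t of page.tags) if (ARTICLE_9_TAGS.has(t)) gates.push(`sensitive:${t}`);
  }

  // Gates are evaluated independently of consent: consent is necessary, not sufficient.
  const consented = consent.marketing === true;
  const mode = gates.length === 0 && consented ? 'targeted' : 'contextual';
  return { mode, gates, consented };
}

// Constructed sample requests covering each path through the function.
const SAMPLES = {
  adultNews:    { consent: { marketing: true },  user: { declaredAge: 34 },       page: { tags: ['sport'] } },
  minorAccept:  { consent: { marketing: true },  user: { accountMinorFlag: true }, page: { tags: ['sport'] } },
  healthPage:   { consent: { marketing: true },  user: { declaredAge: 40 },       page: { tags: ['health', 'diet'] } },
  noConsent:    { consent: { marketing: false }, user: {},                        page: { tags: ['travel'] } },
  unclassified: { consent: { marketing: true },  user: {},                        page: {} },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  const d = decideAdMode(req);
  console.log(name, d.mode, d.gates.join(',') || '-');
}
```

Returning the list of fired gates alongside the mode gives the ad stack an auditable reason for every contextual fallback.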

Recommender-System Toggle

The recommender-system opt-out should live in the same place as the consent banner's preferences view — most CMPs now expose a generic 'platform controls' module for this purpose. The toggle changes the user's session-level preference and, if the user is authenticated, their account-level preference. The downstream recommender service reads the preference on every ranking call.

Common DSA Mistakes That Trigger Findings

The DSA enforcement decisions through 2024 and 2025 have produced a clear list of patterns that lead to Commission inquiries. The CMP defaults the minor-targeting flag to false for every user without ever checking the publisher's own age signals. The recommender-system opt-out is buried three clicks deep in account settings rather than surfaced near the consent banner. The ad-creative ad-marker block is added to display ads but missed for video creatives. The sensitive-content classification covers obvious categories like health and religion but misses political news sites that nonetheless qualify under Article 9's political-views protection. The very large online platform tier publishes its systemic-risk assessment but treats it as a one-time exercise rather than the annual living document the DSA requires.

The Bottom Line

The DSA is the first major EU regulation since GDPR to materially reshape what publishers can do with the audience attention they have already collected consent for. The minor-targeting and Article 9 bans are absolute design constraints, not consent options. The recommender-system opt-out is a first-class user control that sits next to the cookie banner. The transparency obligations on ad delivery require ad-server templates that automatically inject the right markers into every served creative. None of this is optional, and none of it can be retrofitted in a hurry when an enforcement letter arrives. Publishers who built the DSA gates into their CMP and ad stack during the 2023-2024 phase-in are now operating cleanly; publishers who treated the DSA as a documentation exercise are spending 2026 in the Commission's enforcement queue. The work is moderate, the architecture is settled, and the consequences of skipping it are no longer hypothetical.
