What You Can Learn From the EU's Digital Services Act (DSA) for Your Business

The European Union's Digital Services Act (DSA) went into effect on August 25th, 2023. The law is designed to protect consumer rights by preventing the spread of illegal content and disinformation online and requiring transparency in advertising.

This article explains what the EU DSA is, who it applies to, what it requires, and the steps small businesses can take to comply with the law and implement its lessons.

What is the EU's Digital Services Act (DSA)?

The EU DSA amends the EU's Electronic Commerce Directive 2000, a law that regulates online services in the EU. The EU DSA, along with the Digital Markets Act (DMA), is part of the Digital Services Act Package that was passed to protect EU consumers' rights and ensure a fair online market.

The EU DSA was created to:

• Prevent illegal online activities
• Stop harmful online behavior
• Restrict the spread of disinformation

The law provides protections for EU users and sets requirements for entities that provide internet services to help ensure a safe, fair, and transparent online platform environment.

Who Does the EU's Digital Services Act (DSA) Apply to?

The EU DSA applies to providers of digital services that do business in the EU, regardless of where they are based.

While the EU DSA sets specific rules for big businesses, all online intermediaries that offer their services to EU consumers (including small businesses that allow user-generated content on their websites or apps) should comply with EU DSA requirements.

The EU DSA covers a variety of online service providers that offer services to EU consumers, including:

• Marketplaces
• Social networks
• App stores
• Websites
• Online platforms
• Internet infrastructure service providers

Let's take a deeper look at the entities covered by the EU DSA.

Very Large Online Platforms and Very Large Online Search Engines

The EU DSA defines very large online platforms (VLOPs) and very large online search engines (VLOSEs) as those that are used by more than 10% of EU consumers each month - currently 45 million EU users per month.

As of August 2023, the EU DSA only applies to VLOPs and VLOSEs. However, all applicable platforms will need to comply with the law beginning February 17th, 2024.

Online Platforms That Unite Sellers and Consumers

The EU DSA defines an online platform as a hosting service that stores and disseminates information to the public on behalf of the person receiving the service.

Online platforms covered by the EU DSA include:

• Online marketplaces
• App stores
• Content-sharing platforms
• Social networks
• Travel and accommodation platforms

Hosting services include online cloud computing and web hosting services.

Intermediary service providers include internet providers and domain name registrars.

The EU DSA defines intermediary services as any of the following:

1. Mere conduit services: Allow access to or transmission of information over a communication network. Mere conduit services can include wireless access points, virtual private networks (VPNs), and domain name registrars.
2. Caching services: Transmit information over a communication network that involves temporary storage of the information, such as reverse and content adaptation proxies.
3. Hosting services: Store information in response to a user's request, such as cloud computing.

Section 29 of the EU DSA provides examples of mere conduit, caching, and hosting services:

What Does the EU's Digital Services Act (DSA) Require?

Let's take a look at the EU DSA's requirements for different categories of online service providers and what small businesses can do to comply with the law.

What Does the EU's Digital Services Act (DSA) Require for All Providers of Intermediary Services?

The EU DSA requires all providers of intermediary services to:

• Designate points of contact to communicate with authorities and users
• Assign a legal representative to be held liable for complying with the law
• Maintain an updated Terms and Conditions agreement

Let's break down each requirement and what steps you can take to comply.

Designate a Point of Contact to Communicate With Authorities

The EU DSA requires providers of intermediary services to designate a point of contact to communicate with EU Member States' authorities, the European Commission (the Commission), and the European Board for Digital Services (the Board).

Chapter 3, Section 1, Article 11 of the DSA explains that intermediary service providers need to create a point of contact specifically for communication with authorities:

To comply with this aspect of the EU DSA, you should establish a point of contact to communicate with authorities and make sure their contact info is publicly available, easily accessible, and kept up to date.

Provide Contact Information for Users

The EU DSA also requires providers of online intermediary services to give recipients of their services an easy method for contacting them.

The EU DSA states that users should be given choices when it comes to how they contact intermediary service providers, including an electronic means of communication, such as an email address or online contact form.

Article 12 of the EU DSA explains that intermediary service providers need to provide users with an easy way to contact them:

An effective means of complying with this requirement is to include your contact information within your legal agreements. You should include your business's name and email address at a minimum, but the more contact options you provide the better.

You can also put your contact information within a Contact page that is linked within your website's header or footer so that users can find it no matter what page of your site they are on.

You should appoint someone on your team to be responsible for regularly checking and responding to communications that you receive from users.

Here's how Hermes includes its email address, phone number, mailing address, and its Data Protection Officer's email address within its Privacy Policy:

Assign a Legal Representative

Any online intermediaries that offer services in the EU but aren't located in the EU must appoint a legal representative in one of the Member States where they provide services.

The legal representative should be able to communicate on the intermediary service provider's behalf with the Member States' authorities, the Commission, and the Board. The legal representative will be held liable for complying with the EU DSA.

The enforcing authority for the EU DSA in each Member State is its Digital Services Coordinator. Intermediary service providers must give their legal representative's contact information to the Digital Services Coordinator in the relevant Member State.

Article 13 of the DSA outlines the legal representative requirements for online intermediaries based outside of the EU:

There are a few steps you should take to comply with this requirement. If your business isn't established in the EU but offers services to EU residents, do the following:

1. Hire a legal representative who is based in one of the Member States where you provide services. Your legal representative should be able to communicate with the regulating authorities of the EU DSA on your behalf and take action to ensure compliance with the law.

2. Confirm that your legal representative's contact information is:

   • Accurate
   • Easily accessible to the public
   • Up to date
3. Send your legal representative's name, mailing address, email address, and phone number to their Member State's Digital Services Coordinator.

Maintain a Terms and Conditions Agreement

A Terms and Conditions agreement (also called Terms of Service or just Terms) is a document that outlines the rules that users must follow in order to use your services.

The EU DSA requires intermediary service providers to have a Terms and Conditions agreement that contains information about service restrictions users may face if they violate the agreement.

Article 14 of the EU DSA goes into detail about its Terms and Conditions requirements, including explaining potential restrictions and notifying users of any changes made to the agreement:

The best way to comply with this section of the EU DSA is by maintaining a clearly written, up-to-date Terms and Conditions agreement.

Your Terms and Conditions agreement should be:

• Easily accessible
• In machine-readable format
• Fairly enforced

Your Terms and Conditions agreement should include details about your policies and rules, an explanation of how content is moderated, and a description of your system for handling complaints.

If your service is directed at or mostly used by minors, your Terms and Conditions must be explained in a way that minors can understand.

You must also inform users of any changes you make to your Terms and Conditions agreement.

L'Oréal's Terms agreement outlines the code of conduct users must follow in order to use its website:

Here's an email that Skillshare sent to its users informing them about changes made to its Terms agreement. The email includes a link to its updated Terms of Service and a link to its Help Center for users who don't agree to the updated Terms of Service and wish to delete their accounts:

What Does the EU's Digital Services Act (DSA) Require for Providers of Hosting Services?

To comply with the EU DSA, providers of hosting services must:

• Provide a way for users to report suspected illegal content
• Explain decisions concerning illegal content or Terms and Conditions violations
• Notify authorities about suspected criminal activity

Provide Notification Mechanisms

The EU DSA requires hosting services to provide individuals with an easy-to-use, accessible way to report illegal content online.

The notification mechanism should include a statement that the individual believes they are providing accurate information, and should be designed so that individuals can:

• Explain why they think the content they found is illegal
• Show where the illegal content is located
• Include their name and email address

The provider of the hosting service should confirm receipt of the notification and respond with how they plan to remedy the situation as soon as possible.

Article 16 of the EU DSA explains that providers of hosting services must establish notification mechanisms that individuals or entities can use to submit notices concerning suspected illegal content:

To comply with this requirement, small businesses can maintain a contact or web form on their websites or include an email address within their legal agreements specifically for reporting suspected illegal content.

L'Oréal's Terms of Use agreement includes an email address and mailing address where users can send notifications about suspected illegal content, and describes what information the reports should contain:

Snapchat's Support page describes how EU users can report illegal content in-app, and includes a link to its illegal content reporting web form:

Explain Decisions Concerning Illegal Content or Breaches of Terms and Conditions

If a user posts illegal content or violates a hosting service provider's Terms and Conditions, the hosting service must send the user a statement of reasons explaining the decisions made regarding the violation.

Article 17 of the DSA describes what hosting service providers need to communicate to users who provide illegal content or violate the provider's Terms and Conditions:

To comply with this requirement you should contact users who have submitted illegal content or breached your Terms and Conditions to let them know the reasons for any decisions you made regarding the violation.

Your statement of reasons should include the following information:

• What decision you made concerning the illegal content (such as removal of the content or suspension of the user's account)
• Why the decision was made
• Whether automated means were used to help make the decision
• Why the content is considered illegal or a breach of your Terms and Conditions agreement
• Redress options

The DSA Transparency Database contains an archive of statements of reasons, including this one from TikTok that describes its reasons for deciding that a video was not eligible for recommendation in its For You feed:

Notify Officials About Suspected Criminal Activity

Providers of hosting services must notify law enforcement in the Member State where they believe criminal activity has happened, is happening, or is suspected to happen.

Article 18 of the DSA explains that hosting service providers need to contact their Member State's authorities if they suspect criminal activity:

To comply with this requirement you should contact local authorities in the Member State where you suspect criminal activity is taking place.

If you are not sure where the criminal activity is happening, you should contact law enforcement in the Member State where your company or your legal representative is based.

What Can Businesses Can Learn From the EU's Digital Services Act (DSA) Requirements for VLOPs and VLOSEs?

The EU DSA's rules depend on the size of the organization and the nature of the services it provides. Many of the EU DSA's requirements do not apply to what the law considers "micro or small enterprises."

A micro or small enterprise is any organization that meets the following criteria:

• Has less than 250 employees, and makes less than EUR 50 million/year and/or has an annual balance sheet total of EUR 43 million or less
• Employs less than 50 people, and has an annual turnover and/or annual balance sheet of EUR 10 million or less
• Has less than 10 employees, and an annual turnover and/or annual balance sheet of EUR 2 million or less

Although many of the EU DSA's rules only apply to VLOPs and VLOSEs, it's good business practice for companies of all sizes to follow these regulations.

Implementing the EU DSA's principles for larger entities can:

• Help companies that intend to scale to comply with the law
• Give smaller businesses a competitive edge by protecting users from harmful content

Let's explore some of the DSA's rules for VLOPs and VLOSEs and how you can apply insights from these requirements to benefit your small business.

Establish a System for Handling Complaints

Online platforms must offer users a way to submit complaints regarding decisions about Terms violations or illegal content.

An online platform's internal complaint-handling system should be free and easy to use. It should be made available to a user for at least six months from the date the user was informed about any decisions concerning illegal content or breaches of the platform's Terms and Conditions agreement.

Article 20 of the EU DSA explains that providers of online platforms must offer users access to an internal complaint-handling system:

To implement this, if your business takes actions against a user due to their use of illegal content or violation of your Terms and Conditions, you should give them a way to easily submit a complaint concerning your decision.

Offer Out-of-Court Dispute Settlement Options

The EU DSA gives EU citizens the right to choose an out-of-court dispute settlement body to resolve disputes concerning decisions made by an online platform.

Users can select any out-of-court settlement body that is certified by a Digital Services Coordinator to help resolve disputes.

Article 21 of the EU DSA explains that EU residents have the right to choose a certified out-of-court settlement body to facilitate dispute resolution:

To implement this, if you offer out-of-court dispute settlement options, you can use your legal agreements to inform users of how they can initiate the settlement process. Users should be able to easily access out-of-court settlement options online.

Prioritize Notices from Trusted Flaggers

A Digital Services Coordinator may give trusted flagger status to an entity that has experience handling illegal content. The EU DSA requires online platforms to prioritize notices from trusted flaggers.

Article 22 of the EU DSA explains that online platforms should prioritize notices from trusted flaggers and describes the conditions an entity must meet to receive trusted flagger status:

To implement this, small businesses should promptly process all notices of illegal content, and prioritize any notices they may receive from trusted flaggers.

Report Number of Monthly Active Users

The EU DSA requires providers of online platforms to publish their number of active monthly EU users (calculated as the average number of users over the previous six months) at least twice per year.

Article 24 of the DSA explains the law's transparency reporting requirements for online platforms:

To implement this, small businesses should keep track of the average number of active monthly EU users they have for each of their online platforms or search engines.

Microsoft maintains a web page with a table showing its average monthly number of active EU recipients of service:

Adopt Transparent Advertising Practices

The EU DSA requires VLOPs and VLOSEs to engage in transparent advertising practices.

VLOPs and VLOSEs must ensure their ads are clearly marked as such and include the following information:

• The person on whose behalf the advertisement is presented
• The person who paid for the ad
• How the audience was chosen for the ad, and how that information can be changed, if desired

Advertisements on online platforms cannot be presented to users based on profiling (the processing of users' personal data).

Article 26 of the EU DSA explains the advertising rules that online platforms must follow, including clearly identifying who funds an ad and how users can change the information used to determine an ad's audience:

To implement this, small businesses that advertise on their online platforms can label ads to help ensure their audience can tell the difference between ads and other content.

Here's an example of how you can identify ads with a label that shows users which content is sponsored:

Provide Additional Protection for Minors

The EU DSA requires online platforms to take steps to keep minors safe and prohibits the use of minors' personal data for targeted advertising.

Article 28 of the EU DSA explains that online platforms must have security measures in place to protect minors and cannot use minors' personal data for advertising purposes:

To implement this, if your business caters to minors, you should avoid collecting or using minors' personal information for advertising purposes.

You should provide online safety education to minors who use your services, and implement extra security measures to protect their personal information.

Facebook's Help Center describes the steps it takes to keep minors safe, including providing online safety education and protecting minors' sensitive information from public access:

Conduct Risk Assessments

The EU DSA requires VLOPs and VLOSEs to conduct regular audits of their systems to identify and mitigate certain risks. This includes the risk of dissemination of illegal content and any threats to the rights listed in the EU's Charter of Fundamental Rights (such as the rights to freedom of expression and human dignity).

Risks VLOPs and VLOSEs need to be aware of include those that threaten:

• Public security
• Civic discourse
• The electoral process
• Public health
• Minors
• Individuals' physical well-being

Article 34 of the DSA lists the risks that VLOPs and VLOSEs must be aware of when conducting risk assessments:

To implement this, small businesses should consider administering routine risk assessments to identify potential vulnerabilities in their systems or services that may require additional protective measures.

Publish Content Moderation Reports

The EU DSA requires providers of intermediary services to publish annual reports detailing their content moderation activities.

Intermediary service providers' content moderation reports should include:

• The number of orders received from Member States' authorities
• Content moderation activities
• The number of complaints received and how they were handled
• A description of any automated means of content moderation

Article 15 of the EU DSA explains that providers of intermediary and hosting services need to publish a yearly report outlining their content moderation activities:

To implement this, small businesses can keep records of their content moderation activities that detail the types of content they remove and how they handle any complaints they may receive.

TikTok's DSA Transparency Report contains a table that shows its content moderation activities, including the total amount of content removed automatically:

What Happens If You Don't Comply With the EU's Digital Services Act (DSA)?

The penalties for violating the EU DSA are set by each Member State and are not to exceed 6% of an intermediary service provider's gross revenue from the previous year.

Intermediary service providers may also face periodic penalties of up to 5% of their average daily gross revenue from the preceding year per day.

Article 52 of the EU DSA explains that penalties for violating the law are proportionate to the intermediary service provider's size:

Summary

The EU Digital Services Act (DSA) was created to prevent illegal and harmful online activities and reduce the dissemination of disinformation.

It applies to online intermediaries that do business in the EU, including:

• VLOPs and VLOSEs
• Online platforms
• Hosting services
• Intermediary service providers

The EU DSA's rules vary based on the size and function of online intermediaries. Its requirements include:

• Providing a point of contact specifically for authorities
• Providing contact information specifically for recipients of services
• Designating a legal representative if the entity is not based in the EU
• Maintaining an up-to-date Terms and Conditions agreement
• Providing users with notification mechanisms for reporting illegal content
• Giving affected users a statement of reasons explaining any decisions made concerning illegal content or Terms violations
• Alerting authorities about suspected criminal activity

Small businesses aren't required to comply with many of the EU DSA's requirements for VLOPs and VLOSEs, but implementing the associated lessons is good business practice for organizations of all sizes.

Some of the rules small businesses might want to consider applying include:

• Establishing an internal complaint-handling system
• Offering out-of-court dispute settlement options
• Prioritizing notices from trusted flaggers
• Recording their number of monthly users
• Adopting transparent advertising practices
• Protecting minors
• Conducting regular risk assessments
• Maintaining content moderation reports

Failure to comply with the EU DSA can result in fines of up to 6% of an organization's annual revenue from the previous year.