ByteDance's Second DMA Compliance Workshop: A Short Sequel to Season 2 of Compliance

The Digital Markets Act (DMA) became entirely applicable on 7 March 2024 for most gatekeepers. By then, the gatekeepers issued their compliance reports documenting their technical solutions and implementation of the DMA’s provisions under Article 11 DMA, as well as their reports on consumer profiling techniques as required under Article 15 DMA. A year later, six gatekeepers submitted an update to the first version of their compliance reports (they can be found here).

I will be covering this year’s compliance workshops held by the European Commission, where the gatekeeper representatives meet stakeholders to discuss their compliance solutions to the DMA’s obligations (and the updates they introduced since 2024). You’ll be able to find a previous feature of the newsletter relating to Apple’s and Google’s workshops here and here. In this instalment, I’ll review ByteDance’s short compliance workshop before the European Commission and stakeholders.

Fairness tick, tock, and data-related obligations

The workshop held by the EC to provide ByteDance (TikTok’s parent company) with the opportunity to explain its compliance solutions was short-lived. Although the workshop spanned two different sessions, the first one touched upon the DMA implementations and developments that the gatekeeper followed throughout the last year, since March 2024.

In the second session, TikTok’s representatives presented TikTok Shop (its e-commerce feature integrated into its social network), TikTok Studio (its app consolidating its creator tools into one accessible location), and the rest of its TikTok business-facing features, without providing many detail on how those interplay with the regulation at hand. Not without reason. The EC only designated ByteDance’s TikTok as a social networking service CPS in September 2023 and decided not to designate TikTok Ads as an additional CPS in May 2024. As the gatekeeper pointed out in the 2025 version of its compliance report, TikTok Shop is “integrated within the existing TikTok online social networking service and not ‘provided separately’” (page 18 of the compliance report). As such, it does not even amount to a service provided separately from TikTok, and no DMA provisions were triggered as a result, despite the fact that the gatekeeper treats it as such by expanding the application of its Article 5(2)(b) consent moment.

On the side of the provisions that are applicable to the gatekeeper’s CPS, ByteDance’s legal representatives provided updates on the implementation surrounding Articles 5(2), 6(9), 6(10) and 6(12) DMA, since those are the main obligations compelling it to tweak its business model.

Not many developments were presented or introduced by the gatekeeper at the workshop. For instance, its approach towards the prohibition on combinations and cross-uses of personal data across its CPSs and other services has stayed the same, even though it introduced a similar consent prompt for TikTok Shop for combinations of data with its social network (page 12 of the compliance report). Asked by participants to the workshop, the gatekeeper confirmed that its other services (such as TikTok Ads) also apply a similar consent mechanism in two different tiers: i) personalised ads, where users consent to the delivery of ads based on both TikTok data and data obtained outside of the social network; and ii) generic ads, where users consent to the delivering of ads only based on TikTok data (page 14 of the compliance report). On the topic of Article 5(2) DMA, TikTok confirmed that it does not integrate comparable AI features and LLMs to those catered by Google and Microsoft via Gemini and Copilot, and, as such, no further intervention is required from it.

Moreover, the portability tools introduced by ByteDance as a consequence of the implementation of Article 6(9) DMA, i.e., the Data Portability API, posed a main issue of disagreement with stakeholders. In its presentation, ByteDance confirmed that it approved all API applications for third parties to port the data of users in a variety of use cases, such as cross-posting to multiple platforms, message interoperability, personal data management, or data broker services. According to the gatekeeper, those applications stand in the double digits, and the functionality was extended to UK users. In a similar vein, the gatekeeper asserted that it had not received any negative feedback on the functioning of its Data Portability API, but stakeholders did not seem to agree. Pursuant to their comments, portability of data by third-party business users does not deliver an agreeable result since, at times, the data does not deliver an adequate format, i.e., URLs relating to the content viewed by the user containing a numerical identifier that does not provide any description about the content in particular. Similar concerns were voiced out by stakeholders experiencing significant delays in the communication with the TikTok team to facilitate the porting of data as well as relating to the response times for the applications submitted by third parties exercising the rights enshrined in Article 6(9). ByteDance’s legal representatives did not provide any particular response to those concerns, despite redirecting them to the DMA developer feedback site so that they could be addressed by the appropriate teams (included within a footnote on the compliance report on page 11).

Finally, the gatekeeper also highlighted the changes it had made with respect to its implementation of Article 6(12), requiring it to make the general conditions of access consistent with FRAND principles. ByteDance introduced a Union-based alternative dispute resolution mechanism (ADRM) back in 2024, offering an independent and impartial resolution of disputes (pages 49-50 of the 2024 version and pages 51-52 of the 2025 version of the compliance report). At that time (and until now), ByteDance established two alternatives for business users to choose from; either they could refer the dispute to the International Chamber of Commerce (ICC) or to the Centre for Effective Dispute Resolution (CEDR). Additionally, when using the ADRM, business users bear their own costs limited to their share of fees as attributed by the standardised mediation rules developed by ICC or CEDR and their legal representation costs.

Following its regulatory dialogue with the EC, ByteDance’s legal representatives confirmed that it had reached a formal agreement with CEDR to handle all DMA business user mediations. Additionally, from now on, TikTok will cover all CEDR fees for business users seeking redress via ADRM. The changes had already been published prior to the compliance workshop, and users had been notified on the Main Terms of Service landing page, but the effectiveness of the updated terms was delayed until the 25th of July of this year.

Short and crisp, the compliance workshop was completed in the span of two hours, with more or less the same questions looming on the stakeholders’ (and EC’s) minds since it started.

_____

This is a re-post of the original piece published on The DMA Agora.