DSA Dating Compliance Guide: EU Obligations 2026

Why Regulations Vary by Country

Different regions have different concerns and different levels of regulatory maturity.

The US has historically treated internet platforms with light regulation (Section 230 immunity). Europe takes a privacy-first, consumer-protection approach. The UK is developing online harms regulation. Australia is tightening requirements on foreign platforms.

None of these approaches are inherently better; they reflect regional values and history. Europe's stronger privacy stance comes from historical surveillance. Australia's local presence requirement reflects foreign tech skepticism. The US approach reflects tech-friendly policy.

For operators, this means:

• You can't have one global compliance framework
• Major regions require region-specific compliance
• Conflicting requirements sometimes force uncomfortable choices
• Operating globally costs 20-40% more for compliance than single-region operation

United States

The US has the lightest regulatory requirements among developed countries, but that's changing.

Key Regulations

Section 230 (Communications Decency Act): Platforms aren't liable for user-generated content. This gives dating apps significant protection from lawsuits about user behavior. However, this protection doesn't apply to your own actions (if you negligently fail to verify age, you can be sued).

FTC Act Section 5: Prohibits unfair or deceptive practices. Dating apps must have clear policies, honest representations, and reasonable security. Examples of violations:

• Claiming "real members" while mostly using bots (Match, eHarmony have been fined)
• Overstating success rates
• Unclear billing or cancellation policies

State laws: Dating apps are increasingly regulated at state level:

• California: CCPA (privacy), consumer protection laws
• Illinois: BIPA (biometric privacy, applies to photo verification)
• Texas, Florida: Age verification requirements for some platforms

AML/KYC (if you handle payments): Anti-money laundering requirements apply to money transmitters.

Age verification: Increasingly, states require platforms used by minors to implement age verification. Some states require this by default (assuming your platform might attract underage users).

Practical Requirements for US Operations

• Clear, honest terms of service
• Privacy policy explaining data collection and sharing
• Easy-to-use reporting system
• "Know your customer" for payment features
• Age verification (if your platform might be used by minors)
• Transparent cancellation policies
• Basic safety measures (you're not liable for everything, but gross negligence loses protection)

FTC Enforcement Examples

FTC has fined dating apps for:

• Misleading success rates (Match Group, $49M settlement)
• Bot messaging (Match Group, included in above)
• Unclear billing (Plenty of Fish, Badoo, others)
• Fake profiles (eHarmony, others)

Pattern: If you misrepresent your service or platform, FTC will fine you. If you're honest, you're mostly protected.

Cost of US Compliance

For early-stage: Basic terms, privacy policy, reporting system. Total cost: $5-10k (legal review).

For scaling: Add payment compliance, state-specific law analysis, ongoing legal counsel. Cost: $25-50k/year.

European Union

The EU has the most comprehensive regulatory framework for dating platforms.

Key Regulations

GDPR (General Data Protection Regulation): Applies to any platform collecting personal data from EU residents. Core requirements:

• Legal basis for processing: You need consent, legitimate interest, or contract to collect data
• Data minimization: Collect only what you need
• Right to erasure: Users can request their data deleted
• Data portability: Users can request data in portable format
• Privacy by design: Build privacy into your system, not as afterthought
• Data Protection Impact Assessment: For high-risk processing (facial recognition, behavioral analysis)
• Data Processing Agreement: If using vendors, have written agreements

Non-compliance penalties: Up to 20 million euros or 4% of global revenue, whichever is higher.

5AMLD and 6AMLD (Anti-Money Laundering): If you handle payments, you need KYC, transaction monitoring, and SAR filing (covered separately in this pillar).

Digital Services Act (DSA): Enacted 2024, applies to platforms with 45+ million EU users. Requires:

• Clear community guidelines
• Transparent moderation processes
• Appeals mechanism for moderation decisions
• Annual compliance reports

Digital Markets Act (DMA): If you're a "gatekeeper" (significant market power), you face additional requirements. Most dating apps aren't gatekeepers (you're not a dominant player), but large companies should assess.

ePrivacy Directive: Governs email marketing, cookies, and tracking. Key requirement: explicit consent before placing cookies.

Age Verification in EU

No EU-wide age verification requirement yet, but individual countries are moving toward it:

• Germany: Age verification required for adult content
• France: Exploring age verification requirements

Expect EU-wide requirement soon. Current practice: robust age verification for users claiming 18+.

GDPR Compliance Costs

• Initial compliance: $30-100k (legal review, policy development, technical implementation)
• Ongoing: $15-50k/year (DPA management, breach notification procedures, impact assessments)

Data Transfer Challenges

GDPR has restrictions on transferring EU resident data outside the EU. Post-Schrems II ruling (2020), transfers to US are legally uncertain. Common approaches:

1. Store EU data in EU: Operate separate EU database (expensive, complex)
2. Standard Contractual Clauses (SCC): Enter data processing agreements using EU-approved SCCs (requires legal review, some uncertainty remains)
3. Data residency: Use EU-based cloud providers (AWS EU regions, etc.)

Most platforms use SCC approach with EU-based servers for primary data, accepting residual legal risk.

United Kingdom

Post-Brexit, the UK has its own regulatory path diverging from EU.

Key Regulations

Online Safety Bill / Online Safety Act: Passed 2023, takes effect 2025. First dedicated "online harms" regulation.

Core requirements:

• User safety duty: Platforms must protect users from harm (illegal content, online harassment, harmful behavior)
• Duty of care: Implement reasonable safeguarding measures
• Transparency: Explain how you moderate content, who your moderation team is
• Complaints system: Handle user complaints about moderation decisions
• Age-appropriate design: If your platform is used by children, design it for safety

Enforcement: Ofcom (regulator) can fine up to 5% of revenue or 50 million pounds, whichever is higher. Can potentially block the platform.

GDPR/UK GDPR: Post-Brexit, UK has its own GDPR version. Functionally similar but slightly different enforcement.

Online Pornography Age Verification: Online adult content (which some dating profiles might be) requires age verification mechanisms.

Key Differences from EU

• Less prescriptive (DSA has detailed requirements; UK approach is principles-based)
• Faster pace (Ofcom enforcing aggressively from day one)
• Age verification more explicitly required

Cost of UK Compliance

Similar to EU but add:

• Ofcom impact assessments
• Age verification implementation
• Enhanced user safety documentation
• Cost: $40-60k initial, $20-40k ongoing

Australia

Australia is increasingly tightening requirements on foreign platforms and requiring local presence.

Key Regulations

eSafety Commissioner: Regulates online safety. Can issue removal notices for harmful content and fine companies up to 50 million AUD (about 33 million USD).

Age Verification: Age restrictions on adult content and social media platforms with many underage users. Law passed in 2024 requires age verification for social media access (though implementation is debated).

News Media Bargaining Code: If your platform shares news content, you may owe payments to news publishers.

Notifiable Data Breaches: Notify users of data breaches affecting personal information.

Australian Consumer Law: Prohibits misleading conduct, requires honest representations, and consumer protection.

Local Presence Requirement: No explicit legal requirement, but Australian regulators increasingly expect platforms to have local presence (registered office, local customer service, local compliance contact).

Practical Requirements

• Comply with eSafety Commissioner (if contacted, you must respond)
• Age verification for access (if targeting users 18+)
• Data breach notification
• Local privacy policy in plain Australian English
• Australian business registration or local registered agent
• Responsive customer service (don't ignore Australian user complaints)

Cost of Australia Compliance

• Initial: $10-20k (privacy policy, age verification research, local registration)
• Ongoing: $5-15k/year (monitoring eSafety Commissioner guidance, updates)

Australia's requirements are lighter than EU or UK but enforcement is tightening.

Quick Comparison Table

!International regulatory landscape showing differences by region *International regulatory landscape showing differences by region*

Building a Global Compliance Strategy

You can't serve global users with global compliance. You need region-specific strategies.

Approach 1: Geo-blocking

Easiest but limits market: Block users from high-regulation countries, serve only low-regulation regions.

Pros: Simple, low cost Cons: Lose 50% of potential market; competitors serve those regions

Not recommended unless you're very early stage.

Approach 2: Regional Implementation

Serve global users but implement region-specific features/policies:

US approach: Minimal moderation, basic age verification, payment compliance EU approach: Strong data protection, transparent moderation, age verification UK approach: Strong online harms framework, user safety investment Australia approach: Basic compliance plus local presence

Same platform, different feature sets by region.

Implementation: Feature flags or server-side logic based on user location.

Cost: 20-30% additional engineering and compliance

Approach 3: Separate Platforms

Different branded platforms for different regions, each optimized for that region's regulations.

E.g., your platform operates as "DatingCo US" in America, "DatingCo EU" in Europe with separate data, moderation, and policies.

Pros: Maximum optimization for each region Cons: High cost, complex operations, brand confusion

Not recommended unless you're large and well-funded.

Recommended Strategy for Startups

1. Launch in US: Easiest regulatory path, largest market, lowest compliance cost
2. Expand to UK: Similar language, comparable user base, moderate compliance cost
3. Expand to EU: Highest compliance cost, but largest addressable market
4. Expand to Australia: Smaller market, wait until you have infrastructure

Timeline: 18-24 months between each major region. Don't try to launch globally day one.

Key Takeaways

• Dating platform regulation is fragmenting globally. You need region-specific compliance, not global one-size-fits-all.
• US is lightest regulation (Section 230 protection, minimal data protection) but state laws are tightening.
• EU is most rigorous (GDPR, DSA, coming age verification). Budget 40% of compliance budget just for EU.
• UK has new Online Safety Act requiring strong moderation transparency and user safety investment.
• Australia is emerging with eSafety Commissioner powers and local presence expectations.
• Start with one region (US is easiest), expand methodically. Don't try to launch globally day one.
• When expanding, conduct legal analysis for each region and budget 15-30% of engineering time for compliance work.
• The regulatory environment is tightening everywhere. What's optional today may be required next year.

Global scale is valuable but expensive. Plan for it.

Cross-link to: GDPR Compliance for Dating, Online Safety Act, Age Verification for Dating