OTAs and digital travel platforms face the convergence of traditional tourism regulation with European digital regulation. The Digital Markets Act (DMA), the Platform-to-Business Regulation (P2B), the Digital Services Act (DSA), the Data Act and the GDPR overlap with sector-specific tourism law to create one of the most complex regulatory frameworks in the European business environment.
At Mylegalinbox we advise OTAs, metasearch engines, booking platforms and digital travel distributors. We understand both tourism regulation and digital regulation — and above all, how they interact in practice. Amadeus is a client of ours.
The European regulation that most affects OTAs
The DMA: impact on OTAs and distribution platforms
The DMA came into application in May 2023 and regulates the practices of large designated gatekeepers. Mid-sized OTAs are not themselves gatekeepers, but the DMA affects them in two ways: as businesses that work with gatekeepers (Google, Apple, Amazon) and as business models under close regulatory scrutiny.
Rate parity clauses — prohibited by the DMA for gatekeepers and increasingly challenged by competition authorities for all platforms — are the clearest example. The CNMC’s sanction against Booking.com and proceedings opened in other European countries mark the direction of travel. We audit your contractual terms with hotel suppliers to ensure compliance.
The P2B Regulation: transparency for B2B2C platforms
Regulation (EU) 2019/1150 applies to all online intermediation platforms offering services to businesses. For an OTA, this means concrete obligations: transparency in search result rankings, clear contract termination conditions, access to data generated on the platform and dispute resolution mechanisms.
We review your terms and conditions for business users (hotels, activity providers, etc.) to ensure compliance with the P2B Regulation, and design the dispute resolution system required by the regulation.
The Data Act: travel data as a regulated asset
The Data Act, applicable from September 2025, regulates access to and sharing of data generated by connected devices and digital services. For OTAs, which generate enormous volumes of booking, preference and traveller behaviour data, the Data Act creates new portability and access obligations.
At Mylegalinbox we have published a practical guide to the Data Act for TravelTech businesses. We advise on the review of data supplier contracts, the design of a Data Act-compliant data architecture, and the management of access requests.
GDPR for OTAs: the specificities of travel data
OTAs process particularly sensitive categories of data: payment data, travel data (which can reveal information about health, religion or the personal life of the traveller), data relating to minors in family bookings, and location data. The GDPR requires a specific level of protection for each category.
We design GDPR compliance programmes specifically for OTAs: data flow mapping, data processing agreements, Data Protection Impact Assessments (DPIAs) for higher-risk processing activities, and breach response protocols.
Supplier contracts: hotels and airlines
Hotel contracts: the balance of power in digital distribution
OTAs have a position of power in the relationship with hotels, particularly independent properties. But that position has legal limits: the DMA, competition case law and platform regulation impose restrictions on what conditions can be required and how.
We design your platform’s standard contracts with hotels to ensure compliance with the current regulatory framework, and advise on the management of disputes with suppliers who challenge your terms.
Airline contracts and GDS agreements
OTAs selling flights have additional obligations arising from civil aviation law, Regulation (EC) No 261/2004 on passenger rights, and specific agreements with airlines. We review your contracts with airlines and GDS providers (Amadeus, Sabre, Travelport), and advise on the management of passenger claims arising from cancellations, delays and overbooking.
Legal and tax structure of an OTA in Spain
The legal and tax structure of an OTA depends on its business model: whether it acts as a commission agent, as a principal in its own name, or as an intermediation platform without direct liability. Each model has a different tax treatment — particularly for VAT — and a different legal exposure.
We advise on the choice and documentation of the correct business model, with particular attention to its tax implications in Spain and in the countries where the OTA operates or where its main clients are based.
International expansion of travel platforms
An OTA wishing to operate in new markets requires jurisdiction-specific legal analysis: local establishment requirements, applicable tourism licences, compliance with local consumer protection law, VAT obligations in the client’s country, and adaptation of general terms to local law.
We have experience of expansions into the USA, Latin America, the Middle East and Asia, and work with first-rate local firms in each market.
Frequently asked questions
Are rate parity clauses prohibited for all OTAs in Spain?
The legal position is complex. The DMA prohibits broad parity clauses for designated gatekeepers. The CNMC has acted against Booking.com under Spanish competition law. The regulatory direction is clear, but the precise status of different parity models for mid-sized OTAs requires specific analysis.
Does the Data Act require OTAs to share their booking data with hotels?
The Data Act creates data access rights for users of digital services and, in certain cases, for businesses that generate data using the platform. If a hotel generates data on an OTA’s platform, it may have a right of access to some of that data. The precise scope of this right is currently subject to regulatory interpretation across Europe.
What happens if a traveller claims compensation for a cancelled flight booked through my OTA?
It depends on whether the OTA is acting as a package travel organiser or as a pure intermediary. If there is a package, the OTA has direct liability to the consumer under the Package Travel Directive. If it is acting as an intermediary, primary liability rests with the airline — but the contract with the user must be precisely drafted for that distinction to be effective in the event of a claim.
Contact us to discuss your DMA, P2B and Data Act exposure. Free initial consultation: information@mylegalinbox.com