Cookie pop-ups getting you down? Complaints that the web is ‘unusable’ in Europe because of frustrating and confusing ‘data choices’ notifications that get in the way of what you’re trying to do online certainly aren’t hard to find.

What is hard to find is the ‘reject all’ button that lets you opt out of non-essential cookies which power unpopular stuff like creepy ads. Yet the law says there should be an opt-out clearly offered. So people who complain that EU ‘regulatory bureaucracy’ is the problem are taking aim at the wrong target.

EU law on cookie consent is clear: Web users should be offered a simple, free choice — to accept or reject.

The problem is that most websites simply aren’t compliant. They choose to make a mockery of the law by offering a skewed choice: Typically a super simple opt-in (to hand them all your data) vs a highly confusing, frustrating, tedious opt-out (and sometimes even no reject option at all).

Make no mistake: This is ignoring the law by design. Sites are choosing to try to wear people down so they can keep grabbing their data by only offering the most cynically asymmetrical ‘choice’ possible.

However since that’s not how cookie consent is supposed to work under EU law sites that are doing this are opening themselves to large fines under the General Data Protection Regulation (GDPR) and/or ePrivacy Directive for flouting the rules.

See, for example, these two whopping fines handed to Google and Amazon in France at the back end of last year for dropping tracking cookies without consent…

While those fines were certainly head-turning, we haven’t generally seen much EU enforcement on cookie consent — yet.

This is because data protection agencies have mostly taken a softly-softly approach to bringing sites into compliance. But there are signs enforcement is going to get a lot tougher. For one thing, DPAs have published detailed guidance on what proper cookie compliance looks like — so there are zero excuses for getting it wrong.

Some agencies had also been offering compliance grace periods to allow companies time to make the necessary changes to their cookie consent flows. But it’s now a full three years since the EU’s flagship data protection regime (GDPR) came into application. So, again, there’s no valid excuse to still have a horribly cynical cookie banner. It just means a site is trying its luck by breaking the law.

There is another reason to expect cookie consent enforcement to dial up soon, too: European privacy group noyb is today kicking off a major campaign to clean up the trashfire of non-compliance — with a plan to file up to 10,000 complaints against offenders over the course of this year. And as part of this action it’s offering freebie guidance for offenders to come into compliance.

Today it’s announcing the first batch of 560 complaints already filed against sites, large and small, located all over the EU (33 countries are covered). noyb said the complaints target companies that range from large players like Google and Twitter to local pages “that have relevant visitor numbers”.

“A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button,” said noyb chair and long-time EU privacy campaigner, Max Schrems, in a statement.

“Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than fifteen common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page,” he added. “We focus on popular pages in Europe. We estimate that this project can easily reach 10,000 complaints. As we are funded by donations, we provide companies a free and easy settlement option — contrary to law firms. We hope most complaints will quickly be settled and we can soon see banners become more and more privacy friendly.”

To scale its action, noyb developed a tool which automatically parses cookie consent flows to identify compliance problems (such as no opt out being offered at the top layer; or confusing button coloring; or bogus ‘legitimate interest’ opt-ins, to name a few of the many chronicled offences); and automatically create a draft report which can be emailed to the offender after it’s been reviewed by a member of the not-for-profit’s legal staff.

It’s an innovative, scalable approach to tackling systematically cynical cookie manipulation in a way that could really move the needle and clean up the trashfire of horrible cookie pop-ups.

noyb is even giving offenders a warning first — and a full month to clean up their ways — before it will file an official complaint with their relevant DPA (which could lead to an eye-watering fine).

Its first batch of complaints are focused on the OneTrust consent management platform (CMP), one of the most popular template tools used in the region — and which European privacy researchers have previously shown (cynically) provides its client base with ample options to set non-compliant choices like pre-checked boxes… Talk about taking the biscuit.

A noyb spokeswoman said it’s started with OneTrust because its tool is popular but confirmed the group will expand the action to cover other CMPs in the future.

The first batch of noyb’s cookie consent complaints reveal the rotten depth of dark patterns being deployed — with 81% of the 500+ pages not offering a reject option on the initial page (meaning users have to dig into sub-menus to try to find it); and 73% using “deceptive colors and contrasts” to try to trick users into clicking the ‘accept’ option.

noyb’s assessment of this batch also found that a full 90% did not provide a way to easily withdraw consent as the law requires.

Cookie compliance problems found in the first batch of sites facing complaints (Image credit: noyb)

It’s a snapshot of truly massive enforcement failure. But dodgy cookie consents are now operating on borrowed time.

Asked if it was able to work out how prevalent cookie abuse might be across the EU based on the sites it crawled, noyb’s spokeswoman said it was difficult to determine, owing to technical difficulties encountered through its process, but she said an initial intake of 5,000 websites was whittled down to 3,600 sites to focus on. And of those it was able to determine that 3,300 violated the GDPR.

That still left 300 — as either having technical issues or no violations — but, again, the vast majority (90%) were found to have violations. And with so much rule-breaking going on it really does require a systematic approach to fixing the ‘bogus consent’ problem — so noyb’s use of automation tech is very fitting.

More innovation is also on the way from the not-for-profit — which told us it’s working on an automated system that will allow Europeans to “signal their privacy choices in the background, without annoying cookie banners”.

At the time of writing it couldn’t provide us with more details on how that will work (presumably it will be some kind of browser plug-in) but said it will be publishing more details “in the next weeks” — so hopefully we’ll learn more soon.

A browser plug-in that can automatically detect and select the ‘reject all’ button (even if only from a subset of the most prevalent CMPs) sounds like it could revive the ‘do not track’ dream. At the very least, it would be a powerful weapon to fight back against the scourge of dark patterns in cookie banners and kick non-compliant cookies to digital dust.

The European Union plans to beef up its response to online disinformation, with the Commission saying today it will step up efforts to combat harmful but not illegal content — including by pushing for smaller digital services and adtech companies to sign up to voluntary rules aimed at tackling the spread of this type of manipulative and often malicious content.

EU lawmakers pointed to risks such as the threat to public health posed by the spread of harmful disinformation about COVID-19 vaccines as driving the need for tougher action.

Concerns about the impacts of online disinformation on democratic processes are another driver, they said.

A new more expansive code of practice on disinformation is now being prepared — and will, they hope, be finalized in September, to be ready for application at the start of next year.

The Commission’s gear change is a fairly public acceptance that the EU’s voluntary code of practice — an approach Brussels has taken since 2018 — has not worked out as hope. And, well, we did warn them.

A push to get the adtech industry on board with demonetizing viral disinformation is certainly overdue.

It’s clear the online disinformation problem hasn’t gone away. Some reports have suggested problematic activity — like social media voter manipulation and computational propaganda — have been getting worse in recent years, rather than better.

However getting visibility into the true scale of the disinformation problem remains a huge challenge given those best placed to know (ad platforms) don’t freely open their systems to external researchers. And that’s something else the Commission would like to change.

Signatories to the EU’s current code of practice on disinformation are:

Google, Facebook, Twitter, Microsoft, TikTok, Mozilla, DOT Europe (Former EDiMA), the  World  Federation  of Advertisers  (WFA) and its Belgian counterpart, the  Union  of  Belgian  Advertisers  (UBA);  the  European Association of Communications Agencies (EACA), and its national members from France, Poland and the Czech Republic — respectively, Association   des   Agences   Conseils   en   Communication   (AACC), Stowarzyszenie Komunikacji Marketingowej/Ad Artis Art Foundation (SAR), and Asociace Komunikacnich Agentur (AKA); the Interactive Advertising Bureau (IAB Europe), Kreativitet & Kommunikation, and Goldbach Audience (Switzerland) AG.

EU lawmakers said they want to broaden participation by getting smaller platforms to join, as well as recruiting all the various players in the adtech space whose tools provide the means for monetizing online disinformation.

Commissioners said they want to see the code covering a “whole range” of actors in the online advertising industry (i.e. rather than the current handful).

It’s certainly notable that the digital advertising industry body Internet Advertising Bureau is not on that list. (We’ve reached out to the IAB Europe to ask if it’s planning to join the code and will update this report with any response.)

In its press release today the Commission also said it wants platforms and adtech players to exchange information on disinformation ads that have been refused by one of them — so there can be a more coordinate response to shut out bad actors.

As for those who are signed up already, the Commission’s report card on their performance was bleak.

Speaking during a press conference, internal market commissioner Thierry Breton said that only one of the five platform signatories to the code has “really” lived up to its commitments — which was presumably a reference to the first five tech giants in the above list (aka: Google, Facebook, Twitter, Microsoft and TikTok).

Breton demurred on doing an explicit name-and-shame of the four others — who he said have not “at all” done what was expected of them — saying it’s not the Commission’s place to do that.

Rather he said people should decide among themselves which of the platform giants that signed up to the code have failed to live up to their commitments. (Signatories since 2018 have pledged to take action to disrupt ad revenues of accounts and websites that spread disinformation; to enhance transparency around political and issue-based ads; tackle fake accounts and online bots; to empower consumers to report disinformation and access different news sources while improving the visibility and discoverability of authoritative content; and to empower the research community so outside experts can help monitor online disinformation through privacy-compliant access to platform data.)

Frankly it’s hard to imagine who from the above list of five tech giants might actually be meeting the Commission’s bar. (Microsoft perhaps, on account of its relatively modest social activity vs the others.)

Safe to say, there’s been a lot of more hot air (in the form of selective PR) on the charged topic of disinformation vs hard accountability from the major social platforms over the past three years.

So it’s perhaps no accident that Facebook chose today to puff up its historical efforts to combat what it refers to as “influence operations” — aka “coordinated efforts to manipulate or corrupt public debate for a strategic goal” — by publishing what it couches as a “threat report” detailing what it’s done in this area between 2017 and 2000.

Influence ops refer to online activity that may be being conducted by hostile foreign governments or by malicious agents seeking, in this case, to use Facebook’s ad tools as a mass manipulation tool — perhaps to try to skew an election result or influence the shape of looming regulations. And Facebook’s ‘threat report’ states that the tech giant took down and publicly reported only 150 such operations over the report period.

Yet as we know from Facebook whistleblower Sophie Zhang, the scale of the problem of mass malicious manipulation activity on Facebook’s platform is vast and its response to it is both under-resourced and PR-led. (A memo written by the former Facebook data scientist, covered by BuzzFeed last year, detailed a lack of institutional support for her work and how takedowns of influence operations could almost immediately respawn — without Facebook doing anything.)

NB: If it’s Facebook’s “broader enforcement against deceptive tactics that do not rise to the level of [Coordinate Inauthentic Behavior]” that you’re looking for, rather than efforts against ‘influence operations’, it has a whole other report for that — the Inauthentic Behavior Report! — because of course Facebook gets to mark its own homework when it comes to tackling fake activity, and shapes its own level of transparency since there are no legally binding reporting rules on disinformation.

Legally binding rules on handling online disinformation aren’t in the EU’s pipeline either — but commissioners said today that they wanted a beefed up and “more binding” code.

They do have some levers to pull here via a wider package of digital reforms that’s coming (aka the Digital Services Act).

The DSA will bring in legally binding rules for how platforms handle illegal content and they intend the tougher disinformation code to plug into that (in the form of what they call a “co-regulatory backstop for the measures that will be included in the revised and strengthened Code”).

It still won’t be legally binding but it may earn compliant platforms wider DSA ‘credit’. So it looks like disinformation-muck-spreaders’ arms are set to be twisted in a pincer regulatory move by making sure this stuff is looped into the legally binding DSA.

Still, Brussels maintains that it does not want to legislate around disinformation.

The risks are that a centralized approach might smell like censorship — and it sounds keen to avoid that charge at all costs.

The digital regulation packages the EU has put forward since the 2019 collage took up its mandate aim generally to increase transparency, safety and accountability online, its values and transparency commissioner, Vera Jourova, said today.

Breton also said that now is the “right time” to deepen obligations under the disinformation code — with the DSA incoming — and also to give the platforms time to adapt (and involve themselves in discussions on shaping additional obligations).

In another interesting remark he also talked about regulators needing to “be able to audit platforms” — in order to be able to “check what is happening with the algorithms that push these practices”. Though quite how audit powers can be made to fit with a voluntary, non-legally binding code of practice remains to be seen.

Discussing areas where the current code has fallen short Jourova pointed to inconsistencies of application across different EU Member States and languages.

She also said the Commission is keen for the beefed up code to do more to enable and empower users to act when they see something dodgy online — such as by providing users with tools to flag problem content.

Platforms should also provide users with the ability to appeal disinformation content takedowns (to avoid the risk of opinions being incorrectly removed).

The focus for the code would be on tackling false “facts not opinions”, she emphasized, saying the Commission wants platforms to “embed fact-checking into their systems” and for the code to work towards a “decentralized care of facts”.

She went on to say that the current signatories to the code haven’t provided external researchers with the kind of data access the Commission would like to see — to support greater transparency into (and accountability around) the disinformation problem.

The code does require either monthly (for COVID-19 disinformation), six monthly or yearly reports from signatories (depending on the size of the entity) but what’s being provided so far doesn’t add up to a comprehensive picture of disinformation activity and platform reaction, she said.

She also warned that online manipulation tactics are fast evolving and highly innovative — while saying the Commission would nonetheless like to see signatories agree on a set of identifiable “problematic techniques” to help speed up responses.

EU lawmakers will be coming with a specific plan for tackling political ads transparency in November, she noted.

They are also, in parallel, working on how to respond to the threat posed to European democracies by foreign interference cyberops — such as the aforementioned influence operations often found hosted on Facebook’s platform.

The commissioners did not give many details of those plans today but Jourova said it’s “high time to impose costs on perpetrators” — suggesting that some interesting possibilities may be being considered, such as trade sanctions for state-backed disops (although attribution would be one challenge).

Breton said countering foreign influence over the “informational space” is important work to defend the values of European democracy.

He also said the Commission’s anti-disinformation efforts would focus on support for education to help equip citizens with the necessary critical thinking capabilities to navigate the huge quantities of variable quality information that now surrounds them.

Salesforce dominates the world of CRM today, but while it’s a popular and well-used tool for organizing contacts and information, it doesn’t have all the answers when it comes to helping salespeople and marketers sell better, especially when meetings are not in person. Today, one of the startups that has emerged to help fill the gap is announcing a round of growth funding on the back of a huge year for its business.

Qualified — which builds better interactions for B2B sales and marketing teams that already use Salesforce by tapping into extra data sources to develop a better profile of those visiting your website, in aid of improving and personalizing the outreach (hence the name: you’re building “qualified” leads) — has picked up $51 million in funding. The startup will be using the Series B to continue building out its business with more functionality in the platform, and hiring across the board to expand business development and more.

Led by Salesforce Ventures, the funding round also included Norwest Venture Partners and Redpoint Ventures, both previous backers, among others. As with so many rounds at the moment — the venture world is flush with funding at the moment — this one is coming less than a year after Qualified’s last raise. It closed a $12 million Series A in August of last year.

Qualified was co-founded by two Salesforce veterans — ex-Salesforce CMO Kraig Swensrud and ex-SVP of Salesforce.com Sean Whiteley — serial entrepreneurs who you could say have long been hammering away at the challenges of building digital tools for sales and marketing people to do their jobs better online. The pair have founded and sold two other startups filling holes to that end: GetFeedback, acquired by SurveyMonkey; and Kieden, acquired by Salesforce.

The gap that they’re aiming to fill with this latest venture is the fact that when sales and marketing teams want to connect with prospects directly through, say, a phone call, they might have all of that contact’s information at their disposal. But if those teams want to make a more engaged contact when someone is visiting their site — a sign that a person is actually interested and thinking already about engaging with a company — usually the sales and marketing teams are in the dark about who those visitors are.

“We founded Qualified on the premise that a website should be more than a marketing brochure, but not just a sales site,” Swensrud, who is the CEO, said in an interview.

Qualified has built a tool that essentially takes several signals from Salesforce as well as other places to build up some information about the site visitor. It then uses it to give the sales and marketing teams more of a steer so that when they reach out via a screen chat to say “how can I help?” they actually have more information and can target their questions in a better way. A sales or marketing rep might know which pages a person is also visiting, and can then use the conversation that starts with an online chat to progress to a voice or video call, or a meeting.

If a person is already in your Salesforce rolodex, you get more information; but even without that there is some detail provided to be slightly less impersonal. (Example: when I logged into Qualified to look around the site, a chat popped up with a person greeing me “across the pond”… I’m in London.)

Qualified also integrates with a number of other tools that are used to help source data and build its customer profiles, including Slack, Microsoft Teams, 6sense, Demandbase, Marketo, HubSpot, Oracle Eloqua, Clearbit, ZoomInfo and Outreach.

Additional data is part and parcel of the kinds of information that sales and marketing people always need when reaching out to prospective customers, whether it’s via a “virtual” digital channel or in person. However, in the last year — where in-person meetings, team meetings, and working side-by-side with those who can give advice have all disappeared — having extra tools like these arguably have proven indispensable.

“Sales reps would heavily rely on their ‘road warrior’ image,” Swensrud said. “But all that stuff is gone, so as a result every seller is sitting at an office, at home, expecting digital interactions to happen that never existed before.”

And it seems some believe that even outside of Covid-19 enforcing a different way of doing things, the trend for “virtual selling”, as it’s often called, is here to stay: Gartner forecasts that by 2025, some 80% of B2B sales interactions will take place in digital channels. (So long to the expense account lunch, I guess.)

It’s because of the events of 2020, plus those bigger trends, that Qualified has seen revenues in the last year grow some 800% and its net customer revenue retention rate hover at 175%, with funding rounds come in relatively close succession in the wake of that.

There is something interesting to Qualified that reminds me a bit of more targeted ad retargeting, as it were, and in that, you can imagine a lot of other opportunities for how Qualified might expand in scenarios where it would be more useful to know why someone is visiting your site, without outright asking them and bothering them with the question. That could include customer service, or even a version that might sell better to consumers coming to, say, a clothes site after reading something about orange being the new black.

For now, though, it’s focused on the B2B opportunity.

There are a number of tools on the market that are competing with Salesforce as the go-to platform for people to organise and run CRM operations, but Swensrud is bullish for now on the idea of building specifically for the Salesforce ecosystem.

“Our product is being driven by and runs on Salesforce,” he noted, pointing out that it’s through Salesforce that you’re able to go from chatting to a phone call by routing the information to the data you have on file there. “Our roots go very deep.”

The funding round today is a sign that Salesforce is also happy with that close arrangement, which gives it a customization that its competitors lack.

“Qualified represents an entirely new way for B2B companies to engage buyers,” said Bill Patterson, EVP of CRM Applications at Salesforce, in a statement. “When marketing and inbound sales teams use this solution with Sales Cloud… they see a notable impact on pipeline. We are thrilled about our growing partnership with Qualified and their success within the Salesforce ecosystem.”

Germany’s national competition regulator, the Bundeskartellamt, has continued its investigative charge against big tech — announcing that it’s opened two proceedings into Google.

The move follows earlier proceedings targeting Amazon and Facebook — both of which are also looking to determine whether their businesses are of “paramount significance for competition across markets”, as German competition law puts it. (The regulator is also probing Facebook’s tying of Oculus to Facebook accounts.)

In Google’s case, one of the Bundeskartellamt’s new proceedings will confirm whether amended competition rules, which came into force in January, apply in its case — which would enable the FCO to target it with proactive interventions in the interests of fostering digital competition.

The second, parallel procedure will see the Federal Cartel Office (FCO) undertake an in-depth analysis of Google’s data processing terms in a move that looks intended to avoid wasting time — i.e. that its working assumption is that Google/Alphabet’s business meets the legal bar in the GWB Digitalisation Act.

By running the two Google procedures in parallel the German competition regulator will be in a position to act faster — assuming the first proceeding confirms it can indeed intervene.

The second probe running alongside would then identify potential problems to shape any intervention — with the FCO saying for example that it will look at whether Google/Alphabet “makes the use of services conditional on the users agreeing to the processing of their data without giving them sufficient choice as to whether, how and for what purpose such data are processed”.

It also says it will “examine the extent to which the terms provide Google with an opportunity to process data on an extensive cross-service basis” and will seek to clarify “how the company’s data processing policy applies to the processing of user data obtained from third-party websites and apps” (such as through Google’s advertising services).

Another key element of the proceeding will aim to establish what choice users actually have with regard to Google’s processing of their data, with the FCO noting that protecting consumer choice is a primary aim of competition law.

Given those point of focus it’s possible to imagine a future order from the FCO to Google could require it to simplify how it asks users for consent, to ensure genuine choice — and also shrink its ability to link first party user data with information obtained on people elsewhere online.

Commenting in a statement, Andreas Mundt, president of the Bundeskartellamt said: “An ecosystem which extends across various markets may be an indication that a company holds such a market position [i.e. whether it is of paramount significance across markets]. It is often very difficult for other companies to challenge this position of power. Due to the large number of digital services offered by Google, such as the Google search engine, YouTube, Google Maps, the Android operating system or the Chrome browser, the company could be considered to be of paramount significance for competition across markets.”

“Google’s business model relies to a very large extent on processing data relating to its users. Due to its established access to data relevant for competition, Google enjoys a strategic advantage. We will therefore take a close look at the company’s data processing terms. A key question in this context is whether consumers wishing to use Google’s services have sufficient choice as to how Google will use their data,” he added.

Reached for comment on the FCO proceedings, Google said it will fully cooperate with the FCO’s process but rejected the charge that people are forced to use its services — further claiming in a statement attributed to spokesperson, Ralf Bremer, that it offers “simple controls” so people can “limit” its use of their information:

“People choose Google because it’s helpful, not because they’re forced to, or because they can’t find alternatives. German consumers have enormous choice online and we give people simple controls to manage their information and limit the use of personal data. We will cooperate fully with the German Competition Authority and look forward to answering their questions.”

The Bundeskartellamt‘s in-depth prove of Google’s data processing terms picks up on long running criticism that the tech giant relies on forced and/or manipulative consent from users to obtain their data. Whereas the pan-EU legal standard if consent is used as a legal basis to process people’s information is that it should be clear, informed and freely given.

Back in 2019 Google was fined $57M by France’s data protection watchdog under the EU’s General Data Protection Regulation (GDPR) over a failure to provide “sufficiently clear” information to Android users when it sought their consent to use their data for targeted ads.

However, subsequent to the CNIL’s action, the tech giant limited its exposure to the privacy regulation by changing the legal jurisdiction of where it processes European users’ data to Ireland.

The Irish Data Protection Commission (DPC) then became Google’s lead data supervisor under the GDPR’s one-stop-shop mechanism. And the DPC has not decided a single GDPR complaint against Google — though it has a number of open investigations. It continues to face high level criticism over its enforcement record on key cross-border cases against big tech.

The awakening of European competition regulators to the issue of how abuse of user privacy is an anti-competitive tactic that can lock in the dominance of digital giants by unfairly enabling them to grab and link people’s data is thus a very important development in the regulation of big tech — and one where the Bundeskartellamt has already been a pioneer.

In an earlier FCO ‘super profiling’ case against Facebook — which predates the amendments to national digital competition law — it ordered the social media behemoth not to combine user data from across its different products.

Facebook has sought to block the order in the German courts. And, back in March, the case was referred to Europe’s top court — meaning the FCO’s order to it remains on hold pending the CJEU’s ruling (which could take years to be handed down).

The FCO confirmed today that the Facebook case is still pending before the court, reiterating the decision of the Düsseldorf Higher Regional Court to refer certain issues relating to the application of the GDPR to the European Court of Justice — which means that a decision on the merits of the case “can only be rendered after these issues have been clarified”.

The Bundeskartellamt’s investigation of Facebook’s data practices started all the way back in in March 2016. So it’s a safe bet that the regulator’s experience of digging into the detail of how tech giants process people’s data — and how hard it is to make cases stick against them — has helped inform the amendments to Germany’s competition law that introduce ex ante powers to tackle digital giants deemed to be of “paramount significance for competition across markets”.

Although there is still another waiting period baked in to this approach — as the regulator must first assess whether tech giants meet that legal bar.

The EU has proposed a similar ex ante approach for what it dubs as digital “gatekeepers”, under the Digital Markets Act, which it introduced at the end of last year.

Although with the bloc’s co-legislative process ongoing that regulation is likely some years away from adoption and pan-EU application — meaning Germany’s national law and the energetic FCO could be a significant actor in the meanwhile.

The EU’s competition commission are also digging into Google’s adtech practices — though they’re having to do so under existing powers, for now, which have been shown to be a painstakingly slow and not very effective route to tackle digital market power.

Elsewhere in Europe, the UK, which now sits outside the bloc, is also shaping its own an ex ante regime to curb the market power of digital giants. So regardless of political cross-currents in the region — and the problem of patchy privacy enforcement — there is growing consensus that European competition authorities must be empowered to step in proactively to tackle digital market abuses.

On the heels of expanding its marketing call analytics platform last year to provide more insights to help those in sales, e-commerce and customer experience, Invoca is making its first acquisition to widen the net of companies that it targets. The company has acquired DialogTech, a startup that builds tools for marketers to analyze inbound phone calls and other contacts, in what TechCrunch understands to be a $100 million deal.

As part of the transaction, Santa Barbara-based Invoca will be divesting Swydo, a company that Chicago-based Dialog acquired in 2018. Swydo — originally from The Netherlands — will remain a partner of Invoca’s, the company said.

Invoca has up to now focused on larger consumer-facing enterprises — its customers include the likes of ADT, AutoNation, DISH, TELUS, and The Home Depot — providing them with an AI-based platform that lets their marketing, sales and other teams analyze calls from consumer customers and provide call tracking, coaching, and other insights in real time and in the form of post-call reports to help those teams do their jobs more easily.

Gregg Johnson, Invoca’s CEO and one of growing pool of Salesforce veterans that are reinventing the marketing and sales technology landscape, described Dialog as “complementary” to what Invoca does, but will specifically help Invoca better target mid-market companies.

The opportunity that both Invoca and Dialog have identified is that, despite the growth of digital media advertising, social media and other channels for brands to connect to would-be customers, inbound calls remain a very key part of how companies sell goods and services, especially when the sale is of a complex item.

“About 40% to 80% of revenues come through contact centers,” Johnson said. “Brands can do all the retargeting they want but the same strategies in digital don’t work there.”

For those working at the other end of the line, the need for tools to do their jobs better became even more pressing in the last year, a time when customers stayed home and away from physical stores, shifting all of their interactions to virtual and remote channels. Subsequently, they demanded and expected better levels of service there.

“This move enables us to be an even better partner to enterprises and agencies looking to optimize their marketing and drive sales,” said DialogTech CEO, Doug Kofoid, in a statement. “Together as Invoca, our combined company will deliver an unrivaled solution for conversation intelligence, with the most innovative technology, expertise, experience, and resources in our industry.”

The combined business will become one of the bigger “martech” startups focusing on conversational insights, with 2,000 customers, over 300 employees and on track to make more than $100 million this year in revenue. This is, however, just the tip of the iceberg: the conversational intelligence market was estimated to be worth some $4.8 billion in 2020 and is expected to balloon to nearly $14 billion by 2025.

Given how many startups we’ve seen launch in the name of better sales intelligence, it’s likely that this will not be the last piece of consolidation in the area. Combining to expand the functionality of a platform, or to expand the scale and reach of a business, or simply to bring on interesting tech that is easier to acquire than build from scratch, are three areas that will likely drive more M&A.

Invoca last raised funding in October 2019, a $56 million round just ahead of the world shifting into Covid-19 pandemic mode. Johnson confirmed that Invoca — which has to date raised $116 million from Accel, Upfront Ventures, H.I.G. Growth Partners, Morgan Stanley, Salesforce Ventures and others — is in a strong enough position as a business not to need to raise more for this acquisition.

However, I suspect that scaling up like this will help it bid for bigger money and a bigger valuation when it does, as will the fact that peers in the market like Gong (which Johnson described as the “B2B version of Invoca” to me) have seen their valuations catapult in the last year, spurred by the changes in how customers interact with businesses, and sales and marketing can work to better serve them.

Well, that was fast.

Just a few months after raising its seed round, Unfolded.ai announced today that it is being acquired by Foursquare. Terms of the deal were not disclosed. The startup had raised a total of about $6 million when we last checked in with them.

The company, founded by a group of ex-Uber geospatial engineers, was building on top of popular open-source libraries that its founders had created including Kepler.gl, a web application that can take geospatial datasets and visualize them, and Deck.gl, which offers an extensible application framework for processing geospatial datasets and preparing them for visualization.

As I wrote earlier this year:

The startup’s main product is called Unfolded Studio, which acts as a backend-as-a-service for applications built on top of Kepler.gl (which is only a frontend library itself) handling components like data management and server communications. In particular, the product is designed to bring different geospatial datasets together and allow them all to interact with each other in one unified view.

The acquisition by Foursquare is designed to bring Unfolded’s geospatial technology into Foursquare Everywhere, the company’s new brand and product focus on delivering scalable location services to all sorts of customers.

Foursquare has evolved significantly in recent years to become a location-focused advertising and marketing platform. It announced that it was merging with Factual back in April 2020, and switched out CEO David Shim with Gary Little in November, who assumed the titles of CEO and president. This acquisition appears to be the first for Little since he took the helm.

Foursquare CEO and president Gary Little. Image Credits: Foursquare

In its press statement, the company said that “this acquisition propels Foursquare’s evolution into the singular source companies turn to for high quality, easy-to-use location data and the technology they need to make sense of it.”

As consumer behavior and expectations around privacy have shifted — and operating systems and browsers have adapted to this — the age of cookies as a means of tracking user behavior is coming to an end. Few people will bemoan this, but advertisers and marketers rely on having insights into how their efforts translate into sales (and publishers like to know how their content performs as well). Google is obviously aware of this and it is now looking to machine learning to ready its tools like Google Analytics for this post-cookie future.

Last year, the company brought several machine learning tools to Google Analytics already. At the time, the focus was on alerting users to significant changes in their campaign performance, for example. Now, it is taking this a step further by using its machine learning systems to model user behavior when cookies are not available.

Vidhya Srinivasan, VP/GM, Advertising at Google

It’s hard to underestimate the importance of this shift, but according to Vidhya Srinivasan, Google’s VP and GM for Ads Buying, Analytics and Measurement who joined the company after a long stint at Amazon two years ago (and IBM before that), it’s also the only way to go.

“The principles we outlined to drive our measurement roadmap are based on shifting consumer expectations and ecosystem paradigms. Bottom line: the future is consented. It’s modeled. It’s first-party. So that’s what we’re using as our guide for the next gen of our products and solutions,” she said in her first media interview after joining Google.

It’s still early days and a lot of users may yet consent and opt in to tracking and sharing their data in some form or another. But the early indications are that this will be a minority of users. Unsurprisingly, first-party data and the data Google can gather from users who consent becomes increasingly valuable in this context.

Because of this, Google is now also making it easier to work with this so-called ‘consented data’ and to create better first-party data through improved integrations with tools like the Google Tag Manager.

Last year, Google launched Consent Mode, which helps advertisers manage cookie behavior based on local data-protection laws and user preferences. For advertisers in the EU and in the U.K., Consent Mode allows them to adjust their Google tags based on a user’s choices and soon, Google will launch a direct integration with Tag Manager to make it easier to modify and customize these tags.

How Consent Mode works today.

What’s maybe more important, though, is that Consent Mode will now use conversion modeling for users who don’t consent to cookies. Google says this can recover about 70% of ad-click-to-conversion journeys that would otherwise be lost to advertisers.

In addition, Google is also making it easier for bring in first-party data (in a privacy-forward way) to Google Analytics to improve measurements and its models.

“Revamping a popular product with a long history is something people are going to have opinions about – we know that. But we felt strongly that we needed Google Analytics to be relevant to changing consumer behavior and ready for a cookie-less world – so that’s what we’re building,” Srinivasan said. “The machine learning that Google has invested in for years — that experience is what we’re putting in action to drive the modeling underlying this tech. We take having credible insights and reporting in the market seriously. We know that doing the work on measurement is critical to market trust. We don’t take the progress we’ve made for granted and we’re looking to continue iterating to ensure scale, but above all we’re prioritizing user trust.”

Months after Apple’s App Store introduced privacy labels for apps, Google announced its own mobile app marketplace, Google Play, will follow suit. The company today pre-announced its plans to introduce a new “safety” section in Google Play, rolling out next year, which will require app developers to share what sort of data their apps collect, how it’s stored, and how it’s used.

For example, developers will need to share what sort of personal information their apps collect, like users’ names or emails, and whether it collects information from the phone, like the user’s precise location, their media files or contacts. Apps will also need to explain how the app uses that information — for example, for enhancing the app’s functionality or for personalization purposes.

Developers who already adhere to specific security and privacy practices will additionally be able to highlight that in their app listing. On this front, Google says it will add new elements that detail whether the app uses security practices like data encryption; if the app follows Google’s Families policy, related to child safety; if the app’s safety section has been verified by an independent third party; whether the app needs data to function or allows users to choose whether or not share data; and whether the developer agrees to delete user data when a user uninstalls the app in question.

Apps will also be required to provide their privacy policies.

While clearly inspired by Apple’s privacy labels, there are several key differences. Apple’s labels focus on what data is being collected for tracking purposes and what’s linked to the end user. Google’s additions seem to be more about whether or not you can trust the data being collected is being handled responsibility, by allowing the developer to showcase if they follow best practices around data security, for instance. It also gives the developer a way to make a case for why it’s collecting data right on the listing page itself. (Apple’s “ask to track” pop-ups on iOS now force developers to beg inside their apps for access user data).

Another interesting addition is that Google will allow the app data labels to be independently verified. Assuming these verifications are handled by trusted names, they could help to convey to users that the disclosures aren’t lies. One early criticism of Apple’s privacy labels was that many were providing inaccurate information — and were getting away with it, too.

Google says the new features will not roll out until Q2 2022, but it wanted to announce now in order to give developers plenty of time to prepare.

Image Credits: Google

There is, of course, a lot of irony to be found in an app privacy announcement from Google.

The company was one of the longest holdouts on issuing privacy labels for its own iOS apps, as it scrambled to review (and re-review, we understand) the labels’ content and disclosures. After initially claiming its labels would roll out “soon,” many of Google’s top apps then entered a lengthy period where they received no updates at all, as they were no longer compliant with App Store policies.

It took Google months after the deadline had passed to provide labels for its top apps. And when it did, it was mocked by critics — like privacy-focused search engine DuckDuckGo — for how much data apps like Chrome and the Google app collect.

Google’s plan to add a safety section of its own to Google Play gives it a chance to shift the narrative a bit.

It’s not a privacy push, necessarily. They’re not even called privacy labels! Instead, the changes seem designed to allow app developers to better explain if you can trust their app with your data, rather than setting the expectation that the app should not be collecting data in the first place.

How well this will resonate with consumers remains to be seen. Apple has made a solid case that it’s a company that compares about user privacy, and is adding features that put users in control of their data. It’s a hard argument to fight back against — especially in an era that’s seen too many data breaches to count, careless handling of private data by tech giants, widespread government spying, and a creepy adtech industry that grew to feel entitled to user data collection without disclosure.

Google says when the changes roll out, non-compliant apps will be required to fix their violations or become subject to policy enforcement. It hasn’t yet detailed how that process will be handled, or whether it will pause app updates for apps in violation.

The company noted its own apps would be required to share this same information and a privacy policy, too.

Snap on Wednesday announced its plan to soon launch a Creator Marketplace, which will make it easier for businesses to find and partner with Snapchat creators, including lens creators, AR creators and later, prominent Snapchat creators known as Snap Stars. At launch, the marketplace will focus on connecting brands and AR creators for AR ads. It will then expand to support all Snap Creators by 2022.

The company had previously helped connect its creator community with advertisers through its Snapchat Storytellers program, which first launched into pilot testing in 2018 — already a late arrival to the space. However, that program’s focus was similar to Facebook’s Brand Collabs Manager, as it focused on helping businesses find Snap creators who could produce video content.

Snap’s new marketplace, meanwhile, has a broader focus in terms of connecting all sorts of creators with the Snap advertising ecosystem. This includes Lens Creators, Developers and Partners, and then later, Snap’s popular creators with public profiles.

Snap says the Creator Marketplace will open to businesses later this month to help them partner with a select group of AR Creators in Snap’s Lens Network. These creators can help businesses build AR experiences without the need for extensive creative resources, which makes access to Snap’s AR ads more accessible to businesses, including smaller businesses without in-house developer talent.

Lens creators have already found opportunity working for businesses that want to grow their Snapchat presence — even allowing some creators to quit their day jobs and just build lens for a living. Snap has been further investing in this area of its business, having announced in December a $3.5 million fund directed towards AR Lens creation. The company said at the time there were tens of thousands of Lens creators who had collectively made over 1.5 million Lenses to date.

Using Lenses has grown more popular, too, the company had noted, saying that over 180 million people interact with a Snapchat Lens every day — up from 70 million daily active users of Lenses when the Lens Explorer section first launched in the app in 2018.

Now, Snap says that over 200 million Snapchat users interact with augmented reality on a daily basis, on average, out of its 280 million daily users. The majority (over 90%) of these users are 13-25 year olds. In total, users are posting over 5 billion Snaps per day.

Snap says the Creator Marketplace will remain focused on connecting businesses with AR Lens Creators throughout 2021.

The following year, it will expand to include the community of professional creators and storytellers who understand the current trends and interests of the Snap user base and can help businesses with their ad campaigns. The company will not take a cut of the deals facilitated through the Marketplace, it says.

This would include the creators making content for Snap’s new TikTok rival, Spotlight, which launched in November 2020. Snap encouraged adoption of the feature by shelling out $1 million per day to creators of top videos. In March 2021, over 125 million Snapchat users watched Spotlight, it says.

Image Credits: Snapchat

Spotlight isn’t the only way Snap is challenging TikTok.

The company also on Wednesday announced it’s snagging two of TikTok’s biggest stars for its upcoming Snap Originals lineup: Charli and Dixie D’Amelio. The siblings, who have gained over 20 million follows on Snapchat this past year, will star in the series “Charli vs. Dixie.” Other new Originals will feature names like artist Megan Thee Stallion, actor Ryan Reynolds, twins and influencers Niki and Gabi DeMartino, and YouTube beauty vlogger Manny Mua, among others.

Snap’s shows were watched by over 400 million people in 2020, including 93% of the Gen Z population in the U.S., it noted.

Disqus, a commenting plugin that’s used by a number of news websites and which can share user data for ad targeting purposes, has got into hot water in Norway for tracking users without their consent.

The local data protection agency said today it has notified the U.S.-based company of an intent to fine it €2.5 million (~$3M) for failures to comply with requirements in Europe’s General Data Protection Regulation (GDPR) on accountability, lawfulness and transparency.

Disqus’ parent, Zeta Global, has been contacted for comment.

Datatilsynet said it acted following a 2019 investigation in Norway’s national press — which found that default settings buried in the Disqus’ plug-in opted sites into sharing user data on millions of users in markets including the U.S.

And while in most of Europe the company was found to have applied an opt-in to gather consent from users to be tracked — likely in order to avoid trouble with the GDPR — it appears to have been unaware that the regulation applies in Norway.

Norway is not a member of the European Union but is in the European Economic Area — which adopted the GDPR in July 2018, slightly after it came into force elsewhere in the EU. (Norway transposed the regulation into national law also in July 2018.)

The Norwegian DPA writes that Disqus’ unlawful data-sharing has “predominantly been an issue in Norway” — and says that seven websites are affected: NRK.no/ytring, P3.no, tv.2.no/broom, khrono.no, adressa.no, rights.no and document.no.

“Disqus has argued that their practices could be based on the legitimate interest balancing test as a lawful basis, despite the company being unaware that the GDPR applied to data subjects in Norway,” the DPA’s director-general, Bjørn Erik Thon, goes on.

“Based on our investigation so far, we believe that Disqus could not rely on legitimate interest as a legal basis for tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes, and that this type of tracking would require consent.”

“Our preliminary conclusion is that Disqus has processed personal data unlawfully. However, our investigation also discovered serious issues regarding transparency and accountability,” Thon added.

The DPA said the infringements are serious and have affected “several hundred thousands of individuals”, adding that the affected personal data “are highly private and may relate to minors or reveal political opinions”.

“The tracking, profiling and disclosure of data was invasive and nontransparent,” it added.

The DPA has given Disqus until May 31 to comment on the findings ahead of issuing a fine decision.

Publishers reminded of their responsibility

Datatilsynet has also fired a warning shot at local publishers who were using the Disqus platform — pointing out that website owners “are also responsible under the GDPR for which third parties they allow on their websites”.

So, in other words, even if you didn’t know about a default data-sharing setting that’s not an excuse because it’s your legal responsibility to know what any code you put on your website is doing with user data.

The DPA adds that “in the present case” it has focused the investigation on Disqus — providing publishers with an opportunity to get their houses in order ahead of any future checks it might make.

Norway’s DPA also has some admirably plain language to explain the “serious” problem of profiling people without their consent. “Hidden tracking and profiling is very invasive,” says Thon. “Without information that someone is using our personal data, we lose the opportunity to exercise our rights to access, and to object to the use of our personal data for marketing purposes.

“An aggravating circumstance is that disclosure of personal data for programmatic advertising entails a high risk that individuals will lose control over who processes their personal data.”

Zooming out, the issue of adtech industry tracking and GDPR compliance has become a major headache for DPAs across Europe — which have been repeatedly slammed for failing to enforce the law in this area since GDPR came into application in May 2018.

In the UK, for example (which transposed the GDPR before Brexit so still has an equivalent data protection framework for now), the ICO has been investigating GDPR complaints against real-time bidding’s (RTB) use of personal data to run behavioral ads for years — yet hasn’t issued a single fine or order, despite repeatedly warning the industry that it’s acting unlawfully.

The regulator is now being sued by complainants over its inaction.

Ireland’s DPC, meanwhile — which is the lead DPA for a swathe of adtech giants which site their regional HQ in the country — has a number of open GDPR investigations into adtech (including RTB). But has also failed to issue any decisions in this area almost three years after the regulation begun being applied.

Its lack of action on adtech complaints has contributed significantly to rising domestic (and European) pressure on its GDPR enforcement record more generally, including from the European Commission. (And it’s notable that the latter’s most recent legislative proposals in the digital arena include provisions that seek to avoid the risk of similar enforcement bottlenecks.)

The story on adtech and the GDPR looks a little different in Belgium, though, where the DPA appears to be inching toward a major slap-down of current adtech practices.

A preliminary report last year by its investigatory division called into question the legal standard of the consents being gathered via a flagship industry framework, designed by the IAB Europe. This so-called ‘Transparency and Consent’ framework (TCF) was found not to comply with the GDPR’s principles of transparency, fairness and accountability, or the lawfulness of processing.

A final decision is expected on that case this year — but if the DPA upholds the division’s findings it could deal a massive blow to the behavioral ad industry’s ability to track and target Europeans.

Studies suggest Internet users in Europe would overwhelmingly choose not to be tracked if they were actually offered the GDPR standard of a specific, clear, informed and free choice, without any loopholes or manipulative dark patterns.

PreShow Interactive is giving gamers a new way to earn in-game currency in exchange for watching ads — a concept that’s become familiar in mobile games but hasn’t really made much headway on PCs or consoles.

The startup is led by MoviePass’ founding CEO Stacy Spikes. When I spoke to Spikes about PreShow two years ago, he was beta testing an app that provided users with free movie tickets in exchange for watching ads. But obviously, theatrical moviegoing has taken a big hit in the past year.

Spikes told me yesterday that he’d always hoped to bring the PreShow concept to four categories — theatrical movies, gaming, subscription streaming and video on demand — but the pandemic forced the startup to shift focus more quickly than expected and explore what a gaming experience might look like.

The current plans is to launch a new PreShow Interactive app this summer, where viewers can connect their in-game accounts and identify how much virtual currency they want to earn. Then they watch a package of ads and PreShow will automatically transfer the currency to their account — in other words, it’s buying the currency for them.

Users will have to download a separate app to watch the ads and get the benefits, but Spikes said this is actually better than trying to integrate advertising or branded content into the game itself, which can be a slow process for the developer and the advertiser, while also being distracting for the players. And this means PreShow Interactive should able to support 20,000 games at launch, across PCs, consoles and virtual reality.

Image Credits: PreShow Interactive

“We just didn’t see the purpose of spending the time on integrations when it’s not really necessary,” he added. “Our deal is only with the consumer for their time. We’re saying, ‘This is your time. It has value.'”

One of the key elements to Preshow’s approach is technology that can detect when the viewer is actually looking at their phone screen — the ads will stop playing if you turn away. Critics have described this as “creepy surveillance tech,” but Spikes claimed that early PreShow users have embraced the approach. He also argued that it’s more transparent than the data collection and targeting currently driving online advertising.

“We used to think data was the new oil, but now our feeling is that permission and engagement and attention is the new oil,” he said.

In addition to revealing its new strategy, PreShow is announcing that it has raised $3 million in seed funding led by Harlem Capital, with participation Canaan Partners, Wavemaker Ventures, Front Row Fund, ROC Fund, BK Fulton and Monroe Harris.

And to be clear, Spikes said PreShow isn’t abandoning theatrical movies. He said that the PreShow app will eventually offer both movie and gaming deals “under one roof,” but brands aren’t currently eager to advertise to moviegoers.

“We’re ready to go when the marketplace is ready to go,” he said.

Data intelligence company Near is announcing the acquisition of another company in the data business — UM.

In some ways, this echoes Near’s acquisition of Teemo last fall. Just as that deal helped Singapore-headquartered Near expand into Europe (with Teemo founder and CEO Benoit Grouchko becoming Near’s chief privacy officer), CEO Anil Mathews said that this new acquisition will help Near build a presence in the United States, turning the company into “a truly global organization,” while also tailoring its product to offer “local flavors” in each country.

The addition of UM’s 60-person team brings Near’s total headcount to around 200, with UM CEO Gladys Kong becoming CEO of Near North America.

At the same time, Mathews suggested that this deal isn’t simply about geography, because the data offered by Near and UM are “very complementary,” allowing both teams to upsell current customers on new offerings. He described Near’s mission as “merging two diverse worlds, the online world and the offline world,” essentially creating a unified profile of consumers for marketers and other businesses. Apparently, UM is particularly strong on the offline side, thanks to its focus on location data.

Near CEO Anil Mathews and UM CEO Gladys Kong

“UM has a very strong understanding of places, they’ve mastered their understanding of footfalls and dwell times,” Mathews added. “As a result, most of the use cases where UM is seeing growth — in tourism, retail, real estate — are in industries struggling due to the pandemic, where they’re using data to figure out, ‘How do we come out of the pandemic?'”

TechCrunch readers may be more familiar with UM under its old name UberMedia, which created social apps like Echofon and UberSocial before pivoting its business to ad attribution and location data. Kong said that contrary to her fears, the company had “an amazing 2020” as businesses realized they needed UM’s data (its customers include RAND Corporation, Hawaii Tourism Authority, Columbia University and Yale University).

And the year was capped by connecting with Near and realizing that the two companies have “a lot of synergies.” In fact, Kong recalled that UM’s rebranding last month was partly at Mathews’ suggestion: “He said, ‘Why do you have media in your name when you don’t do media?’ And we realized that’s probably how the world saw us, so we decided to change [our name] to make it clear what we do.”

Founded in 2010, UM raised a total of $34.6 million in funding, according to Crunchbase. The financial terms of the acquisition were not disclosed.