Steve Thomas - IT Consultant

Google is expanding a verification program for financial services ads that it launched in the UK last summer after seeing what it describes as a “pronounced decline” in reports of ads promoting financial scams.

First in line to get the requirement, as part of a phased expansion of the policy, are Australia, Singapore and Taiwan. But Google says it plans to further expand the verification requirements to advertisers in additional countries and regions “in the coming months”.

The verification layer sits atop Google’s financial products and services policy — looping in a local financial regulator which advertisers must demonstrate they are authorized by in order to have their financial services ads accepted by Google — thereby adding a layer of security against the adtech giant accepting and running ads for crypto investment scams and the like.

In the UK the Financial Conduct Authority (FCA) is the regulatory body that financial services advertisers must demonstrate they are authorized by. Equivalent oversight bodies will come into play in the three new markets.

Google said advertisers wanting to promote financial products and services in these markets will be able to apply for verification at the end of June — with the policy slated to go into effect on August 30, 2022.

“Advertisers that have not completed the new verification process by this date will no longer be allowed to promote financial services,” it warns in a blog post penned by Alejandro Borgia, a Google director of ads privacy and safety.

“We work tirelessly to make sure the ads we serve are safe and trustworthy, and we know that partnering and collaborating with government regulators is critical to our success. That’s why we’re closely coordinating with regulators in these three markets to make sure this program is effective at scale,” he added.

Google hasn’t offered any data to back up its claim that the policy change has led to a substantial decline in reports of financial scam ads in the UK market — offering only an overall (global) figure for ads that it blocked or removed in 2021 (58.9 million) for violating its financial services policies, culled from its 2021 Ads Safety Report.

Prior to launching the financial ads verification policy in the UK, Google had been under pressure from the FCA to tackle scams — with the regulator threatening legal action if Google continued to accept unscreened financial ads.

The e-commerce market is on track to pass $5.5 trillion in revenues this year, which speaks not only to how much consumers are shopping online these days, but also to how many businesses there are out there now selling to them. Today, a startup from Gothenburg, Sweden called Juni is announcing $206 million in funding — a $100 million Series B and a further $106 million in debt — to build out an e-commerce-focused neobank, designed specifically to cater to that growing group of retailers with tools to help them run their business.

Mubadala Capital led the $100 million equity round, with previous backers EQT Ventures, Felix Capital, Cherry Ventures and Partners of DST Global also participating. Meanwhile, the $106 million in debt funding — which Juni will use to fuel its credit products — is coming from TriplePoint Capital.

Founded in 2020 and launched in 2021, Juni closed off its Series A only in October of last year (it raised $21.5 million in July and a further $52 million in October), but it’s been on a very strong pace of growth — “multiple hundred percent”, CEO Samir El-Sabini said in an interview. (It didn’t give actual customer numbers.) It’s not disclosing its valuation but sources close to the company tell me it is now in the region of $800 million. 

Most incumbent banks, and now a fair number of neobanks, target small and medium businesses as customers. But the gap in the market that Juni identified and built to fill is that the needs of e-commerce SMBs, and those doing business online in general, are unique among them.

E-commerce businesses have potentially huge incoming and outgoing sums in their accounts, and that money does not necessarily come in a consistent stream. They likely do business in multiple geographies and with multiple suppliers. And in addition to potentially selling across a number of platforms and marketplaces (all of which also add complexity to the finances and managing them), they use a number of other digital tools both to sell, and to run and help grow their operations.

El-Sabini co-founded the company with CTO Anders Orsedal and Jonathan Sanders (who is no longer with the company but remains a ‘silent partner’, El-Sabini said). All three had track records of working in digital businesses where they saw, not just for themselves but for their customers, an opportunity to build a bank that took all of that into account (so to speak) and to build a financial management service that fit those dynamics.

So around basic banking, Juni’s credit cards and capital advance/cashback services (which is where the debt funding will be put to use), accounting, and analytics are all optimized for the kind of incomings and outgoings e-commerce companies have. The platform includes some 2,400 integrations with tools (and the data that those tools generate) that companies might potentially use for their accounting, their digital advertising, their payments on websites, and more.

And while that sounds like a very large product with a lot of tentacles, Juni has actually narrowed its scope in the last year. The company initially launched catering to both e-commerce retailers and digital marketers, since the latter group also has a lot of similar dynamics, spending money in multiple jurisdictions and leveraging a variety of marketing and advertising tech. Now, it has shifted its target customer, and the tools it’s building, more specifically to the e-commerce vertical and the marketing that they undertake.

“We are focusing on e-commerce companies,” El-Sabini said. “However marketing is an important function in all e-commerce companies.”

The company launched during the pandemic, which was a windfall of sorts: there were suddenly a lot more consumers buying a lot more online, and e-commerce companies were scrambling both to connect with and sell to those audiences without going bust, so having a banking partner that could assist in that was partly what drove such strong growth for Juni.

Interestingly, and as you might expect, that need doesn’t go away as the pandemic subsides. Growth is definitely now slowing down in that sector (dropping by at least four percent globally and continuing that way for the next few years, says eMarketer) and so e-commerce companies have to manage that, too.

“The cost base is generally under pressure, and we can offer credit with great insights into our customers’ forecasting, so they understand the cash flow,” and cash flow is king for these customers, he continued. “Something that we also see is fear in the markets. So if you can have a partner that is long term and can help you and understand your position that is obviously very important. We want long relationships with our customers.”

Abu Dhabi’s Mubadala Investment Company, the parent of Mubadala Capital, is a prolific fintech investor (it has backed Brex, SpotOn, GoCardless, and many others), and Fatou Bintou Sagnang, the partner who led the investment, said that she and the firm evaluated a number of other players in the banking space focusing on SMBs before coming to invest in Juni.

“It started with looking at SMBs and fintech enablement and we were looking for companies that fit that thesis,” she said in an interview. “We like companies that use tech in smart ways to decrease costs.” She said they spent more than nine months getting to know the young Juni and liked its focus on e-commerce. “We actually see a lot of parallels with Brex in the US. We came in with some experience doing this for sectors, and our thesis is that the next iteration in fintechs challenging incumbents will be more verticalization.” 

The UK’s competition watchdog has just announced another investigation into Google over potential antitrust abuses around adtech.

This is the Competition and Markets Authority’s (CMA) second probe of Google’s adtech practices — after it said it would investigate an ad deal between Google and Facebook referred to internally as ‘Jedi Blue’, back in March. (That deal also features in a major antitrust complaint against Google’s adtech over the pond, led by the US State of Texas.)

The CMA did also open a probe of Google’s ad-related Privacy Sandbox plan last year, triggered by complaints over its planned deprecation of tracking cookies to migrate to an alternative stack of ad targeting technologies — a development that remains under external monitoring after a settlement between Google and the regulator which looks, at the very least, to have slowed the pace of any switch. (Google also recently revised its approach to push for topic-based ad targeting, rather than cohorts.)

The latest Google probe by the CMA focuses on what it describes as “strong” positions Google holds in adtech intermediation, aka the adtech tech stack, which the regulator suspects could be distorting competition — since the tech giant owns the largest service provider in three key parts of the chain.

The parts where it’ll be examining Google’s dominance are: DSPs (aka demand side platforms which enable advertisers and media agencies to buy publishers’ available ad space from many sources); ad exchanges (which provide the tech to automate the sale of publishers’ ad inventory via real-time auctions); and publisher ad servers (which manage publisher inventory and determine which ad to show based on bids received from exchanges and/or direct deals between publishers and advertisers).

“The CMA is assessing whether Google’s practices in these parts of the ad tech stack may distort competition. These include whether Google limited the interoperability of its ad exchange with third-party publisher ad servers and/or contractually tied these services together, making it more difficult for rival ad servers to compete,” the regulator wrote in a press release. “The CMA is also concerned that Google may have used its publisher ad server and its DSPs to illegally favour its own ad exchange services, while taking steps to exclude the services offered by rivals.”

Google has a dominant share across key parts of the adtech tech stack, as an earlier CMA market study established (see chart below). But its ad products have evolved and merged over the years, as well as undergoing some rebranding — such as when Google sought to move away from the DoubleClick brand back in 2018 — all of which makes what is already a complex and even opaque market structure even more difficult for outsiders to get a handle on.

Image credit: CMA final report on online advertising and platforms market study, July 2020

Among a number of concerning characteristics that the CMA’s 2020 study found were inhibiting competition in the ad market was a lack of transparency — which it suggested made it difficult for market participants to “understand or challenge how decisions are made and to exercise choice effectively”.

Other characteristics it suggested were undermining “effective competition” in the digital ad market were network effects and economies of scale; consumer decision making and the power of defaults; unequal access to user data; the importance of ecosystems; and vertical integration, and resultant conflicts of interest.

However, despite making a damning assessment of the state of the online ad market almost two full years ago — when it recommended substantial reforms — the CMA has not taken any enforcement action against Google to crack the market open. (Although a 2019 consultation, following publication of its preliminary report, featured breaking up the adtech giant as one of a number of potential remedies.)

Instead, in the final market report the CMA opted to push for new powers so it could make pro-competition interventions to remedy structural problems attached to tech giants with strategic market power.

But, years on, the CMA is still waiting for the UK government to legislate to empower the Digital Markets Unit (DMU) — which started work in shadow form last year. And it looks likely to have years more to wait, as the government has not made rebooting the competition regime an immediate priority.

Hence the CMA resorting to flexing its existing powers by opening investigations into specific adtech practices.

The regulator’s PR also reiterates that while it’s waiting on the government to empower the DMU it will “forge ahead using its existing powers in the tech sector” — so there’s a bit of a shot across Whitehall’s bows to get on with it.

On the Google probe specifically, Andrea Coscelli, the CMA’s CEO, said today that it’s opening a new investigation as it’s concerned Google is unfairly leveraging its dominant position to favor its own services — harming rivals, customers and consumers.

In the statement he added:

“Weakening competition in this area could reduce the ad revenues of publishers, who may be forced to compromise the quality of their content to cut costs or put their content behind paywalls. It may also be raising costs for advertisers which are passed on through higher prices for advertised goods and services.

“It’s vital that we continue to scrutinise the behaviour of the tech firms which loom large over our lives and ensure the best outcomes for people and businesses throughout the UK.”

The CMA also makes a point of noting that the investigation of Google’s adtech practices will “further consider” the “significant issues” and “possible solutions” that its 2020 market study had identified for addressing market power in adtech.

Google was contacted for comment on the latest CMA probe.

It told us it hasn’t seen the full CMA complaint yet so can’t respond in detail — but in a statement attributed to a spokesperson it said:

“Advertising tools from Google and many competitors help websites and apps fund their content, and help businesses of all sizes effectively reach their customers. Google’s tools alone have supported an estimated £55 billion in economic activity for over 700,000 businesses in the UK and when publishers choose to use our advertising services, they keep the majority of revenue. We will continue to work with the CMA to answer their questions and share the details on how our systems work.”

The European Union announced its own wide-ranging probe of Google’s adtech practices last summer — and that investigation remains ongoing. But France’s antitrust watchdog has already conducted its own investigation of Google’s self-preferencing in adtech and, last summer, the national authority hit it with a $268M penalty for a string of abuses.

The tech giant requested a settlement in France — proposing a series of interoperability commitments that the regulator accepted as part of its binding decision. So the country has been ahead of the pack on the adtech antitrust issue.

Adtech ops are also subject to privacy scrutiny in Europe — where Google’s lead data protection regulator, the Irish Data Protection Commission, has — since 2019 — had an enquiry open into its ad exchange, following complaints about the security of real-time bidding’s processing of personal data.

However the DPC is being sued for inaction over complaints that date back to 2018.

Other EU privacy complaints about real-time bidding have focused on the validity of consent/legal basis for the mass processing of web users’ data — and a major decision by Belgium’s data protection authority earlier this year identified a laundry list of problems with an industry standard framework that could force some reform of certain privacy-hostile adtech practices.

If you’re working for an advertising agency or you’re in charge of a brand, editing and exporting a video ad that works across all social and web platforms can be a lengthy and time consuming task. French startup Aive speeds up the process quite drastically as it can automatically generate all formats and all durations from one source video.

When you create a new video to showcase your brand, you usually start with a 16:9 video with a duration of a couple of minutes. It can be a good first step to create shorter versions for TV spots for instance.

But the advertising industry has changed — 30-second TV spots are no longer as relevant as they used to be. Many brands now want to advertise across different platforms, which means that you need to provide a video that integrates natively with these platforms.

For instance, on Snapchat, brands need a vertical 9:16 video if they want to insert ads in between user stories. If a company wants to create a video for the Instagram newsfeed, a square 1:1 video will work better.

Each platform has different requirements when it comes to format, duration and even content emphasis. On YouTube, you can create very short videos that last just a few seconds or longer videos that can be skipped after a few seconds. In that case, you need to display your brand’s logo as quickly as possible to make sure that people don’t skip too quickly, or that they get the message as quickly as possible.

When Aive users upload a video, they get an overall creative score and a breakdown of all the strengths and weaknesses in the video. For instance, the platform tells you if the video will work well on mobile, if the brand is showcased appropriately and more.

After that, users can create automated tasks to repackage that video. You can select multiple lengths and formats at once for your output videos. Once the service has finished processing your videos, you can see the result and manually adjust some details that don’t work as well as expected.

For instance, if you think the algorithm deleted an important scene, you can replace a scene in the output video with a deleted one. Once this is done, you can download the output videos to your computer and use them across several platforms.

The startup recently raised a $3.2 million (€3 million) seed round from dozens of business angels, including Pauline Duval, Renaud Visage, Kevin Polizzi, Jean-Paul Brunier, Aurélie Jean, Julien Chaumond, Jérémie Rosseli, etc.

With this funding round, the company plans to double the size of its team from 15 to 30 people. If you add previous funding and public funding from Région Occitanie, Bpifrance and La French Tech, Aive has scored $7.5 million (€7 million) since its inception.

Because it is a software-as-a-service product, Aive also works well as a team. Users can leave comments and annotate videos for other users. There is also a built-in user rights management system, which can be useful for freelancers, clients and agencies.

While the most expensive ad agencies can already generate variations of the same video for their clients, Aive makes this process more accessible to different teams and companies. It means that you don’t have to restrict yourself to a couple of ad campaigns per year as it’s easier to refresh your ads more frequently.

It’s still early days for the startup as Aive has been testing its product in private beta with a handful of companies, such as Club Med, L’Oréal, Monoprix, Nissan and Swile. So it’s going to be interesting to see how the product evolves in the coming years.

DuckDuckGo, the self-styled “internet privacy company” — which, for years, has built a brand around a claim of non-tracking web search and, more recently, launched its own ‘private’ browser with built-in tracker blocking — has found itself in hot water after a researcher found hidden limits on its tracking protection that create a carve-out for certain advertising data requests by its search syndication partner, Microsoft.

Late yesterday, the researcher in question, Zach Edwards, tweeted the findings of his audit — saying he had found DDG’s mobile browsers do not block advertising requests made by Microsoft scripts on non-Microsoft web properties. (NB: This is a separate matter to what happens if you actually click on an ad when using DDG — as its privacy policy clearly discloses all privacy bets are off at that point.)

Edwards tested browser data flows on a Facebook-owned site, Workplace.com, and found that while DDG informed users it had blocked Google and Facebook trackers, it did not prevent Microsoft from receiving data flows linked to their browsing on the non-Microsoft website.

Edwards had some Twitter back and forth with DDG’s founder and CEO Gabe Weinberg, who initially appeared to be attempting to play down the finding by emphasizing all the stuff he said DDG’s browser does block (e.g., third-party tracking cookies, including those from Microsoft).

Weinberg was also especially keen to make it clear the data flows issue is not related to DuckDuckGo search.

However the limitation on DDG’s browser’s tracker blocking does amount to an exemption from protection against certain advertising data transfers to Microsoft subsidiaries (Bing, LinkedIn) — which could be used for cross-site tracking of web users for ad targeting purposes. Or, in other words, to undermine DDG browser users’ privacy.

In Twitter back and forth, Weinberg confirmed Edwards’ audit was correct — ’fessing up to a contractual agreement that he said limited DDG’s ability to block trackers in this scenario by writing that DDG’s “search syndication agreement” with Microsoft, which owns and operates the Bing search engine and index, “prevents us from stopping Microsoft-owned scripts from loading.”

He added that DDG was “working to change that.”

Asked via Twitter whether DDG’s contract included a clause that prevents it from publicly complaining about the limitations imposed upon it by Microsoft, a tech giant with a growing adtech business, Weinberg told us: “Our syndication contract has broad confidentiality requirements, and the specific requirement documents themselves are additionally explicitly marked confidential.”

Discussing his findings and DDG’s response with TechCrunch, Edwards described himself as “pretty shocked” by Weinberg’s public response to his audit — and for having what he summed up as “no public solutions for the problems created through the secret partnership between DuckDuckGo and Microsoft.”

“I have significant concerns … about DDG’s public claims, especially the ones they make on their iOS/Android app install websites, promising tracking protections,” Edwards added. “If you compare the language within the app details, to the information shared by the DuckDuckGo CEO yesterday, you can’t help but wonder why they are so openly lying in one location of the internet, and not lying in another area of the internet, and seemingly attempting to throw their top advertising partner Microsoft under some sort of bus — essentially DDG’s CEO made numerous comments about how he was trying and hoping to get out of their current contract with Microsoft — this was a shocking admission to see publicly and something that I hope regulators take a serious look at.”

The issue has blown up on Hacker News over the day — where Weinberg (aka yegg) has been doing more firefighting in the comments, reiterating that DDG’s hands are tied by its contract with Microsoft and further claiming it has continued to press for changes to “this limited restriction.”

“This is just about non-DuckDuckGo and non-Microsoft sites in our browsers, where our search syndication agreement currently prevents us from stopping Microsoft-owned scripts from loading, though we can still apply our browser’s protections post-load (like 3rd party cookie blocking and others mentioned above, and do). We’ve also been tirelessly working behind the scenes to change this limited restriction,” Weinberg wrote on the site.

“I also understand this is confusing because it is a search syndication contract that is preventing us from doing a non-search thing. That’s because our product is a bundle of multiple privacy protections, and this is a distribution requirement imposed on us as part of the search syndication agreement. Our syndication agreement also has broad confidentiality provisions and the requirement documents themselves are explicitly marked confidential,” he added.

While DDG’s browser clearly does not block all scripts — and no tracker blocker is going to be 100% effective as tracking techniques are ever evolving — this carve-out for Microsoft scripts looks different on merit of it being a specific exemption attached to a contractual agreement that’s linked to a commercial deal which allows DDG to use Microsoft’s search index in its core product — none of which was (seemingly) public knowledge prior to Edwards’ audit.

In further public remarks on the issue, Weinberg implied that DDG is trying to balance a goal of giving browser users a very easy tracker blocker experience (i.e., to maximize accessibility), with beefing up protections that might further enhance user privacy but with a potential cost to the experience (e.g., broken webpages).

However the lack of a disclosure by DDG to browser users of the Microsoft-related restriction to its protections is particularly concerning — especially in light of the stark contrast with its privacy-focused marketing which tells users they will “escape website tracking” (which clearly isn’t happening in the specific Microsoft-related instances identified by Edwards). So DDG risks misleading users and undermining its own reputation as a pro-privacy business.

In a more recent reply to Hacker News comments, Weinberg appears to have accepted the need for DDG to make fuller disclosure, writing: “We will work diligently today to find a way to say something in our app store descriptions in terms of a better disclosure — will likely have something up by the end of the day.”

“I understand the concern here that we are working to address in a variety of ways but to be clear no app will provide 100% protection for a variety of reasons, and the scripts in question here do currently have significant protection on them in our browser,” he added. 

We reached out to Weinberg with questions. He sent us this statement:

We have always been extremely careful to never promise anonymity when browsing, because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft. We’re talking here about an above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they even load on 3rd party websites. Because this can cause websites to break, we cannot do this as much as we want to in any case. Our goal, however, has always been to provide the most privacy we can in one download, by default without any complicated settings, so we took this on.

We also put questions to Microsoft about the limitation it imposes on search syndication partners but at the time of writing the tech giant had not responded.

Privacy trade-offs are never great but one conclusion looks inescapable here: Antitrust regulators need to closely examine the search syndication market — given it’s essentially comprised of two gatekeeping adtech giants, Google and Microsoft, which are fully empowered to enforce (unfair) terms on anyone else wanting to offer a competitive search product, or, indeed in certain cases, an alternative web browser.

European regulators have recently agreed a new ex ante competition regime that’s aimed at the most powerful intermediating platforms — which the Digital Markets Act refers to as internet “gatekeepers.” The DMA is clearly applicable to search engines but it remains to be seen whether the Commission will spot the opportunity to use the incoming regulation to crack open the search market by enforcing fair usage terms around search syndication on the only two indexes that count.

The IPO window has all but closed for technology companies in the wake of a massive downturn in the market, but an opening still remains for some, in the form of SPACs. Near — a data intelligence company that has amassed 1.6 billion anonymized user profiles attached to 70 million locations in 44 countries — today announced that it would be listing on Nasdaq by way of a merger with KludeIn I Acquisition Corp., one of the many blank check companies that have been set up for the purposes of taking privately held companies public, at a valuation “near” $1 billion. It will trade on Nasdaq using the “NIR” ticker.

Alongside that, the company is picking up a $100 million equity investment into its business from CF Principal Investments, an affiliate of Cantor Fitzgerald. 

If you’ve been following Near or the SPAC market, you might recall that there were rumors of KludeIn talking to Near back in December. At the time Near was reportedly aiming at a valuation of between $1 billion and $1.2 billion with the listing. The last several months, however, have seen the IPO market virtually shut down alongside a massive drop in technology stocks across the board and a wider downturn in tech investing overall, even in much smaller, earlier-stage startups.

Near, originally founded in Singapore in 2012 and now based out of Pasadena, had raised around $134 million in funding, including a $100 million round in 2019 — which had been the company’s last big raise.

Its investors include the likes of Sequoia India, JP Morgan, Cisco and Telstra (which have agreed to a one-year lock-up according to KludeIn’s SEC filings). Company data from PitchBook notes that Near had tried but cancelled a fundraise in May 2021.

All in all, Near is an interesting example when considering the predicament that a lot of later-stage startups might be finding themselves at the moment.

On the one hand, the company has some big customers and some potentially interesting technology, especially in light of the swing from regulators and the public toward demanding more privacy in data intelligence products overall.

It works with major brands and companies including McDonald’s, Wendy’s, Ford, the CBRE Group and 60% of the Fortune 500, which use Near’s interactive, cloud-based AI platform (branded Allspark) to tap into anonymised, location-based profiles of users based on a trove of information that Near sources and then merges from phones, data partners, carriers and its customers. It claims the database has been built “with privacy by design.”

It describes its approach as “stitching” and says that it’s patent-protected, giving it a kind of moat against other competitors, and potentially some value as an asset for others that are building big data businesses and need more privacy-based approaches.

On the other hand, while financials detailed in KludeIn’s SEC filings show growth, it is at a very modest pace — numbers may not look that great to investors especially in the current climate. In 2020, Near posted revenues of $33 million, with estimated revenues of $46 million for 2021, $63 million for 2022 and $91 million for 2023. The company estimates that its gross profit margin for this year will be 72% ($44 million) but equally estimates that EBITDA has been negative and will continue to be until at least 2024.

Looking out further than Near, it will be interesting to see how many others follow the company in taking the SPAC exit route, which has proven to be a controversial vehicle overall.

On the plus side, SPACs are lauded by supporters for being a faster, more efficient route for strong startups to enter the public markets and thus raise money from more investors (and giving sight of an exit to private investors): this is very much the position Near and KludeIn are taking.

“Enterprises around the world have trusted Near to answer their critical questions that help drive and grow their business for more than a decade. The market demand for data around human movement and consumer behavior to understand changing markets and consumers is growing exponentially and now is the time to accelerate the penetration of the large and untapped $23 billion TAM,” Anil Mathews, founder and CEO of Near, said in a statement. “Going public provides us the credibility and currency to double-down on growth and to continue executing on our winning flywheel for enhanced business outcomes over the next decade.”

“I am thrilled to partner with Anil and the entire team at Near as they continue to help global enterprises better understand consumer behavior and derive actionable intelligence from their global, full-stack data intelligence platform,” added Narayan Ramachandran, the chairman and CEO of KludeIn. “We believe this merger is highly compelling based on the diversified global customer base, superior SaaS flywheel and network effects of Near’s business, highlighted by the company’s strong customer net retention.”

On the minus side, those positives are also the very reasons for some of SPAC’s problems: Simply put, they have enabled public listings for companies that might have found it much harder, if not impossible, to do so through the scrutiny of more traditional channels. Sometimes that has played out okay anyway, but sometimes it has ended badly for everyone. Just this week, Enjoy — which also listed by way of a SPAC — said that it was on course to run out of money by June and was reviewing its strategic options.

Time, the appetite for more data intelligence and potentially some factors out of its control like the investment climate, ultimately will show which way Near will go. The transaction is expected to generate $268 million of gross proceeds, assuming there are no redemptions and a successful private placement of $95 million of KludeIn common stock, KludeIn said.

Apple is doubling down on raising consumer awareness of privacy risks in a new ad campaign, unveiled today, which puts the spotlight on how the data broker industry trades in mobile users’ personal data — from selling browsing history and shopping habits, to location data, contacts and plenty more besides.

The campaign also highlights a number of features Apple has developed to counter this background trade in web users’ information by giving iOS users tools they can use to counter tracking — such as Mail Privacy Protection, which helps users combat email trackers; and App Tracking Transparency (ATT), which lets them request that third party apps do not track their mobile activity.

The new 90 second ad spot will run globally this summer on broadcast and social media across 24 countries, per Apple, which also said the campaign will include related creative being splashed across billboards.

In a press screening of the ad ahead of today’s launch the iPhone maker said the goal is to show how features it’s developed can help iOS users protect their privacy by taking back control over their personal data.

The ad casts the data broker industry as a gaggle of “dubious” ‘human trackers’ — whom the protagonist, a consumer called Ellie, whom we meet as she’s shopping for records, stumbles upon engaged in a backroom auction.

Shock horror! — or, well, zero surprise to those of us who are more than casually online — it’s her personal data that’s going under the hammer…

In the ad, the smirking audience of data brokers can be seen making bids for Ellie’s ‘digital items’ — including her drug store purchases, emails she’s opened, details of her late night messaging habits and the contact data of her nana (as well as, presumably, the rest of her address book). With mounting horror at the sale of her private information, Ellie is shown activating features on her iPhone, including the aforementioned Mail Privacy Protection — which result in the data brokers vanishing in a puff of smoke, until, eventually, the room has been cleaned out.

The advert makes a decent stab at trying to get consumers to understand — and thus care — about a murky trade that’s designed to strip away their privacy by tracking their daily activity and trading and triangulating different bundles of information gleaned about them to create highly detailed per-person profiles — which may contain thousands of inferred characteristics.

It does this by dramatizing what is undoubtedly an exceptionally intrusive trade as an in-person auction for a single consumer’s data. Of course the reality is that most tracking (and trading) is done at scale, with trackers invisibly baked into everyday services, both online (via technologies such as tracking cookies and pixels) and offline (data gathered via card payment firms can be and is sold to brokers) — so it can be hard for consumers to understand the real-world implications of technologies like cookies. Or know there’s an entire data broker industry that’s busy buying and selling their info for a fat profit.

The ad is perhaps not as instantly powerful as an earlier tracking-focused ad — in which Apple depicted trackers as an ever-crowding crowd of stalkers, who inserted themselves, rudely and without asking, into an iPhone user’s personal space — watching them and taking notes on their daily activity.

One narrative challenge for Apple with this latest privacy-focused ad is it can’t show Ellie using a rival device — which could help explain how come so much of her info is being tracked in the first place.

That said, many of Apple’s privacy features do require the user to opt in to obtain the slated protections — not all, though (Safari’s Intelligent Tracking Prevention feature is on by default, for example) — so even iOS users need to take proactive action to get the best level of protection possible. Hence there’s value in Apple shelling out to drive awareness of privacy — both for existing iOS users, as well as in the hopes of encouraging Android users to make the switch.

The tech giant has made pro-privacy messaging an increasingly important plank of its brand over the past five years or so, leaning into blistering attacks on what CEO Tim Cook memorably dubbed the “data industrial complex” back in a major 2018 keynote speech.

It’s a stance that has become an essential differentiator for a premium brand in a world of commoditized mobile devices and services. But it also brings Cupertino into conflict not only with adtech giants like Google and Facebook — the latter’s revenue was reported to have taken a hit after Apple launched ATT, for example — but with developers themselves, many of whom rely on ads to monetize free apps and do that by being plugged into the tracking and targeting adtech ecosystem Apple is busy warning consumers against.

The company also risks straining relations with carriers — many of whom are themselves implicated in privacy-hostile tracking of users — after it debuted a VPN-like, network proxy encrypted browsing feature for iCloud+, called Private Relay last year. The feature, which is still in beta, is designed to prevent ISPs from logging web users’ browsing data — and it’s notable that certain carriers (and countries) have been reported blocking access.

Private Relay does not feature in Apple’s new ad on data brokers. Asked about this Apple said it necessarily had to limit the number of features it focused on to fit the 90 second ad format. It also noted that as well as the feature still being in beta it needs in-region partners for it to work as smoothly as possible — which is a network Apple said it’s still building out.

Certain of Apple’s privacy flexes — most notably ATT — have also drawn attention from competition regulators, following ad industry complaints. So there are wider reasons for Cupertino to be keen for its pro-consumer actions to be viewed through a privacy (rather than an anti-competition) lens.

Earlier this year, an interesting research paper found that Apple and other large companies had been able to increase their market power as a result of the ATT feature giving individual users more control over what third parties could do with their data — linking better consumer privacy to more concentrated data collection. Although the researchers also found evidence of the tracking industry trying to evolve its tactics to circumvent a user denial of tracking.

New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.

“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”

The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across US states and European countries which suggests that web users in Colorado and the UK are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.

But even online individuals living at the bottom of the chart, in the District of Columbia or Romania, have their information exposed by RTB an estimated 486 times per day or 149 times per day respectively, per the report.

The ICCL calculates that people living in the U.S. have their online activity and real-world location exposed 57% more often than people in Europe — likely as a result of differences in privacy regulation across the two regions.

Collectively, the ICCL estimates that U.S. Internet users’ online behaviour and locations are tracked and shared 107 trillion times a year, while Europeans’ data is exposed 71 trillion times a year.

“On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry. In Europe, RTB exposes people’s data 376 times a day,” it also writes, adding: “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data.”

The report’s figures are likely a conservative estimate of the full extent of RTB since the ICCL includes the caveat that: “[T]he figures presented for RTB broadcasts as a low estimate. The industry figures on which we rely do not include Facebook or Amazon RTB broadcasts.”

Per the report, Google, the biggest player in the RTB system, allows 4,698 companies to receive RTB data about people in the U.S., while Microsoft — which ramped up its involvement in RTB in December last year when it bought adtech firm Xandr from AT&T — says it may send data to 1,647 companies.

That too is likely just the tip of the iceberg since RTB data is broadcast across the Internet — meaning it’s ripe for interception and exploitation by non-officially listed RTB ‘partners’, such as data brokers whose businesses involve people farming by compiling dossiers of data to reidentify and profile individual web users for profit, using info like device IDs, device fingerprinting, location etc to link web activity to a named individual, for example.

Privacy and security concerns have been raised about RTB for years — especially in Europe where there are laws in place that are supposed to prevent such a systematic abuse of people’s information. But awareness of the issue has been rising in the US too, following a number of location-tracking and data-sharing scandals.

The leaked Supreme Court opinion earlier this month which suggested the US’ highest court is preparing to overturn Roe v Wade — removing the constitutional protection for abortion — has further dialled up concern and sent shock waves through the country, with some commentators immediately urging women to delete their period tracking apps and pay close attention to their digital security and privacy hygiene.

The concern is ad tracking could expose personal data that can be used to identify women and people who are pregnant and/or seeking abortion services.

Many US states have already heavily restricted access to abortion. But if the Supreme Court overturns Roe v Wade a number of states are expected to ban abortion entirely — which means people who can get pregnant will be at increased risk from online surveillance as any online searches for abortion services or location tracking or other types of data mining of their digital activity could be used to build a case against them for obtaining or seeking to obtain an illegal abortion.

Highly sensitive personal data on web users is, meanwhile, routinely sucked up and shared for ad targeting purposes, as previous ICCL reports have detailed in hair-raising detail. The data broker industry also collects information on individuals to trade and sell — and in the US, especially, people’s location data appears all too easy to obtain.

Last year, for example, a top Catholic priest in the US was reported to have resigned after allegations were made about his sexuality based on a claim that data on his phone had been obtained which indicated use of the location-based gay hook-up app, Grindr.

A lack of online privacy could also negatively impinge on women’s health issues — making it easier to gather information to criminalize pregnant people who seek an abortion in a post-Roe world.

“There is no way to restrict the use of RTB data after it is broadcast,” emphasizes the ICCL in the report. “Data brokers used it to profile Black Lives Matter protestors. The US Department of Homeland Security and other agencies used it for warrant-less phone tracking. It was implicated in the outing of a gay Catholic priest through his use of Grindr. ICCL uncovered the sale of RTB data revealing likely survivors of sexual abuse.”

The report raises especially cutting questions for European regulators since, unlike the US, the region has a comprehensive data protection framework. The General Data Protection Regulation (GDPR) has been in force across the EU since May 2018 and regulators should have been enforcing these privacy rights against out-of-control adtech for years.

Instead, there has been a collective reluctance to do so — likely as a result of how extensively and pervasively individual tracking and profiling tech has been embedded into web infrastructure, coupled with loud claims by the adtech industry that the free web cannot survive if Internet users’ privacy is respected. (Such claims ignore the existence of alternative forms of ad targeting, such as contextual, which do not require tracking and profiling of individual web users’ activity to function and which have been shown to be profitable for years, such as for non-tracking search engine, DuckDuckGo.)

An investigation opened by the Irish Data Protection Commission (DPC) into Google’s adtech three years ago (May 2019), following a number of RTB complaints, is — ostensibly — ongoing. But no decision has been issued.

The UK’s ICO also repeatedly fumbled enforcement action against RTB following complaints filed back in 2018, despite voicing a view publicly since 2019 that the behavioral ad industry is wildly out of control. And in a parting shot last fall, the outgoing information commissioner, Elizabeth Denham, urged the industry to undertake meaningful privacy reforms.

Since then, a flagship adtech industry mechanism for gathering web users’ consent to ad tracking — the IAB Europe’s self-styled Transparency and Consent Framework (TCF) — has itself been found in breach of the GDPR by Belgium’s data protection authority.

Its February 2022 decision also found the IAB itself at fault, giving the industry body two months to submit a reform plan and six months to implement it. (NB: Google and the IAB are the two bodies that set standards for RTB.)

That consent issue is one (solid) complaint against RTB under Europe’s GDPR. However the ICCL’s concern has been focused on security — as it argues that high velocity, massive scale trading of people’s data to place ads by broadcasting it over the Internet to thousands of ‘partners’ (but also with the clear risk of interception and appropriation by scores of unknown others) is inherently insecure. And, regardless of the consent issues, the GDPR requires people’s information is adequately protected — hence its framing of RTB as the “biggest ever data breach”.

In March, the ICCL announced it intended to sue the DPC — accusing the regulator of years of inaction over RTB complaints (some of which were lodged the same year the GDPR came into application). That litigation is still pending.

It has also approached the EU ombudsperson to complain that the European Commission is failing to properly monitor application of the regulation — which led to the former opening an enquiry to look at the Commission’s claims to the contrary earlier this year.

A requested deadline for the EU’s executive to submit information to the ombudsperson passed yesterday without a submission, per the ICCL, with the Commission reportedly asking for 10 more days to provide the requested data — which suggests the four-year anniversary of the GDPR coming into force (May 25, 2018) will pass by in the meanwhile (perhaps a little more quietly than it might have done if the ombudsperson had been in a position to issue a verdict)…

“As we approach the four year anniversary of the GDPR we release data on the biggest data breach of all time. And it is an indictment of the European Commission, and in particular commissioner [Didier] Reynders, that this data breach is repeated every day,” Johnny Ryan, senior fellow at the ICCL, told TechCrunch.

“It is time that the Commission does its job and compels Ireland to apply the GDPR correctly,” he added.

We also contacted Google, Microsoft, the DPC and the European Commission with questions about the ICCL’s report but at the time of writing none had responded.

Ryan told us the ICCL is also writing to US lawmakers to highlight the scale of the “privacy crisis in online advertising” — and specifically pressing the Senate Subcommittee on Competition Policy, Antitrust and Consumer Rights to ensure adequate enforcement resources are provided to the FTC — so it can take urgent action “against this enormous breach”.

In the letter, which we’ve reviewed, the ICCL points out that private data on US citizens is sent to firms across the globe, including to Russia and China — “without any means of controlling what is then done with the data”.

War in Europe certainly adds a further dimension to this surveillance adtech story.

Russia’s invasion of Ukraine earlier this year has fuelled added concern about adtech’s mass surveillance of web users — i.e. if citizens’ data is finding its way back, via online tracking, to hostile third countries like Russia and its ally China.

Back in March, the Financial Times reported that scores of apps contain SDK technology made by the Russian search giant Yandex — which was accused of sending user data back to servers in Russia where it might be accessible to the Russian government. 

In Europe, the GDPR requires that exports of personal data out of the bloc are protected to the same standard that citizens’ information should be wrapped in when it’s being processed or stored in Europe.

A landmark EU ruling in July 2020 saw the bloc’s top court strike down a flagship EU-US data transfer agreement over security concerns attached to US government mass surveillance programs — creating ongoing legal uncertainty around international data flows to risky third countries as the court underscored the need for EU regulators to proactively monitor data exports and step in to suspend any data flows to jurisdictions that lack adequate data protection.

Many of the key players in adtech are US-based — raising questions about the legality of any processing of Europeans’ data by the sector that’s taking place over the pond too, given the high standard that EU law requires for data to be legally exported.

At Google’s I/O developer conference, the company introduced a new tool that, later this year, will allow users more control and visibility over how their ads are personalized across Google’s apps and sites, including Google Search, YouTube, and the Discover feed in the Google app.

From a new three-dot menu that will appear on all the ads across the different sites, users will be able to engage with the ad in a number of ways. They’ll be able to like it or share it, block it or report it, see who’s paid for it, and find out why they were targeted with it.

And if users don’t want to see ads of that kind, they can use embedded tools from this menu or visit the new My Ad Center hub to inform Google of that preference. To get to the hub, users just have to click the menu option that says “customize more of the ads you see” to be directed to the new experience.

Within the new My Ad Center hub, users will be able to learn more about how ads are personalized and gain control over how their data is used, says Google. It’s specifically meant to address ads appearing on Google’s owned and operated sites, like Search, YouTube, and Discover, but doesn’t extend to the Google Display Network.

From the hub’s home screen, users will be able to turn on or off various categories of ads by clicking plus and minus buttons across a variety of categories — like fitness, vacation rentals, skincare, and many others. For example, if you wanted to see fewer beauty ads, you could just click to remove them from your lineup.

You can also browse a screen featuring brands you like and then click to either add or remove them from your personalized ad round-up.

Another screen lets users limit ads on more sensitive topics, like ads about alcohol, gambling, and, as of April’s expansion, dating, pregnancy, parenting, and weight loss. These are the types of ads that could be welcome by some users, but could feel harmful to others.

For instance, if someone was struggling to conceive, they may not want to see any ads related to pregnancy or parenting. Previously, Google allowed users to adjust those ad preferences in the Ads Settings section on their Google Account dashboard. But now these toggles are consolidated into the new My Ad Center tool.

Most notably, the new My Ad Center hub includes a big button at the top of the screen where users can choose to turn off personalized ads altogether.

But Google believes most users won’t take that more extreme step.

“We see personalized ads as valuable and useful — just like personalized movie recommendations, personalized news recommendations, personalized commerce recommendations,” says Google’s Director of Ads Privacy and Trust, David Temkin.

He additionally explains this feature offers users for the first time the ability to control the content of the ads they see, beyond just sensitive ads, and make that process easy to navigate.

The tool, of course, follows a larger set of changes impacting the ads industry. Google earlier this year introduced the idea of Topics, a way for the browser to learn a user’s interests as they move around the web. The system came about after complaints from EU antitrust regulators over Google’s plan to deprecate cookies using a different method that they said would entrench Google’s market power. With Topics, Google categorizes the sites a user visits by categorizing them within one of 300 topics. This Topics-based system began testing in March, alongside other related privacy tools.

As a part of those trials, Google had said it would offer tools where users could remove interests assigned to them by this Topics-based surveillance of their browsing activities. This new My Ad Center tool combines Google’s existing tools with the ability to customize the types of ads you’re shown more specifically.

The My Ad Center Hub is still in development so the preview offered at Google I/O today could change between now and when the product ships to the public later this year.

The UK government has confirmed it will move forward on a major ex ante competition reform aimed at Big Tech, as it set out its priorities for the new parliamentary session earlier today.

However it has only said that draft legislation will be published over this period — booting the prospect of passing updated competition rules for digital giants further down the road.

At the same time today it confirmed that a “data reform bill” will be introduced in the current parliamentary session.

This follows a consultation it kicked off last year to look at how the UK might diverge from EU law in this area, post-Brexit, by making changes to domestic data protection rules.

There has been concern that the government is planning to water down citizens’ data protections. Details the government published today, setting out some broad-brush aims for the reform, don’t offer a clear picture either way — suggesting we’ll have to wait to see the draft bill itself in the coming months.

Read on for an analysis of what we know about the UK’s policy plans in these two key areas… 

Ex ante competition reform

The government has been teasing a major competition reform since the end of 2020 — putting further meat on the bones of the plan last month, when it detailed a bundle of incoming consumer protection and competition reforms.

But today, in a speech setting out prime minister Boris Johnson’s legislative plans for the new session at the state opening of parliament, it committed to publish measures to “create new competition rules for digital markets and the largest digital firms”; also saying it would publish “draft” legislation to “promote competition, strengthen consumer rights and protect households and businesses”.

In briefing notes to journalists published after the speech, the government said the largest and most powerful platforms will face “legally enforceable rules and obligations to ensure they cannot abuse their dominant positions at the expense of consumers and other businesses”.

A new Big Tech regulator will also be empowered to “proactively address the root causes of competition issues in digital markets” via “interventions to inject competition into the market, including obligations on tech firms to report new mergers and give consumers more choice and control over their data”, it also said.

However another key detail from the speech specifies that the forthcoming Digital Markets, Competition and Consumer Bill will only be put out in “draft” form over the parliament — meaning the reform won’t be speeding onto the statute books.

Instead, up to a year could be added to the timeframe for passing laws to empower the Digital Markets Unit (DMU) — assuming ofc Johnson’s government survives that long. The DMU was set up in shadow form last year but does not yet have legislative power to make the planned “pro-competition” interventions which policymakers intend to correct structural abuses by Big Tech.

(The government’s Online Safety Bill, for example — which was published in draft form in May 2021 — wasn’t introduced to parliament until March 2022; and remains at the committee stage of the scrutiny process, with likely many more months before final agreement is reached and the law passed. That bill was included in the 2022 Queen’s Speech so the government’s intent continues to be to pass the wide-ranging content moderation legislation during this parliamentary session.)

The delay to introducing the competition reform means the government has cemented a position lagging the European Union — which reached political agreement on its own ex ante competition reform in March. The EU’s Digital Markets Act is slated to enter into force next Spring, by which time the UK may not even have a draft bill on the table yet. (While Germany passed an update to its competition law last year and has already designated Google and Meta as in scope of the ex ante rules.)

The UK’s delay will be welcomed by tech giants, of course, as it provides another parliamentary cycle to lobby against an ex ante reboot that’s intended to address competition and consumer harms in digital markets which are linked to giants with so-called “Strategic Market Status”.

This includes issues that the UK’s antitrust regulator, the CMA, has already investigated and confirmed (such as Google and Facebook’s anti-competitive dominance of online advertising); and others it suspects of harming consumers and hampering competition too (like Apple and Google’s chokepoint hold over their mobile app stores).

Any action in the UK to address those market imbalances doesn’t now look likely before 2024 — or even later.

Recent press reports, meanwhile, have suggested Johnson may be going cold on the ex ante regime — which will surely encourage Big Tech’s UK lobbyists to seize the opportunity to spread self-interested FUD in a bid to totally derail the plan.

The delay also means tech giants will have longer to argue against the UK introducing an Australian-style news bargaining code — which the government appears to be considering for inclusion in the future regime.

One of the main benefits of the bill is listed as [emphasis ours]:

“Ensuring that businesses across the economy that rely on very powerful tech firms, including the news publishing sector, are treated fairly and can succeed without having to comply with unfair terms.”

“The independent Cairncross Review in 2019 identified an imbalance of bargaining power between news publishers and digital platforms,” the government also writes in its briefing note, citing a Competition and Markets Authority finding that “publishers see Google and Facebook as ‘must have’ partners as they provide almost 40 per cent of large publishers’ traffic”.

Major consumer protection reforms which are planned in parallel with the ex ante regime — including letting the CMA decide for itself when UK consumer law has been broken and fine violating platforms over issues like fake reviews, rather than having to take the slow route of litigating through the courts — are also on ice until the bill gets passed. So major ecommerce and marketplace platforms will also have longer to avoid hard-hitting regulatory action for failures to purge bogus reviews from their UK sites.

Consumer rights group, Which?, welcomed the government’s commitment to legislate to strengthen the UK’s competition regime and beef up powers to clamp down on tech firms that breach consumer law. However it described it as “disappointing” that it will only publish a draft bill in this parliamentary session.

“The government must urgently prioritise the progress of this draft Bill so as to bring forward a full Bill to enact these vital changes as soon as possible,” added Rocio Concha, Which? director of policy and advocacy, in a statement.

Data reform bill

In another major post-Brexit policy move, the government has been loudly flirting with ripping up protections for citizens’ data — or, at least, killing off cookie banners.

Today it confirmed it will move forward with ‘reforming’ the rules wrapping people’s data — just without being clear about the exact changes it plans to make. So where exactly the UK is headed on data protection still isn’t clear.

That said, in briefing notes on the forthcoming data reform bill, the government appears to be directing most focus at accelerating public sector data sharing instead of suggesting it will pass amendments that pave the way for unfettered commercial data-mining of web users.

Indeed, it claims that ensuring people’s personal data “is protected to a gold standard” is a core plank of the reform.

A section on the “main benefits” of the reform also notably lingers on public sector gains — with the government writing that it will be “making sure that data can be used to empower citizens and improve their lives, via more effective delivery of public healthcare, security, and government services”.

But of course the devil will be in the detail of the legislation presented in the coming months. 

Here’s what else the government lists as the “main elements” of the upcoming data reform bill:

  • Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
  • Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

Discussing other “main benefits” for the reform, the government touts increased “competitiveness and efficiencies” for businesses, via a suggested reduction in compliance burdens (such as “by creating a data protection framework that is focused on privacy outcomes rather than box-ticking”); a “clearer regulatory environment for personal data use” which it suggests will “fuel responsible innovation and drive scientific progress”; “simplifying the rules around research to cement the UK’s position as a science and technology superpower”, as it couches it; and ensuring the data protection regulator (the ICO) takes “appropriate action against organisations who breach data rights and that citizens have greater clarity on their rights”.

The upshot of all these muscular-sounding claims boils down to whatever the government means by an “outcomes-focused” approach to data protection vs “tick-box” privacy compliance. (As well as what “responsible innovation” might imply.)

It’s also worth mulling what the government means when it says it wants the ICO to take “appropriate” action against breaches of data rights. Given the UK regulator has been heavily criticized for inaction in key areas like adtech you could interpret that as the government intending the regulator to take more enforcement over privacy breaches, not less.

(And its briefing note does list “modernizing” the ICO, as a “purpose” for the reform — in order to “[make] sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public”.)

However, on the flip side, if the government really intends to water down Brits’ privacy rights — by say, letting businesses overrule the need to obtain consent to mine people’s info via a more expansive legitimate interest regime for commercial entities to do what they like with data (something the government has been considering in the consultation) — then the question is how that would square with a top-line claim for the reform ensuring “UK citizens’ personal data is protected to a gold standard”?

The overarching question here is whose “gold standard” the UK is intending to meet? Brexiters might scream for their own yellow streak — but the reality is there are wider forces at play once you’re talking about data exports.

Despite Johnson’s government’s fondness for ‘Brexit freedom’ rhetoric, when it comes to data protection law the UK’s hands are tied by the need to continue meeting the EU’s privacy standards, which require an equivalent level of protection for citizens’ data outside the bloc — at least if the UK wants data to be able to flow freely into the country from the bloc’s ~447M citizens, i.e. to all those UK businesses keen to sell digital services to Europeans.

This free flow of data is governed by a so-called adequacy decision which the European Commission granted the UK in June last year, essentially on account that no changes had (yet) been made to UK law since it adopted the bloc’s General Data Protection Regulation (GDPR) in 2018 by incorporating it into UK law.

And the Commission simultaneously warned that any attempt by the UK to weaken domestic data protection rules — and thereby degrade fundamental protections for EU citizens’ data exported to the UK — would risk an intervention. Put simply, that means the EU could revoke adequacy — requiring all EU-UK data flows to be assessed for legality on a case-by-case basis, vastly ramping up compliance costs for UK businesses wanting to import EU data.

Last year’s adequacy agreement also came with a baked-in sunset clause of four years — meaning it will be up for automatic review in 2025. Ergo, the amount of wiggle room the UK government has here is highly limited. Unless it’s truly intent on digging ever deeper into the lunatic sinkhole of Brexit by gutting this substantial and actually expanding sunlit upland of the economy (digital services).

The cost — in pure compliance terms — of the UK losing EU adequacy has been estimated at between £1BN-£1.6BN. But the true cost in lost business/less scaling would likely be far higher.

The government’s briefing note on its legislative program itself notes that the UK’s data market represented around 4% of GDP in 2020; also pointing out that data-enabled trade makes up the largest part of international services trade (accounting for exports of £234BN in 2019).

It’s also notable that Johnson’s government has never set out a clear economic case for tearing up UK data protection rules.

The briefing note continues to gloss over that rather salient detail — saying that analysis by the Department for Digital, Culture, Media and Sport (DCMS) “indicates our reforms will create over £1BN in business savings over ten years by reducing burdens on businesses of all sizes”; but without specifying exactly what regulatory changes it’s attaching those theoretical savings to.

And that’s important because — keep in mind — if the touted compliance savings are created by shrinking citizens’ data protections that risks the UK’s adequacy status with the EU — which, if lost, would swiftly lead to at least £1BN in increased compliance costs around EU-UK data flows… thereby wiping out the claimed “business savings” from ‘less privacy red tape’.

The government does cite a 2018 economic analysis by DCMS and a tech consultancy, called Ctrl-Shift, which it says estimated that the “productivity and competition benefits enabled by safe and efficient data flows would create a £27.8BN uplift in UK GDP”. But the keywords in that sentence are “safe and efficient”; whereas unsafe EU-UK data flows would face being slowed and/or suspended — at great cost to UK GDP…

The whole “data reform bill” bid does risk feeling like a bad-faith PR exercise by Johnson’s thick-on-spin, thin-on-substance government — i.e. to try to claim a Brexit ‘boon’ where there is, in fact, none.

See also this “key fact” which accompanies the government’s spiel on the reform — claiming:

“The UK General Data Protection Regulation and Data Protection Act 2018 are highly complex and prescriptive pieces of legislation. They encourage excessive paperwork, and create burdens on businesses with little benefit to citizens. Because we have left the EU, we now have the opportunity to reform the data protection framework. This Bill will reduce burdens on businesses as well as provide clarity to researchers on how best to use personal data.”

Firstly, the UK chose to enact those pieces of legislation after the 2016 Brexit vote to leave the EU. Indeed, it was a Conservative government (not led by Johnson at that time) that passed these “highly complex and prescriptive pieces of legislation”.

Moreover, back in 2017, the former digital secretary Matt Hancock described the EU GDPR as a “decent piece of legislation” — suggesting then that the UK would, essentially, end up continuing to mirror EU rules in this area because it’s in its interests to do so in order to keep data flowing.

Fast forward five years and the Brexit bombast may have cranked up to Johnsonian levels of absurdity but the underlying necessity for the government to “maintain unhindered data flows”, as Hancock put it, hasn’t gone anywhere — or, well, assuming ministers haven’t abandoned the idea of actually trying to grow the economy.

But there again the government lists creating a “pro-growth” (and “trusted”) data protection framework as a key “purpose” for the data reform bill — one which it claims can both reduce “burdens” for businesses and “boosts the economy”. It just can’t tell you how it’ll pull that Brexit bunny out of the hat yet.

TikTok is introducing a new way to lure advertisers to its platform by giving them the ability to showcase their brands’ content next to the best videos on TikTok. Ahead of its NewFronts presentation to advertisers scheduled for this afternoon, TikTok announced the launch of TikTok Pulse, a new contextual advertising solution that ensures brands’ ads are placed next to the top 4% of all videos on TikTok. Notably, the solution will also be the first ad product that involves a revenue share with creators,

The company said creators and publishers with at least 100,000 followers on TikTok will be eligible for the revenue share program during the initial stage of the TikTok Pulse program.

TikTok told TechCrunch the Pulse program will launch to U.S. advertisers in June 2022 with additional markets to follow in the fall.

TikTok didn’t say how many creators it would actually approve for the program in the early phases. But longer-term, the move could help TikTok to attract more creators to its social video app, following its earlier investments in creator monetization. Last December, TikTok debuted an online “Creator Next” portal where it organized all the tools creators can use to make money on its app in one place. Here, creators can learn about how to accept virtual gifts and payments from fans viewing their videos and their TikTok LIVE content. They can also apply to the Creator Marketplace to be connected with brands for sponsored content if they have at least 10,000 followers.

Now, TikTok will be able to add advertising revenue share to that list of creator monetization opportunities.


The new program isn’t just about helping creators, however. It’s also about ensuring advertisers a more “brand-safe” environment for their content, similar to something like YouTube’s Partner Program (YPP).

On YouTube, the YouTube Partner Program allows creators to earn ad revenue from display, overlay, and video ads on their channel, in addition to providing access to other features like channel memberships, Super Chat, a merch shelf, and more. For advertisers, meanwhile, YPP allows them to reach videos from creators with more traction and subscribers, whose channels have also been vetted by YouTube for adhering to its content policies. This helps brands control their ads’ placement, so they don’t accidentally end up posted alongside hate speech or misinformation, for example.

TikTok says its new TikTok Pulse program will also be focused on making sure the creator content is “suitable” for advertisements.

“Our proprietary inventory filter ensures that TikTok Pulse ads are running adjacent to verified content with our highest level of brand suitability applied on the platform,” an announcement from TikTok states. “Additional post-campaign measurement tools such as third-party brand suitability and viewability verification provide advertisers the opportunity and transparency to analyze and understand the impact of their campaigns,” it noted.

The company says the program will additionally offer brands a way to target their ads to particular areas of TikTok. Through Pulse, brands can place their ads alongside videos across 12 categories of content, including things like beauty, fashion, cooking, gaming, and more.

At launch, only advertisers TikTok invited to join the program will have access to TikTok Pulse. But a TikTok spokesperson said the plan is to roll out the solution to more brands in the months that follow.

TikTok declined to share other specific details about the new program, like the revenue share percentage for creators, ad pricing, or information about how soon someone browsing their For You page would see Pulse ads appear, among other things.

Later this afternoon, TikTok is scheduled to pitch its platform to advertisers at the NewFronts, where TikTok’s GM for its North America Global Business Solutions, Sandie Hawkins, and its Global Head of Business Marketing, Sofia Hernandez, will talk about TikTok Pulse as well as explain to advertisers why TikTok should be a part of their media buy considerations.

 

Motherboard/Vice had an explosive report on Facebook’s business yesterday that’s sure to raise fresh questions over the lack of enforcement of European privacy laws against the adtech giant.

The report is based on a leaked internal document written last year by privacy engineers on its Ad and Business product team.

The document, which is entitled “ABP Privacy Infra, Long Range Investments [A/C Priv],” appears to show engineers at the tech giant now known as Meta scratching their heads at the nightmarish task they’re facing: Trying to make Facebook’s data-ingesting ads business compliant with a “tsunami” of global privacy regulations that need it to know how user data flows through its systems so the company can apply policies that control what’s done with people’s information and perform basic stuff like reflect people’s privacy choices. So next time Sheryl Sandberg talks about Meta’s “regulatory headwinds” this is the contextual meat to graft on those euphemistic bones.

Meta’s text deploys some internal business shorthand/acronyms whose literal meanings aren’t always clear. But the gist of the read — and it’s worth reading in full if you can spare the time for 15 pages of text, diagrams and a few colorful analogies such as one comparing a person’s information to a bottle of ink being poured into a giant lake (oopsy!) — is that Meta has ‘designed’ its ad system in such a totally unsiloed way that it’s very, very, very far from being able to comply with (even existing) laws like Europe’s General Data Protection Regulation (GDPR) which has a purpose limitation principle meaning you need a legal basis for each use of personal data. Nor, per the document, do Meta’s engineers sound confident of being able to transform the mess and achieve timely compliance with a bunch of other, incoming global regulations either. (And don’t even get them started on what AI regulations might mean for the business.)

Meta disputes that the document shows non-compliance with any privacy laws, of course.

In a statement to Motherboard, the company claims the document “does not describe our extensive processes and controls to comply with privacy regulations”; adding therefore that “it’s simply inaccurate to conclude that it demonstrates non-compliance”; and further claiming: “New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.” 

But, well, they would say that, wouldn’t they? 

Independent privacy researcher, Wolfie Christl — an expert in forensic analysis of ad data flows — takes a different view of what the leaked document reveals — dubbing it “dynamite” and a “confession” (albeit one not intended by Meta for public consumption) that it does not comply with the GDPR. In a detailed Twitter thread he unpacks and contextualizes the implications of the engineers’ observations, as he sees it.

“The document is a straight and clear confession that Facebook’s whole business is based on a massive GDPR violation at the most fundamental level,” Christl tells TechCrunch. “Purpose limitation is one of the most basic principles in the GDPR. A company can generally only collect personal data for a specified purpose. If a company cannot specify the purpose it collects personal data for, it is simply not allowed to process it under the GDPR.”

Asked what Meta’s lead data protection regulator in the EU should do, Christl adds: “The Irish regulator must take action now. If Facebook cannot make clear how exactly its surveillance advertising machine uses personal data, it must be ordered to stop processing it.”

TechCrunch contacted the Irish Data Protection Commission (DPC) to ask whether it will be opening an investigation into Meta’s ad data flows in light of what the document appears to show is, basically, an ads system that, either by design or systemic build creep, exists (or existed in 2021) in a state that’s antithetical to regulation — and, indeed, whether the document is of relevance to any of the (several) ongoing investigations it has into aspects of Facebook’s business.

The regulator did not provide a statement but deputy commissioner Graham Doyle confirmed it had only seen the document for the first time when Motherboard/Vice published it.

That may raise further questions, given the DPC has — on paper — been investigating whether Facebook’s ads business complies with the GDPR’s requirement to have a valid legal basis for processing people’s data for almost four years now.

For example, the DPC has been considering a complaint against Facebook, focused on its legal basis for processing user data for ads, since May 2018, when the regulation entered into force.

A draft DPC decision on that inquiry, which was published (not by the DPC) last fall, was quickly branded a joke by privacy campaigners as the regulator appeared to be intending to accept a tactic by Meta to evade the GDPR’s standard for consent-based processing by claiming a cunning contractual bypass.

The tl;dr here is that for consent to be valid under the GDPR, data subjects must be given a free choice. Consent must also be purpose specific (aka no bundling); and it must be informed.

None of which happens if you use Facebook — where the platform makes processing your information for ad targeting a condition of use. Click ‘agree to ads’ or no Facebook account for you.

But, per last year’s leaked draft DPC decision, Facebook claims users are actually in a contract with it to receive targeted ads — and the DPC didn’t appear to see reason to object to that GDPR-bypassing construction.

Given GDPR complaints are still floundering on such legal basics, is it any wonder that the deep, dark, underbelly of Meta’s ad-targeting machinery contains, as this document tells it, a vast ocean of surveillance data on web users but so little apparatus to order this information according to people’s own wishes?

The bottom line is that the EU is almost four years into enforcement of its ‘flagship’ data protection regime and Facebook itself remains untouched by GDPR enforcement. (Its messaging platform WhatsApp was hit by a fine last year.)

The European Union also didn’t suddenly invent privacy regulation in 2018, when the GDPR came into force. Before that law there was the Data Protection Directive, which included many of the same principles.

So — in Europe at least — if a company like Facebook had actually been paying attention to legal requirements around privacy by design — and if EU regulators had been muscularly enforcing these long-standing rules — Meta might not now be warning investors about the ‘regulatory headwinds’ coming for their shareholder value. Nor facing what sounds to be a monumentally expensive and resource-intensive re-engineering challenge — not so much akin to landing on the moon as more like needing to reconstruct the whole of the planet from pulverized moondust in a way that ensures every tiny piece of rock and dust is put back in exactly the place it originated from. Oh, and — guess what! — the deadline for doing all that already passed. Call it ‘Zuckerberg’s moonshot.’

A Meta spokesperson did not respond to a question asking whether, following the Motherboard report, it had contacted the DPC to provide its lead EU regulator with information on how its ads system functions.

The company sent us the same statement it provided Motherboard earlier, which concludes with this lament: “This analogy lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations.”

The European Commission is ultimately responsible for monitoring the application of the GDPR by EU Member State agencies.

We asked the Commission if it had any concerns in light of the leaked document and/or a view on whether the DPC should open an investigation into Meta’s ads data flows. But at the time of writing it had not responded.

In February, following a complaint against the Commission by the Irish Council for Civil Liberties — which accuses the EU’s executive of neglecting its duty to act on Ireland’s “failure to properly apply” the GDPR — the EU’s ombudsperson opened an inquiry — giving the Commission until May 15 to provide it with a “detailed and comprehensive” account of the information it has collected so far around whether the regulation is applied “in all respects” in Ireland.