Year: 2020

Another batch of complaints has been filed with European Union data protection agencies urging enforcement action against the adtech industry’s abuse of Internet users’ information to target ads.

The complaints argue that behavioural ads are both harmful and unlawful.

Earlier complaints over the same Real-Time Bidding (RTB) programmatic advertising issue were filed across the EU in 2018 and 2019 but have yet to result in any substantive regulatory action.

Ireland did open a probe into Google’s ad exchange last year. While Belgium’s DPA has been progressing an investigation into a flagship industry tool that’s used for gathering consents to ad targeting — making a preliminary finding of non-compliance in October. But litigation to reach a final verdict on the IAB Europe’s ‘Transparency and Consent’ (TCF) framework won’t take place until next year.

(Related: The UK’s data protection agency is facing a legal challenge over its failure to act on RTB complaints, despite repeatedly expressing concern about the industry’s lawfulness problem.)

Both Google and the IAB continue to deny any problems with their adtech. Last year Google said authorised buyers that use its systems are subject to “stringent policies and standards”. While the IAB Europe rejected the Belgium DPA’s findings — saying its preliminary report “fundamental misunderstand[s]” the TCF tech.

The latest GDPR complaints target how the RTB component of programmatic advertising broadcasts Internet users’ personal data to scores of entities involved in these high speed eyeball auctions — arguing it runs counter to core security requirements in the General Data Protection Regulation (GDPR), as well as being horrible for people’s privacy.

A key principle of the GDPR is security by design and default — with the regulation placing legal requirements on personal data handlers to make sure people’s information is properly secured.

The complaints, which target Google and the IAB in their capacity as RTB standard setters, have been filed by civil society groups in six European countries — namely: Asociatia pentru Tehnologie si Internet (ApTi), Romania; D3 – Defesa dos Direitos Digitais, Portugal; GONG, Croatia; Global Human Dignity Foundation, Malta; Homo Digitalis, Greece; and the Institute of Information Cyprus.

They’re being coordinated by a consortium led by the Civil Liberties Union for Europe (Liberties), the ORG (Open Rights Group) and the Panoptykon Foundation. 

“Real-time bidding, which is the bedrock of the online advertising industry, is an abuse of people’s right to privacy,” said Dr Orsolya Reich, senior advocacy officer at Liberties, in a supporting statement. “The GDPR has been in place since 2018 and it is there precisely to give people a greater say about what happens to their data online.

“Today, more civil society groups are saying enough with this invasive advertising model and are asking data protection authorities to stand up against the harmful and unlawful practices they use.”

The consortium is asking for a joint investigation by their respective national DPAs — and for regulators to join with ongoing adtech investigations in Ireland (into Google’s adtech) and Belgium (into the IAB Europe’s TCF framework).

It’s not clear how far the Irish DPC’s investigation of Google has progressed — but it continues to face criticism for the lack of decisions on cross-border GDPR cases, some 2.5 years after the regulation technically begun being applied.

A mechanism in the GDPR means cross-border cases (basically anything related to mainstream consumer tech) get passed to a lead agency to investigate. However other agencies also remain involved, as interested parties, and must agree with any final decision made.

The system has led to a bottleneck of cases in certain EU locations, such as Ireland, where many tech giants base their European HQ. So the concern is this one-stop-shop mechanism is adding an unworkable level of friction to GDPR investigations — delaying decisions and enforcement action so much it risks the entire framework.

The Commission has acknowledged weakness in GDPR enforcement. Most obviously because it’s working on a massive package of new digital regulations. Though its strategy for fixing the enforcement problem is less clear as EU Member States look set to remain responsible for the bulk of this additional oversight, just as they’re responsible for resourcing their own DPAs now. (And yet more complaints have been filed this year accusing European governments of a GDPR resourcing failure.)

Ireland’s DPC is slated to issue its first cross-border GDPR decision in a case that relates to a Twitter security breach very shortly. But last year its commissioner, Helen Dixon, suggested it would come with its first such decisions early in 2020 — so the gap between GDPR expectation and reality is running almost 12 months late at this point.

 

The consortium filing the latest RTB complaints writes in a press release that while some of the earlier adtech complaints were referred to lead authorities it has no knowledge of “any meaningful cooperation or joint operations between national authorities and the lead authorities”.

“This suggests that cooperation and consistency mechanisms as envisioned in the GDPR are yet to be implemented fully,” the group adds, calling for a joint investigation into the RTB issue because the technology functions in the same way across borders — and “produces the same negative effects in all EU member states”, as they put it.

However it’s not clear how extra joint working — if indeed that’s really what’s being called for — would help to speed up GDPR enforcement. Nor how referring additional complaints to Ireland and Belgium would work to speed up their current investigations.

Most likely, the intent is to keep up pressure on the regulators to act.

Asked about the call for joint working, a Liberties spokesman told us: “The problem is that Google and IAB are big players, standard-setters in the market, and they affect all Internet users. Given the geographical scope of the issues raised in the complaints, we think it’s better for supervisory authorities to act in unison, not to be working alone in their corner.  This is why national partners are inviting their national DPAs to refer this complaint to the lead supervisory authorities who are already investigating Google’s and IAB’s compliance with the GDPR.”

Commenting in another supporting statement, Mariano delli Santi, legal and policy officer at the ORG, added: “These new complaints show that the GDPR is working. Individuals are increasingly aware of their rights, and they demand change. Now, it is up to the authorities to support this process, and make sure these laws are properly and consistently enforced against the widespread abuses of the adtech industry.”

At the time of writing, the only extant example of enforcement against a tech giant under the updated regulation was a January 2019 decision to fine Google $57M by France’s CNIL. That investigation was limited to having a national scope, though, rather than being treated as a cross-border case.

Since then Google has shifted its legal base in Europe to Ireland — so now falls under the lead jurisdiction of the DPC.

This arrangement appears to suit big tech, enabling it to avoid the risk of speedier investigations conducted by single Member State agencies acting faster alone. (So it’s very interesting to see TikTok ramping up its business infrastructure and headcount in Ireland — as it’s also now on CNIL’s radar… )

 

As noted earlier, EU lawmakers have conceded GDPR enforcement has been a weakness thus far.

In a review of the two year old regulation this summer the Commission highlighted a lack of universally vigorous enforcement.

Last week the values and transparency commissioner, Vera Jourouv, also raised the problem as she set out the bloc’s plan to bolster democratic values against a range of online risks, such as algorithmically amplified or microtargeted disinformation and election interference — acknowledging GDPR alone isn’t enough to fix myriad intersecting tech-fuelled problems.

“[After the Cambridge Analytica scandal] we said that we are relieved that after GDPR came into force we are protected against this kind of practice — that people have to give consent and be aware of that — but we see that it might be a weak measure only to rely on consent or leave it for the citizens to give consent,” she said.

“Enforcement of privacy rules is not sufficient — that’s why we are coming in the European Democracy Action Plan with the vision for the next year to come with the rules for political advertising, where we are seriously considering to limit the microtargeting as a method which is used for the promotion of political powers, political parties or political individuals.”

The European Commission is in the progress of drafting an ambitious and interlocking package of digital regulations, that it wants to fuel a regional data economy and set firm online rules to engender the necessary trust — and has said it wants this major digital policymaking effort to serve Europe for decades.

But without effective enforcement of its Internet rulebook it’s not clear how the bloc’s digital strategy will deliver as intended.

 

Papercup, the U.K.-based AI startup that has developed speech technology that translates people’s voices into other languages and is already being used in the video and television industry, has raised £8 million in funding.

The round was led by LocalGlobe and Sands Capital Ventures, alongside Sky, GMG Ventures, Entrepreneur First (EF) and BDMI. Papercup says the new capital will be used to invest further into machine learning research and to expand its “human-in-the-loop” quality control functionality, which is used to improve and customise the quality of its AI-translated videos.

Meanwhile, Papercup’s existing angel investors include William Tunstall-Pedoe, the founder of Evi Technologies — the company acquired by Amazon to create Alexa — and Zoubin Ghahramani, former chief scientist and VP of AI at Uber and now part of the Google Brain leadership team.

Founded in 2017 by Jesse Shemen and Jiameng Gao while going through EF’s company builder program, Papercup is building out an AI and machine learning-based system that it says is capable of translating a person’s voice and expressiveness into other languages. Unlike a lot of text-to-speech, the startup claims the resulting voice translation is “indistinguishable” from human speech, and, perhaps uniquely, it attempts to retain the characteristics of the original speaker’s voice.

Initially, the tech is being targeted at video producers, including already being used by Sky News, Discovery and YouTube stars Yoga with Adriene, along with DIY content creators. It is pitched as a much more scalable and therefore lower-cost alternative to pure human dubbing.

“Most of the world’s video and audio content is shackled to a single language,” says Papercup co-founder and CEO Shemen. “That includes billions of hours of videos on YouTube, millions of podcast episodes, tens of thousands of classes on Skillshare and Coursera, and thousands of hours of content on Netflix. Almost every content owner is scrambling to go international, but there is yet no simple and cost-effective way to translate content beyond subtitling”.

For “deep pocketed studios,” there is of course the option to employ high-end dubbing via a professional dubbing studio and voice actors, but this is far too expensive for most content owners. And even wealthy studios are often constrained in terms of how many languages they can accommodate.

“That leaves the mid and long tail of content owners — literally 99% of all content — stranded and incapable of reaching international audiences beyond subtitling,” says Shemen, which, of course, is where Papercup comes into play. “Our aim is to generate translated voices that sound as close to the original speaker as possible”.

To do that, he says that Papercup will need to tackle four things. First up is creating “natural sounding” voices, i.e. how clear and human-like the synthetic voices sound. The second challenge is retaining emotion and pacing to reflect how the original speaker expressed themselves (think: happy, sad, angry etc.). Third is capturing the uniqueness of someone’s voice (e.g. Morgan Freeman, but in German). Lastly, the resulting translation needs the correct alignment of the audio to the video itself.

Explains Shemen: “We started off by making our voices as human-like and natural sounding as possible, where we’ve made quite a significant leap in terms of quality by honing our technology to the task, and today we have one of the best Spanish speech synthesis systems in production.

“We’re now focusing on better retainment and transfer of the original emotion and expressiveness in the original speaker across languages, and meanwhile figuring out what it is exactly that makes for quality dubbing”.

The next challenge and arguably the toughest nut to crack is “speaker adaptation,” described as capturing the uniqueness of someone’s voice. “This is the last layer of adaptation,” notes the Papercup CEO, “but it was also one of our first breakthroughs in our research. While we have models that can accomplish this, we’re focusing more of our time on emotion and expressiveness”.

That’s not to say Papercup is entirely machine-powered, even if it might be one day. The company also employs a “human-in-the-loop” process to make corrections and adjustments to the translated audio track. This includes correcting for any speech recognition or machine translation errors that come up, making adjustments to the timings of the audio, as well as enforcing emotions (e.g. happy, sad) and changing the speed of the generated voice.

How much human-in-the-loop is required depends on the type of content and priorities of the content owners, i.e. how realistic or perfect they need the resulting video to be. In other words, it isn’t a zero-sum game, as good enough will be more than enough for a swathe of content owners at scale.

Asked about the technology’s beginnings, Shemen says Papercup started with research conducted by co-founder and CTO Jiameng Gao “who is incredibly smart and oddly obsessed with speech processing”. Gao completed two Masters at University of Cambridge (in machine learning and speech language technology) and wrote a thesis on speaker adaptive speech processing. It was at Cambridge that he realised that something like Papercup was possible.

“When we started working together at Entrepreneur First at the end of 2017, we built our initial prototype systems that showed that this technology was even possible despite there being no precedent for it,” says Shemen. “Based on early conversations, the demand was clearly overwhelming for what we were building — it was just a function of actually building something that could be used in a production environment”.

Papercup, the U.K.-based AI startup that has developed speech technology that translates people’s voices into other languages and is already being used in the video and television industry, has raised £8 million in funding.

The round was led by LocalGlobe and Sands Capital Ventures, alongside Sky, GMG Ventures, Entrepreneur First (EF) and BDMI. Papercup says the new capital will be used to invest further into machine learning research and to expand its “human-in-the-loop” quality control functionality, which is used to improve and customise the quality of its AI-translated videos.

Meanwhile, Papercup’s existing angel investors include William Tunstall-Pedoe, the founder of Evi Technologies — the company acquired by Amazon to create Alexa — and Zoubin Ghahramani, former chief scientist and VP of AI at Uber and now part of the Google Brain leadership team.

Founded in 2017 by Jesse Shemen and Jiameng Gao while going through EF’s company builder program, Papercup is building out an AI and machine learning-based system that it says is capable of translating a person’s voice and expressiveness into other languages. Unlike a lot of text-to-speech, the startup claims the resulting voice translation is “indistinguishable” from human speech, and, perhaps uniquely, it attempts to retain the characteristics of the original speaker’s voice.

Initially, the tech is being targeted at video producers, including already being used by Sky News, Discovery and YouTube stars Yoga with Adriene, along with DIY content creators. It is pitched as a much more scalable and therefore lower-cost alternative to pure human dubbing.

“Most of the world’s video and audio content is shackled to a single language,” says Papercup co-founder and CEO Shemen. “That includes billions of hours of videos on YouTube, millions of podcast episodes, tens of thousands of classes on Skillshare and Coursera, and thousands of hours of content on Netflix. Almost every content owner is scrambling to go international, but there is yet no simple and cost-effective way to translate content beyond subtitling”.

For “deep pocketed studios,” there is of course the option to employ high-end dubbing via a professional dubbing studio and voice actors, but this is far too expensive for most content owners. And even wealthy studios are often constrained in terms of how many languages they can accommodate.

“That leaves the mid and long tail of content owners — literally 99% of all content — stranded and incapable of reaching international audiences beyond subtitling,” says Shemen, which, of course, is where Papercup comes into play. “Our aim is to generate translated voices that sound as close to the original speaker as possible”.

To do that, he says that Papercup will need to tackle four things. First up is creating “natural sounding” voices, i.e. how clear and human-like the synthetic voices sound. The second challenge is retaining emotion and pacing to reflect how the original speaker expressed themselves (think: happy, sad, angry etc.). Third is capturing the uniqueness of someone’s voice (e.g. Morgan Freeman, but in German). Lastly, the resulting translation needs the correct alignment of the audio to the video itself.

Explains Shemen: “We started off by making our voices as human-like and natural sounding as possible, where we’ve made quite a significant leap in terms of quality by honing our technology to the task, and today we have one of the best Spanish speech synthesis systems in production.

“We’re now focusing on better retainment and transfer of the original emotion and expressiveness in the original speaker across languages, and meanwhile figuring out what it is exactly that makes for quality dubbing”.

The next challenge and arguably the toughest nut to crack is “speaker adaptation,” described as capturing the uniqueness of someone’s voice. “This is the last layer of adaptation,” notes the Papercup CEO, “but it was also one of our first breakthroughs in our research. While we have models that can accomplish this, we’re focusing more of our time on emotion and expressiveness”.

That’s not to say Papercup is entirely machine-powered, even if it might be one day. The company also employs a “human-in-the-loop” process to make corrections and adjustments to the translated audio track. This includes correcting for any speech recognition or machine translation errors that come up, making adjustments to the timings of the audio, as well as enforcing emotions (e.g. happy, sad) and changing the speed of the generated voice.

How much human-in-the-loop is required depends on the type of content and priorities of the content owners, i.e. how realistic or perfect they need the resulting video to be. In other words, it isn’t a zero-sum game, as good enough will be more than enough for a swathe of content owners at scale.

Asked about the technology’s beginnings, Shemen says Papercup started with research conducted by co-founder and CTO Jiameng Gao “who is incredibly smart and oddly obsessed with speech processing”. Gao completed two Masters at University of Cambridge (in machine learning and speech language technology) and wrote a thesis on speaker adaptive speech processing. It was at Cambridge that he realised that something like Papercup was possible.

“When we started working together at Entrepreneur First at the end of 2017, we built our initial prototype systems that showed that this technology was even possible despite there being no precedent for it,” says Shemen. “Based on early conversations, the demand was clearly overwhelming for what we were building — it was just a function of actually building something that could be used in a production environment”.

Another batch of complaints has been filed with European Union data protection agencies urging enforcement action against the adtech industry’s abuse of Internet users’ information to target ads.

The complaints argue that behavioural ads are both harmful and unlawful.

Earlier complaints over the same Real-Time Bidding (RTB) programmatic advertising issue were filed across the EU in 2018 and 2019 but have yet to result in any substantive regulatory action.

Ireland did open a probe into Google’s ad exchange last year. While Belgium’s DPA has been progressing an investigation into a flagship industry tool that’s used for gathering consents to ad targeting — making a preliminary finding of non-compliance in October. But litigation to reach a final verdict on the IAB Europe’s ‘Transparency and Consent’ (TCF) framework won’t take place until next year.

(Related: The UK’s data protection agency is facing a legal challenge over its failure to act on RTB complaints, despite repeatedly expressing concern about the industry’s lawfulness problem.)

Both Google and the IAB continue to deny any problems with their adtech. Last year Google said authorised buyers that use its systems are subject to “stringent policies and standards”. While the IAB Europe rejected the Belgium DPA’s findings — saying its preliminary report “fundamental misunderstand[s]” the TCF tech.

The latest GDPR complaints target how the RTB component of programmatic advertising broadcasts Internet users’ personal data to scores of entities involved in these high speed eyeball auctions — arguing it runs counter to core security requirements in the General Data Protection Regulation (GDPR), as well as being horrible for people’s privacy.

A key principle of the GDPR is security by design and default — with the regulation placing legal requirements on personal data handlers to make sure people’s information is properly secured.

The complaints, which target Google and the IAB in their capacity as RTB standard setters, have been filed by civil society groups in six European countries — namely: Asociatia pentru Tehnologie si Internet (ApTi), Romania; D3 – Defesa dos Direitos Digitais, Portugal; GONG, Croatia; Global Human Dignity Foundation, Malta; Homo Digitalis, Greece; and the Institute of Information Cyprus.

They’re being coordinated by a consortium led by the Civil Liberties Union for Europe (Liberties), the ORG (Open Rights Group) and the Panoptykon Foundation. 

“Real-time bidding, which is the bedrock of the online advertising industry, is an abuse of people’s right to privacy,” said Dr Orsolya Reich, senior advocacy officer at Liberties, in a supporting statement. “The GDPR has been in place since 2018 and it is there precisely to give people a greater say about what happens to their data online.

“Today, more civil society groups are saying enough with this invasive advertising model and are asking data protection authorities to stand up against the harmful and unlawful practices they use.”

The consortium is asking for a joint investigation by their respective national DPAs — and for regulators to join with ongoing adtech investigations in Ireland (into Google’s adtech) and Belgium (into the IAB Europe’s TCF framework).

It’s not clear how far the Irish DPC’s investigation of Google has progressed — but it continues to face criticism for the lack of decisions on cross-border GDPR cases, some 2.5 years after the regulation technically begun being applied.

A mechanism in the GDPR means cross-border cases (basically anything related to mainstream consumer tech) get passed to a lead agency to investigate. However other agencies also remain involved, as interested parties, and must agree with any final decision made.

The system has led to a bottleneck of cases in certain EU locations, such as Ireland, where many tech giants base their European HQ. So the concern is this one-stop-shop mechanism is adding an unworkable level of friction to GDPR investigations — delaying decisions and enforcement action so much it risks the entire framework.

The Commission has acknowledged weakness in GDPR enforcement. Most obviously because it’s working on a massive package of new digital regulations. Though its strategy for fixing the enforcement problem is less clear as EU Member States look set to remain responsible for the bulk of this additional oversight, just as they’re responsible for resourcing their own DPAs now. (And yet more complaints have been filed this year accusing European governments of a GDPR resourcing failure.)

Ireland’s DPC is slated to issue its first cross-border GDPR decision in a case that relates to a Twitter security breach very shortly. But last year its commissioner, Helen Dixon, suggested it would come with its first such decisions early in 2020 — so the gap between GDPR expectation and reality is running almost 12 months late at this point.

 

The consortium filing the latest RTB complaints writes in a press release that while some of the earlier adtech complaints were referred to lead authorities it has no knowledge of “any meaningful cooperation or joint operations between national authorities and the lead authorities”.

“This suggests that cooperation and consistency mechanisms as envisioned in the GDPR are yet to be implemented fully,” the group adds, calling for a joint investigation into the RTB issue because the technology functions in the same way across borders — and “produces the same negative effects in all EU member states”, as they put it.

However it’s not clear how extra joint working — if indeed that’s really what’s being called for — would help to speed up GDPR enforcement. Nor how referring additional complaints to Ireland and Belgium would work to speed up their current investigations.

Most likely, the intent is to keep up pressure on the regulators to act.

Asked about the call for joint working, a Liberties spokesman told us: “The problem is that Google and IAB are big players, standard-setters in the market, and they affect all Internet users. Given the geographical scope of the issues raised in the complaints, we think it’s better for supervisory authorities to act in unison, not to be working alone in their corner.  This is why national partners are inviting their national DPAs to refer this complaint to the lead supervisory authorities who are already investigating Google’s and IAB’s compliance with the GDPR.”

Commenting in another supporting statement, Mariano delli Santi, legal and policy officer at the ORG, added: “These new complaints show that the GDPR is working. Individuals are increasingly aware of their rights, and they demand change. Now, it is up to the authorities to support this process, and make sure these laws are properly and consistently enforced against the widespread abuses of the adtech industry.”

At the time of writing, the only extant example of enforcement against a tech giant under the updated regulation was a January 2019 decision to fine Google $57M by France’s CNIL. That investigation was limited to having a national scope, though, rather than being treated as a cross-border case.

Since then Google has shifted its legal base in Europe to Ireland — so now falls under the lead jurisdiction of the DPC.

This arrangement appears to suit big tech, enabling it to avoid the risk of speedier investigations conducted by single Member State agencies acting faster alone. (So it’s very interesting to see TikTok ramping up its business infrastructure and headcount in Ireland — as it’s also now on CNIL’s radar… )

 

As noted earlier, EU lawmakers have conceded GDPR enforcement has been a weakness thus far.

In a review of the two year old regulation this summer the Commission highlighted a lack of universally vigorous enforcement.

Last week the values and transparency commissioner, Vera Jourouv, also raised the problem as she set out the bloc’s plan to bolster democratic values against a range of online risks, such as algorithmically amplified or microtargeted disinformation and election interference — acknowledging GDPR alone isn’t enough to fix myriad intersecting tech-fuelled problems.

“[After the Cambridge Analytica scandal] we said that we are relieved that after GDPR came into force we are protected against this kind of practice — that people have to give consent and be aware of that — but we see that it might be a weak measure only to rely on consent or leave it for the citizens to give consent,” she said.

“Enforcement of privacy rules is not sufficient — that’s why we are coming in the European Democracy Action Plan with the vision for the next year to come with the rules for political advertising, where we are seriously considering to limit the microtargeting as a method which is used for the promotion of political powers, political parties or political individuals.”

The European Commission is in the progress of drafting an ambitious and interlocking package of digital regulations, that it wants to fuel a regional data economy and set firm online rules to engender the necessary trust — and has said it wants this major digital policymaking effort to serve Europe for decades.

But without effective enforcement of its Internet rulebook it’s not clear how the bloc’s digital strategy will deliver as intended.

 

France’s data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.

Google has been hit with a total of €100 million ($120M) for dropping cookies on Google.fr and Amazon €35M (~42M) for doing so on the Amazon .fr domain under the penalty notices issued today.

The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.

In Google’s case the CNIL has found three consent violations related to dropping non-essential cookies.

“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” it writes in the penalty notice [which we’ve translated from French].

Amazon was found to have made two violations, per the CNIL penalty notice.

CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.

Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.

In Amazon’s case its French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.

The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time sites that failed to ask for consent to track were risking a big fine under EU privacy laws.

Google and Amazon are now finding that out to their cost, it seems.

We’ve reached out to Amazon and Google for comment on the CNIL’s action.

In Google’s case the CNIL also found that when a user selected to deactivate personalized advertising — via an option that Google’s cookie notice presented them with — the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.

This story is developing — refresh for updates…

France’s data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.

Google has been hit with a total of €100 million ($120M) for dropping cookies on Google.fr and Amazon €35M (~42M) for doing so on the Amazon .fr domain under the penalty notices issued today.

The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.

In Google’s case the CNIL has found three consent violations related to dropping non-essential cookies.

“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” it writes in the penalty notice [which we’ve translated from French].

Amazon was found to have made two violations, per the CNIL penalty notice.

CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.

Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.

In Amazon’s case its French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.

The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time sites that failed to ask for consent to track were risking a big fine under EU privacy laws.

Google and Amazon are now finding that out to their cost, it seems.

We’ve reached out to Amazon and Google for comment on the CNIL’s action.

In Google’s case the CNIL also found that when a user selected to deactivate personalized advertising — via an option that Google’s cookie notice presented them with — the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.

This story is developing — refresh for updates…

The rise of U.S.-China tensions has accelerated the bifurcation of global technology, with the two superpowers each working on their own tech systems. While the rift might be discouraging cross-border investment and business expansion between the rivals, the countries that are in-between — like those in Southeast Asia and Europe — are still finding opportunities.

Sweden’s Dirac is such an example. The 15-year-old firm has been licensing sound optimization technology to mobile, home entertainment, AR/VR, automotive, and other businesses where sounds are critical. The geopolitical complications “have not impacted” the company at all, its founder and chief executive Mathias Johansson told TechCrunch in an interview.

Based in the university city Uppsala of Sweden, Dirac has deep ties to China, offering solutions to the country’s smartphone leaders from Huawei, Oppo, Xiaomi, to Africa-focused Transsion. More than 50% of its revenue come from China today.

Dirac’s interest in China stems in part from the founder’s early fascination with the country. When Johansson visited China for the first time through his PhD program two decades ago, he was impressed by the “rapid evolution” in the tech industry there.

“The audio industry put a lot of manufacturing in China first, but then more and more on development and design. We realized this is a market that’s absolutely key for the entire consumer electronics ecosystem,” Johansson said.

The entrepreneur had since been traveling to Asia, especially Japan and China where electronics were flourishing. In 2010, he hired Dirac’s first China manager Tony Ye, who previously worked for Swedish software firm IAR Systems in Shanghai. At the time, the revolutionary iPhone 4 was making waves across the world, but Johansson and his team were also bullish about China.

“We thought that China is going to be the leader in smartphones eventually. We thought that with Android and with Arm processors [China] is going to be a very different market. So we really went in there and focused on the market. And we thought that [Chinese] would be more hungry, more interested in trying out new things, simply because they were newcomers just like we were pioneers,” the founder said.

“It turned out to be the right bet.”

Though the Chinese government has been advocating for technological autonomy, the national efforts are prioritizing strategic areas like 5G and AI. In smaller and less politically charged fields, imported technologies are still seeing demand. These solutions are often cutting-edge and built upon years of research and development, but they are too niched for big corporations to invest the money and time. That is true for certain video enhancement solutions (see TechCrunch’s profile of Imint, also an Uppsala-based company), or advanced sound optimization in the case of Dirac.

Johansson began researching the audio technology behind Dirac some 20 years ago during university, which made it harder for latecomers to catch up, the founder asserted. Dirac fixes audio like how glasses correct vision. Its team would first send out a test signal through the target speaker system, records it with a microphone, generates a digital fingerprint of audio, and measures the acoustic information. It then makes an exact “mirror universe” of the distortions created by the system, sends pre-distorted audio back to the speakers and the users will eventually get the distortion-free version of the sound.

The research and development cycle at Dirac is long, but working with Chinese companies has forced the Swedish firm to adapt.

“It challenged us to come up with new, more efficient ways of doing the same thing and to keep that innovation pace ahead of the competitor, whether it’s domestic Chinese, or the U.S., or wherever,” the founder admitted.

Dirac maintains its cashflow by licensing its intellectual property to clients and charges royalty fees per unit of device shipped. It also operates a B2B2C model, whereby the end-user can upgrade the sound system of a device, say, a speaker, by paying a fee, which is then divided between Dirac and its client, i.e. the device maker. Its latest big-name customer is the Chinese electric carmaker BYD, a deal that the company sees as an important step in furthering its automotive ambitions.

“Traditional carmakers are being challenged and the whole ecosystem is changing,” Johansson observed. “With software upgrades, cars are becoming something very different. They’re becoming much more like mobile phones and much more software-centric. The whole entertainment aspect and the audio experience in cars are becoming almost the most important part of the car because the noise is so low, the car is so quiet and you’re maybe driving a self-driving car. The audio experience you will get from cars will be outstanding in a couple of years.”

A startup that is improving the way construction and real estate companies in India procure materials and handle logistics for their projects has received the backing of three new investors.

Mumbai-headquartered Infra.Market said on Thursday it has raised $20 million in a Series B financing round. The round was led by Evolvence India Fund, Sistema Asia Fund, and Foundamental Gmbh, while existing investors Accel, Tiger Global, and Nexus also participated in it. The four-year-old startup has raised about $50 million to date.

Infra.Market helps small businesses such as manufacturers of paints and cements improve the quality of their production and meet various compliances. The startup adds its load cells to the manufacturing facilities of these small businesses to ensure there is no lapse in quality, and also helps them work with other businesses that can provide them with better raw material and provide guidance on pricing. It also works closely with businesses to ensure that their deliveries are made on time.

These improvements, explained co-founder Souvik Sengupta, help small manufacturers land larger clients that have higher expectations from the businesses with which they engage.

“We are bringing a service layer to these small manufacturers, enabling them to grow their business. We don’t own the asset and are creating private label brands,” he said in an interview with TechCrunch. Infra.Market today works with over 170 small manufacturers and counts the vast majority of major construction and real estate companies such as giants Larsen & Toubro and Tata Sons as its clients. Sengupta said the startup sells to over 400 large clients and 3,000 small retailers.

Sengupta said the startup was on track to hit the ARR (annual recurring revenue) of $100 million before the pandemic, which for at least two months nearly cut its business in half. But the startup has picked up pace again, and is now on track to hit the ARR of $180 million.

“As an enabler to this sector, Infra.Market has emerged as one of the most disruptive companies through pioneering technological innovation in the procurement and distribution of building materials catering to the infrastructure and construction industry by improving logistics, financing, procurement and project management of large scale projects in key markets across India. The company has very quickly demonstrated remarkable growth backed by a solid business model and deep sector domain knowledge of its founders and management team,” said Rohit Batra, Partner at Evolvence India, in a statement.

More to follow…

Demand for contactless payments and e-commerce has grown in South Korea during the COVID-19 pandemic. This is good news for payment service operators, but the market is very fragmented, so adding payment options is a time-consuming process for many merchants. CHAI wants to fix this with an API that enables companies to accept over 20 payment systems. The Seoul-based startup announced today it has raised a $60 million Series B.

The round was led by Hanhwa Investment & Securities, with participation from SoftBank Ventures Asia (the early-stage venture capital arm of SoftBank Group), SK Networks, Aarden Partners and other strategic partners. It brings CHAI’s total funding to $75 million, including a $15 million Series A in February.

Last month, the Bank of Korea, South Korea’s central bank, released a report showing that ()contactless payments increased 17% year-over-year since the start of COVID-19.

CHAI serves e-commerce companies with an API called I’mport, that allows them to accept payments from over twenty options, including debit and credit cards through local payment gateways, digital wallets, wire transfers, carrier billings and PayPal. It is now used by 2,200 merchants, including Nike Korea and Philip Morris Korea.

CHAI chief executive officer Daniel Shin told TechCrunch that businesses would usually have to integrate each kind of online payment type separately, so I’mport saves its clients a lot of time.

The company also offers its own digital wallet and debit card called the CHAI Card, which launched in June 2019 and now has 2.5 million users, a small number compared South Korea’s leading digital wallets, which include Samsung Pay, Naver Pay, Kakao Pay and Toss.

“CHAI is a late comer to Korea’s digital payments market, but we saw a unique opportunity to offer value,” said Shin. The CHAI Card offers merchants a lower transaction fee than other cards and users typically check its app about 20 times to see new cashback offers and other rewards based on how often they pay with their cards or digital wallet.

“We’ve digitized the plastic card experience, and this is the first step towards creating a robust online rewards platform,” Shin added.

In press statement, Hanhwa Investment & Securities director SeungYoung Oh director said, “I’mport has reduced what once took e-commerce businesses weeks to complete into a simple copy-and-paste task, radically reducing costs. It is a first-of-its-kind business model in Korea, and I have no doubt that CHAI will continue to grow this service into an essential infrastructure of the global fintech landscape.”

LabCorp has now become the first company to receive approval to sell its COVID-19 test kit over-the-counter without a prescription, according to a statement form the company.

One of the largest diagnostics testing companies in the U.S., LabCorp could be a significant competitor to companies like EverlyWell, which received approvals for its at-home testing kits in May; MyLab Box, which announced a partnership with Walmart earlier this week to sell COVID-19 test kits with the giant retailer; or LetsGetChecked, which has its own at-home test.

LabCorp was actually the first company to receive approval from the FDA for its test kit, and now the company can sell the product through retail channels without a prescription.

“With the first over-the-counter at-home collection kit ever authorized by the FDA for COVID-19, we are empowering people to learn about their health and make confident decisions,” said Dr. Brian Caveney, chief medical officer and president of LabCorp Diagnostics, in a statement. “With this authorization, we can help more people get tested, reduce the spread of the virus and improve the health of our communities.”

It’s pretty inarguable that anything that reduces the friction consumers face in getting tested for SARS-CoV-2, the virus that causes COVID-19, is a good thing. It’s also in line with a broader push to increase healthcare access for consumers in an effort to reduce costs.

When customers purchase the COVID-19 test kit, they register the kit on the company’s website and then follow the instructions given there. Tests results are delivered through a corporate portal and a healthcare provider is available to assist customers who test positive on how to proceed with a course of treatment.

The company said its kit should not be viewed as a substitute for visits to a healthcare professional and is intended for use by adults 18 or older.

It’s important to note that the LabCorp PCR test has not been cleared or approved by the FDA and is being authorized under an emergency use authorization.