Ireland probes TikTok’s handling of kids’ data and transfers to China

Ireland’s Data Protection Commission (DPC) has yet another ‘Big Tech’ GDPR probe to add to its pile: The regulator said yesterday it has opened two investigations into video sharing platform TikTok.

The first covers how TikTok handles children’s data, and whether it complies with Europe’s General Data Protection Regulation.

The DPC also said it will examine TikTok’s transfers of personal data to China, where its parent entity is based — looking to see if the company meets requirements set out in the regulation covering personal data transfers to third countries.

TikTok was contacted for comment on the DPC’s investigation.

A spokesperson told us:

“The privacy and safety of the TikTok community, particularly our youngest members, is a top priority. We’ve implemented extensive policies and controls to safeguard user data and rely on approved methods for data being transferred from Europe, such as standard contractual clauses. We intend to fully cooperate with the DPC.”

The Irish regulator’s announcement of two “own volition” enquiries follows pressure from other EU data protection authorities and consumers protection groups which have raised concerns about how TikTok handles’ user data generally and children’s information specifically.

In Italy this January, TikTok was ordered to recheck the age of every user in the country after the data protection watchdog instigated an emergency procedure, using GDPR powers, following child safety concerns.

TikTok went on to comply with the order — removing more than half a million accounts where it could not verify the users were not children.

This year European consumer protection groups have also raised a number of child safety and privacy concerns about the platform. And, in May, EU lawmakers said they would review the company’s terms of service.

On children’s data, the GDPR sets limits on how kids’ information can be processed, putting an age cap on the ability of children to consent to their data being used. The age limit varies per EU Member State but there’s a hard cap for kids’ ability to consent at 13 years old (some EU countries set the age limit at 16).

In response to the announcement of the DPC’s enquiry, TikTok pointed to its use of age gating technology and other strategies it said it uses to detect and remove underage users from its platform.

It also flagged a number of recent changes it’s made around children’s accounts and data — such as flipping the default settings to make their accounts privacy by default and limiting their exposure to certain features that intentionally encourage interaction with other TikTok users if those users are over 16.

While on international data transfers it claims to use “approved methods”. However the picture is rather more complicated than TikTok’s statement implies. Transfers of Europeans’ data to China are complicated by there being no EU data adequacy agreement in place with China.

In TikTok’s case, that means, for any personal data transfers to China to be lawful, it needs to have additional “appropriate safeguards” in place to protect the information to the required EU standard.

When there is no adequacy arrangement in place, data controllers can, potentially, rely on mechanisms like Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) — and TikTok’s statement notes it uses SCCs.

But — crucially — personal data transfers out of the EU to third countries have faced significant legal uncertainty and added scrutiny since a landmark ruling by the CJEU last year which invalidated a flagship data transfer arrangement between the US and the EU and made it clear that DPAs (such as Ireland’s DPC) have a duty to step in and suspend transfers if they suspect people’s data is flowing to a third country where it might be at risk.

So while the CJEU did not invalidate mechanisms like SCCs entirely they essentially said all international transfers to third countries must be assessed on a case-by-case basis and, where a DPA has concerns, it must step in and suspend those non-secure data flows.

The CJEU ruling means just the fact of using a mechanism like SCCs doesn’t mean anything on its own re: the legality of a particular data transfer. It also amps up the pressure on EU agencies like Ireland’s DPC to be pro-active about assessing risky data flows.

Final guidance put out by the European Data Protection Board, earlier this year, provides details on the so-called ‘special measures’ that a data controller may be able to apply in order to increase the level of protection around their specific transfer so the information can be legally taken to a third country.

But these steps can include technical measures like strong encryption — and it’s not clear how a social media company like TikTok would be able to apply such a fix, given how its platform and algorithms are continuously mining users’ data to customize the content they see and in order to keep them engaged with TikTok’s ad platform.

In another recent development, China has just passed its first data protection law.

But, again, this is unlikely to change much for EU transfers. The Communist Party regime’s ongoing appropriation of personal data, through the application of sweeping digital surveillance laws, means it would be all but impossible for China to meet the EU’s stringent requirements for data adequacy. (And if the US can’t get EU adequacy it would be ‘interesting’ geopolitical optics, to put it politely, were the coveted status to be granted to China…)

One factor TikTok can take heart from is that it does likely have time on its side when it comes to the’s EU enforcement of its data protection rules.

The Irish DPC has a huge backlog of cross-border GDPR investigations into a number of tech giants.

It was only earlier this month that Irish regulator finally issued its first decision against a Facebook-owned company — announcing a $267M fine against WhatsApp for breaching GDPR transparency rules (but only doing so years after the first complaints had been lodged).

The DPC’s first decision in a cross-border GDPR case pertaining to Big Tech came at the end of last year — when it fined Twitter $550k over a data breach dating back to 2018, the year GDPR technically begun applying.

The Irish regulator still has scores of undecided cases on its desk — against tech giants including Apple and Facebook. That means that the new TikTok probes join the back of a much criticized bottleneck. And a decision on these probes isn’t likely for years.

On children’s data, TikTok may face swifter scrutiny elsewhere in Europe: The UK added some ‘gold-plaiting’ to its version of the EU GDPR in the area of children’s data — and, from this month, has said it expects platforms meet its recommended standards.

It has warned that platforms that don’t fully engage with its Age Appropriate Design Code could face penalties under the UK’s GDPR. The UK’s code has been credited with encouraging a number of recent changes by social media platforms over how they handle kids’ data and accounts.

Billogram, provider of a payments platform specifically for recurring billing, raises $45M

Payments made a huge shift to digital platforms during the Covid-19 pandemic — purchasing moved online for many consumers and businesses; and a large proportion of those continuing to buy and sell in-person went cash-free. Today a startup that has been focusing on one specific aspect of payments — recurring billing — is announcing a round of funding to capitalize on that growth with expansion of its own. Billogram, which has built a platform for third parties to build and handle any kind of recurring payments (not one-off purchases), has closed a round of $45 million.

The funding is coming from a single investor, Partech, and will be used to help the Stockholm-based startup expand from its current base in Sweden to six more markets, Jonas Suijkerbuijk, Billogram’s CEO and founder, said in an interview, to cover more of Germany (where it’s already active now), Norway, Finland, Ireland, France, Spain, and Italy.

The company got its start working with SMBs in 2011 but pivoted some years later to working with larger enterprises, which make up the majority of its business today. Suijkerbuijk said that in 2020, signed deals went up by 300%, and the first half of 2021 grew 50% more on top of that. Its users include utilities like Skanska Energi and broadband company Ownit, and others like remote healthcare company Kry, businesses that take invoice and take monthly payments from their customers.

While there has been a lot of attention around how companies like Apple and Google are handling subscriptions and payments in apps, what Billogram focuses on is a different beast, and much more complex: it’s more integrated into the business providing services, and it may involve different services, and the fees can vary over every billing period. It’s for this reason that, in fact, even big companies in the realm of digital payments, like Stripe, which might even already have products that can help manage subscriptions on their platforms, partner with companies like Billogram to build the experiences to manage their more involved kinds of payment services.

I should point out here that Suijkerbuijk told me that Stripe recently became a partner of Billograms, which is very interesting… but he also added that a number of the big payments companies have talked to Billogram. He also confirmed that currently Stripe is not an investor in the company. “We have a very good relationship,” he said.

It’s not surprising to see Stripe and others wanting to more in the area of more complex, recurring billing services. Researchers estimate that the market size (revenues and services) for subscription and recurring billing will be close to $6 billion this year, with that number ballooning to well over $10 billion by 2025. And indeed, the effort to make a payment or any kind of transaction will continue to be a point of friction in the world of commerce, so any kinds of systems that bring technology to bear to make that easier and something that consumers or businesses will do without thinking about it, will be valuable, and will likely grow in dominance. (It’s why the more basic subscription services, such as Prime membership or a Netflix subscription, or a cloud storage account, are such winners.)

Within that very big pie, Suijkerbuijk noted that rather than the Apples and Googles of the world, the kinds of businesses that Billogram currently competes against are those that are addressing the same thornier end of the payments spectrum that Billogram is. These include a wide swathe of incumbent companies that do a lot of their business in areas like debt collection, and other specialists like Scaleworks-backed Chargify — which itself got a big investment injection earlier this year from Battery Ventures, which put $150 million into both it and another billing provider, SaaSOptics, in April.

The former group of competitors are not currently a threat to Billogram, he added.

“Debt collecting agencies are big on invoicing, but no one — not their customers, nor their customers’ customers — loves them, so they are great competitors to have,” Suijkerbuijk joked.

This also means that Billogram is not likely to move into debt collection itself as it continues to expand. Instead, he said, the focus will be on building out more tools to make the invoicing and payments experience better and less painful to customers. That will likely include more moves into customer service and generally improving the overall billing experience — something we have seen become a bigger area also during the pandemic, as companies realized that they needed to address non-payments in a different way from how their used to, given world events and the impact they were having on individuals.

“We are excited to partner with Jonas and the team at Billogram.” says Omri Benayoun, General Partner at Partech, in a statement. “Having spotted a gap in the market, they have quietly built the most advanced platform for large B2C enterprises looking to integrate billing, payment, and collection in one single solution. In our discussion with leading utilities, telecom, e-health, and all other clients across Europe, we realized how valuable Billogram was for them in order to engage with their end-users through a top-notch billing and payment experience. The outstanding commercial traction demonstrated by Billogram has further cemented our conviction, and we can’t wait to support the team in bringing their solution to many more customers in Europe and beyond!”

After years of inaction against adtech, UK’s ICO calls for browser-level controls to fix ‘cookie fatigue’

In the latest quasi-throwback toward ‘do not track‘, the UK’s data protection chief has come out in favor of a browser- and/or device-level setting to allow Internet users to set “lasting” cookie preferences — suggesting this as a fix for the barrage of consent pop-ups that continues to infest websites in the region.

European web users digesting this development in an otherwise monotonously unchanging regulatory saga, should be forgiven — not only for any sense of déjà vu they may experience — but also for wondering if they haven’t been mocked/gaslit quite enough already where cookie consent is concerned.

Last month, UK digital minister Oliver Dowden took aim at what he dubbed an “endless” parade of cookie pop-ups — suggesting the government is eyeing watering down consent requirements around web tracking as ministers consider how to diverge from European Union data protection standards, post-Brexit. (He’s slated to present the full sweep of the government’s data ‘reform’ plans later this month so watch this space.)

Today the UK’s outgoing information commissioner, Elizabeth Denham, stepped into the fray to urge her counterparts in G7 countries to knock heads together and coalesce around the idea of letting web users express generic privacy preferences at the browser/app/device level, rather than having to do it through pop-ups every time they visit a website.

In a statement announcing “an idea” she will present this week during a virtual meeting of fellow G7 data protection and privacy authorities — less pithily described in the press release as being “on how to improve the current cookie consent mechanism, making web browsing smoother and more business friendly while better protecting personal data” — Denham said: “I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.”

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge,” she added.

Contacted for more on this “idea”, an ICO spokeswoman reshuffled the words thusly: “Instead of trying to effect change through nearly 2 billion websites, the idea is that legislators and regulators could shift their attention to the browsers, applications and devices through which users access the web.

“In place of click-through consent at a website level, users could express lasting, generic privacy preferences through browsers, software applications and device settings – enabling them to set and update preferences at a frequency of their choosing rather than on each website they visit.”

Of course a browser-baked ‘Do not track’ (DNT) signal is not a new idea. It’s around a decade old at this point. Indeed, it could be called the idea that can’t die because it’s never truly lived — as earlier attempts at embedding user privacy preferences into browser settings were scuppered by lack of industry support.

However the approach Denham is advocating, vis-a-vis “lasting” preferences, may in fact be rather different to DNT — given her call for fellow regulators to engage with the tech industry, and its “standards organizations”, and come up with “practical” and “business friendly” solutions to the regional Internet’s cookie pop-up problem.

It’s not clear what consensus — practical or, er, simply pro-industry — might result from this call. If anything.

Indeed, today’s press release may be nothing more than Denham trying to raise her own profile since she’s on the cusp of stepping out of the information commissioner’s chair. (Never waste a good international networking opportunity and all that — her counterparts in the US, Canada, Japan, France, Germany and Italy are scheduled for a virtual natter today and tomorrow where she implies she’ll try to engage them with her big idea).

Her UK replacement, meanwhile, is already lined up. So anything Denham personally champions right now, at the end of her ICO chapter, may have a very brief shelf life — unless she’s set to parachute into a comparable role at another G7 caliber data protection authority.

Nor is Denham the first person to make a revived pitch for a rethink on cookie consent mechanisms — even in recent years.

Last October, for example, a US-centric tech-publisher coalition came out with what they called a Global Privacy Standard (GPC) — aiming to build momentum for a browser-level pro-privacy signal to stop the sale of personal data, geared toward California’s Consumer Privacy Act (CCPA), though pitched as something that could have wider utility for Internet users.

By January this year they announced 40M+ users were making use of a browser or extension that supports GPC — along with a clutch of big name publishers signed up to honor it. But it’s fair to say its global impact so far remains limited. 

More recently, European privacy group noyb published a technical proposal for a European-centric automated browser-level signal that would let regional users configure advanced consent choices — enabling the more granular controls it said would be needed to fully mesh with the EU’s more comprehensive (vs CCPA) legal framework around data protection.

The proposal, for which noyb worked with the Sustainable Computing Lab at the Vienna University of Economics and Business, is called Advanced Data Protection Control (ADPC). And noyb has called on the EU to legislate for such a mechanism — suggesting there’s a window of opportunity as lawmakers there are also keen to find ways to reduce cookie fatigue (a stated aim for the still-in-train reform of the ePrivacy rules, for example).

So there are some concrete examples of what practical, less fatiguing yet still pro-privacy consent mechanisms might look like to lend a little more color to Denham’s ‘idea’ — although her remarks today don’t reference any such existing mechanisms or proposals.

(When we asked the ICO for more details on what she’s advocating for, its spokeswoman didn’t cite any specific technical proposals or implementations, historical or contemporary, either, saying only: “By working together, the G7 data protection authorities could have an outsized impact in stimulating the development of technological solutions to the cookie consent problem.”)

So Denham’s call to the G7 does seem rather low on substance vs profile-raising noise.

In any case, the really big elephant in the room here is the lack of enforcement around cookie consent breaches — including by the ICO.

Add to that, there’s the now very pressing question of how exactly the UK will ‘reform’ domestic law in this area (post-Brexit) — which makes the timing of Denham’s call look, well, interestingly opportune. (And difficult to interpret as anything other than opportunistically opaque at this point.)

The adtech industry will of course be watching developments in the UK with interest — and would surely be cheering from the rooftops if domestic data protection ‘reform’ results in amendments to UK rules that allow the vast majority of websites to avoid having to ask Brits for permission to process their personal data, say by opting them into tracking by default (under the guise of ‘fixing’ cookie friction and cookie fatigue for them).

That would certainly be mission accomplished after all these years of cookie-fatigue-generating-cookie-consent-non-compliance by surveillance capitalism’s industrial data complex.

It’s not yet clear which way the UK government will jump — but eyebrows should raise to read the ICO writing today that it expects compliance with (current) UK law when it has so roundly failed to tackle the adtech industry’s role in cynically sicking up said cookie fatigue by failing to take any action against such systemic breaches.

The bald fact is that the ICO has — for years — avoided tackling adtech abuse of data protection, despite acknowledging publicly that the sector is wildly out of control.

Instead, it has opted for a cringing ‘process of engagement’ (read: appeasement) that has condemned UK Internet users to cookie pop-up hell.

This is why the regulator is being sued for inaction — after it closed a long-standing complaint against the security abuse of people’s data in real-time bidding ad auctions with nothing to show for it… So, yes, you can be forgiven for feeling gaslit by Denham’s call for action on cookie fatigue following the ICO’s repeat inaction on the causes of cookie fatigue…

Not that the ICO is alone on that front, however.

There has been a fairly widespread failure by EU regulators to tackle systematic abuse of the bloc’s data protection rules by the adtech sector — with a number of complaints (such as this one against the IAB Europe’s self-styled ‘transparency and consent framework’) still working, painstakingly, through the various labyrinthine regulatory processes.

France’s CNIL has probably been the most active in this area — last year slapping Amazon and Google with fines of $42M and $120M for dropping tracking cookies without consent, for example. (And before you accuse CNIL of being ‘anti-American’, it has also gone after domestic adtech.)

But elsewhere — notably Ireland, where many adtech giants are regionally headquartered — the lack of enforcement against the sector has allowed for cynical, manipulative and/or meaningless consent pop-ups to proliferate as the dysfunctional ‘norm’, while investigations have failed to progress and EU citizens have been forced to become accustomed, not to regulatory closure (or indeed rapture), but to an existentially endless consent experience that’s now being (re)branded as ‘cookie fatigue’.

Yes, even with the EU’s General Data Protection Regulation (GDPR) coming into application in 2018 and beefing up (in theory) consent standards.

This is why the privacy campaign group noyb is now lodging scores of complaints against cookie consent breaches — to try to force EU regulators to actually enforce the law in this area, even as it also finds time to put up a practical technical proposal that could help shrink cookie fatigue without undermining data protection standards. 

It’s a shining example of action that has yet to inspire the lion’s share of the EU’s actual regulators to act on cookies. The tl;dr is that EU citizens are still waiting for the cookie consent reckoning — even if there is now a bit of high level talk about the need for ‘something to be done’ about all these tedious pop-ups.

The problem is that while GDPR certainly cranked up the legal risk on paper, without proper enforcement it’s just a paper tiger. And the pushing around of lots of paper is very tedious, clearly. 

Most cookie pop-ups you’ll see in the EU are thus essentially privacy theatre; at the very least they’re unnecessarily irritating because they create ongoing friction for web users who must constantly respond to nags for their data (typically to repeatedly try to deny access if they can actually find a ‘reject all’ setting).

But — even worse — many of these pervasive pop-ups are actively undermining the law (as a number of studies have shown) because the vast majority do not meet the legal standard for consent.

So the cookie consent/fatigue narrative is actually a story of faux compliance enabled by an enforcement vacuum that’s now also encouraging the watering down of privacy standards as a result of such much unpunished flouting of the law.

There is a lesson here, surely.

‘Faux consent’ pop-ups that you can easily stumble across when surfing the ‘ad-supported’ Internet in Europe include those failing to provide users with clear information about how their data will be used; or not offering people a free choice to reject tracking without being penalized (such as with no/limited access to the content they’re trying to access), or at least giving the impression that accepting is a requirement to access said content (dark pattern!); and/or otherwise manipulating a person’s choice by making it super simple to accept tracking and far, far, far more tedious to deny.

You can also still sometimes find cookie notices that don’t offer users any choice at all — and just pop up to inform that ‘by continuing to browse you consent to your data being processed’ — which, unless the cookies in question are literally essential for provision of the webpage, is basically illegal. (Europe’s top court made it abundantly clear in 2019 that active consent is a requirement for non-essential cookies.)

Nonetheless, to the untrained eye — and sadly there are a lot of them where cookie consent notices are concerned — it can look like it’s Europe’s data protection law that’s the ass because it seemingly demands all these meaningless ‘consent’ pop-ups, which just gloss over an ongoing background data grab anyway.

The truth is regulators should have slapped down these manipulative dark patterns years ago.

The problem now is that regulatory failure is encouraging political posturing — and, in a twisting double-back throw by the ICO! — regulatory thrusting around the idea that some newfangled mechanism is what’s really needed to remove all this universally inconvenient ‘friction’.

An idea like noyb’s ADPC does indeed look very useful in ironing out the widespread operational wrinkles wrapping the EU’s cookie consent rules. But when it’s the ICO suggesting a quick fix after the regulatory authority has failed so spectacularly over the long duration of complaints around this issue you’ll have to forgive us for being sceptical.

In such a context the notion of ‘cookie fatigue’ looks like it’s being suspiciously trumped up; fixed on as a convenient scapegoat to rechannel consumer frustration with hated online tracking toward high privacy standards — and away from the commercial data-pipes that demand all these intrusive, tedious cookie pop-ups in the first place — whilst neatly aligning with the UK government’s post-Brexit political priorities on ‘data’.

Worse still: The whole farcical consent pantomime — which the adtech industry has aggressively engaged in to try to sustain a privacy-hostile business model in spite of beefed up European privacy laws — could be set to end in genuine tragedy for user rights if standards end up being slashed to appease the law mockers.

The target of regulatory ire and political anger should really be the systematic law-breaking that’s held back privacy-respecting innovation and non-tracking business models — by making it harder for businesses that don’t abuse people’s data to compete.

Governments and regulators should not be trying to dismantle the principle of consent itself. Yet — at least in the UK — that does now look horribly possible.

Laws like GDPR set high standards for consent which — if they were but robustly enforced — could lead to reform of highly problematic practices like behavorial advertising combined with the out-of-control scale of programmatic advertising.

Indeed, we should already be seeing privacy-respecting forms of advertising being the norm, not the alternative — free to scale.

Instead, thanks to widespread inaction against systematic adtech breaches, there has been little incentive for publishers to reform bad practices and end the irritating ‘consent charade’ — which keeps cookie pop-ups mushrooming forth, oftentimes with ridiculously lengthy lists of data-sharing ‘partners’ (i.e. if you do actually click through the dark patterns to try to understand what is this claimed ‘choice’ you’re being offered).

As well as being a criminal waste of web users’ time, we now have the prospect of attention-seeking, politically charged regulators deciding that all this ‘friction’ justifies giving data-mining giants carte blanche to torch user rights — if the intention is to fire up the G7 to send a collect invite to the tech industry to come up with “practical” alternatives to asking people for their consent to track them — and all because authorities like the ICO have been too risk averse to actually defend users’ rights in the first place.

Dowden’s remarks last month suggest the UK government may be preparing to use cookie consent fatigue as convenient cover for watering down domestic data protection standards — at least if it can get away with the switcheroo.

Nothing in the ICO’s statement today suggests it would stand in the way of such a move.

Now that the UK is outside the EU, the UK government has said it believes it has an opportunity to deregulate domestic data protection — although it may find there are legal consequences for domestic businesses if it diverges too far from EU standards.

Denham’s call to the G7 naturally includes a few EU countries (the biggest economies in the bloc) but by targeting this group she’s also seeking to engage regulators further afield — in jurisdictions that currently lack a comprehensive data protection framework. So if the UK moves, cloaked in rhetoric of ‘Global Britain’, to water down its (EU-based) high domestic data protection standards it will be placing downward pressure on international aspirations in this area — as a counterweight to the EU’s geopolitical ambitions to drive global standards up to its level.

The risk, then, is a race to the bottom on privacy standards among Western democracies — at a time when awareness about the importance of online privacy, data protection and information security has actually never been higher.

Furthermore, any UK move to weaken data protection also risks putting pressure on the EU’s own high standards in this area — as the regional trajectory would be down not up. And that could, ultimately, give succour to forces inside the EU that lobby against its commitment to a charter of fundamental rights — by arguing such standards undermine the global competitiveness of European businesses.

So while cookies themselves — or indeed ‘cookie fatigue’ — may seem an irritatingly small concern, the stakes attached to this tug of war around people’s rights over what can happen to their personal data are very high indeed.

Apple launches a new iOS app, ‘Siri Speech Study,’ to gather feedback for Siri improvements

Apple recently began a research study designed to collect speech data from study participants. Earlier this month, the company launched a new iOS app called “Siri Speech Study” on the App Store, which allows participants who have opted in to share their voice requests and other feedback with Apple. The app is available in a number of worldwide markets but does not register on the App Store’s charts, including under the “Utilities” category where it’s published.

According to data from Sensor Tower, the iOS app first launched on August 9 and was updated to a new version on August 18. It’s currently available in the U.S., Canada, Germany, France, Hong Kong, India, Ireland, Italy, Japan, Mexico, New Zealand, and Taiwan — an indication of the study’s global reach. However, the app will not appear when searching the App Store by keyword or when browsing through the list of Apple’s published apps.

The Siri Speech Study app itself offers little information about the study’s specific goals, nor does it explain how someone could become a participant. Instead, it only provides a link to a fairly standard license agreement and a screen where a participant would enter their ID number to get started.

Reached for comment, Apple told TechCrunch the app is only being used for Siri product improvements, by offering a way for participants to share feedback directly with Apple. The company also explained people have to be invited to the study — there’s not a way for consumers to sign up to join.

Image Credits: App Store screenshot

The app is only one of many ways Apple is working to improve Siri.

In the past, Apple had tried to learn more about Siri’s mistakes by sending some small portion of consumers’ voice recordings to contractors for manual grading and review. But a whistleblower alerted media outlet The Guardian that the process had allowed them to listen in on confidential details at times. Apple shortly thereafter made manual review an opt-in process and brought audio grading in-house. This type of consumer data collection continues, but has a different aim that what a research study would involve.

Unlike this broader, more generalized data collection, a focus group-like study allows Apple to better understand Siri’s mistakes because it combines the collected data with human feedback. With the Siri Speech Study app, participants provide explicit feedback on per request basis, Apple said. For instance, if Siri misheard a question, users could explain what they were trying to ask. If Siri was triggered when the user hadn’t said “Hey Siri,” that could be noted. Or if Siri on HomePod misidentified the speaker in a multi-person household, the participant could note that, too.

Another differentiator is that none of the participants’ data is being automatically shared with Apple. Rather, users can see a list of the Siri requests they’ve made and then select which to send to Apple with their feedback. Apple also noted no user information is collected or used in the app, except the data directly provided by participants.

WWDC 2021 on device privacy

Image Credits: Apple WWDC 2021

Apple understands that an intelligent virtual assistant that understands you is a competitive advantage.

This year, the company scooped up ex-Google A.I. scientist Samy Bengio to help make Siri a stronger rival to Google Assistant, whose advanced capabilities are often a key selling point for Android devices. In the home, meanwhile, Alexa-powered smart speakers are dominating the U.S. market and compete with Google in the global landscape, outside China. Apple’s HomePod has a long way to go to catch up.

But despite the rapid progress in voice-based computing in recent years, virtual assistants can still have a hard time understanding certain types of speech. Earlier this year, for example, Apple said it would use a bank of audio clips from podcasts where users had stuttered to help it improve its understanding of this kind of speech pattern. Assistants can also stumble when there are multiple devices in a home that are listening for voice commands from across several rooms. And assistants can mess up when trying to differentiate between different family members’ voices or when trying to understand a child’s voice.

In other words, there are still many avenues a speech study could pursue over time, even if these aren’t its current focus.

That Apple is running a Siri speech study isn’t necessarily new. The company has historically run evaluations and studies like this in some form. But it’s less common to find Apple’s studies published directly on the App Store.

Though Apple could have published the app through the enterprise distribution process to keep it more under wraps, it chose to use its public marketplace. This more closely follows the App Store’s rules, as the research study is not an internally-facing app meant only for Apple employees.

Still, it’s not likely consumers will stumble across the app and be confused — the Siri Speech Study app is hidden from discovery. You have to have the app’s direct link to find it. (Good thing we’re nosy!)

Spotify expands its radio DJ-like format, Music + Talk, to global creators

Last fall, Spotify introduced a new format that combined spoken word commentary with music, allowing creators to reproduce the  radio-like experience of listening to a DJ or music journalist who shared their perspective on the tracks they would then play. Today, the company is making the format, which it calls “Music + Talk,” available to global creators through its podcasting software Anchor.

Creators who want to offer this sort of blended audio experience can now do so by using the new “Music” tool in Anchor, which provides access to Spotify’s full catalog of 70 million tracks that they can insert into their spoken-word audio programs. Spotify has said this new type of show will continue to compensate the artist when the track is streamed, the same as it would elsewhere on Spotify’s platform. In addition, users can also interact with the music content within the shows as they would otherwise — by liking the song, viewing more information about the track, saving the song, or sharing it, for example.

The shows themselves, meanwhile, will be available to both free and Premium Spotify listeners. Paying subscribers will hear the full tracks when listening to these shows, but free users will only hear a 30-second preview of the songs, due to licensing rights.

The format is somewhat reminiscent of Pandora’s Stories, which was also a combination of music and podcasting, introduced in 2019. However, in Pandora’s case, the focus had been on allowing artists to add their own commentary to music — like talking about the inspiration for a song — while Spotify is making it possible for anyone to annotate their favorite playlists with audio commentary.

Since launching last year, the product has been tweaked somewhat in response to user feedback, Spotify says. The shows now offer clearer visual distinction between the music and talk segments during an episode, and they include music previews on episode pages. To date, creators have produced “tens of thousands” of shows using the format, Spotify told TechCrunch, but the company isn’t providing exact numbers at this time.

The ability to create Music + Talk shows was previously available in select markets ahead of this global rollout, including in the U.S., Canada, the U.K., Ireland, Australia, and New Zealand.

With the expansion, creators in a number of other major markets are now gaining access, including Japan, India, the Philippines, Indonesia, France, Germany, Spain, Italy, the Netherlands, Sweden, Mexico, Brazil, Chile, Argentina, and Colombia. Alongside the expansion, Spotify’s catalog of Music + Talk original programs will also grow today, as new shows from Argentina, Brazil, Colombia, Chile, India, Japan, and the Philippines will be added.

Spotify will also begin to more heavily market the feature with the launch of its own Spotify Original called “Music + Talk: Unlocked,” which will offer tips and ideas for creators interested in trying out the format.

This Week in Apps: In-app events hit the App Store, TikTok tries Stories, Apple reveals new child safety plan

Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy.

The app industry continues to grow, with a record 218 billion downloads and $143 billion in global consumer spend in 2020. Consumers last year also spent 3.5 trillion minutes using apps on Android devices alone. And in the U.S., app usage surged ahead of the time spent watching live TV. Currently, the average American watches 3.7 hours of live TV per day, but now spends four hours per day on their mobile devices.

Apps aren’t just a way to pass idle hours — they’re also a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus. In 2020, investors poured $73 billion in capital into mobile companies — a figure that’s up 27% year-over-year.

This Week in Apps offers a way to keep up with this fast-moving industry in one place, with the latest from the world of apps, including news, updates, startup fundings, mergers and acquisitions, and suggestions about new apps and games to try, too.

Do you want This Week in Apps in your inbox every Saturday? Sign up here: techcrunch.com/newsletters

Top Stories

Apple to scan for CSAM imagery

Apple announced a major initiative to scan devices for CSAM imagery. The company on Thursday announced a new set of features, arriving later this year, that will detect child sexual abuse material (CSAM) in its cloud and report it to law enforcement. Companies like Dropbox, Google and Microsoft already scan for CSAM in their cloud services, but Apple had allowed users to encrypt their data before it reached iCloud. Now, Apple’s new technology, NeuralHash, will run on users’ devices, tatformso detect when a users upload known CSAM imagery — without having to first decrypt the images. It even can detect the imagery if it’s been cropped or edited in an attempt to avoid detection.

Meanwhile, on iPhone and iPad, the company will roll out protections to Messages app users that will filter images and alert children and parents if sexually explicit photos are sent to or from a child’s account. Children will not be shown the images but will instead see a grayed-out image instead. If they try to view the image anyway through the link, they’ll be shown interruptive screens that explain why the material may be harmful and are warned that their parents will be notified.

Some privacy advocates pushed back at the idea of such a system, believing it could expand to end-to-end encrypted photos, lead to false positives, or set the stage for more on-device government surveillance in the future. But many cryptology experts believe the system Apple developed provides a good balance between privacy and utility, and have offered their endorsement of the technology. In addition, Apple said reports are manually reviewed before being sent to the National Center for Missing and Exploited Children (NCMEC).

The changes may also benefit iOS developers who deal in user photos and uploads, as predators will no longer store CSAM imagery on iOS devices in the first place, given the new risk of detection.

In-App Events appear on the App Store

Image Credits: Apple

Though not yet publicly available to all users, those testing the new iOS 15 mobile operating system got their first glimpse of a new App Store discovery feature this week: “in-app events.” First announced at this year’s WWDC, the feature will allow developers and Apple editors alike to showcase directly on the App Store upcoming events taking place inside apps.

The events can appear on the App Store homepage, on the app’s product pages or can be discovered through personalized recommendations and search. In some cases, editors will curate events to feature on the App Store. But developers will also be provided tools to submit their own in-app events. TikTok’s “Summer Camp” for creators was one of the first in-app events to be featured, where it received a top spot on the iPadOS 15 App Store.

Weekly News

Platforms: Apple

Apple expands support for student IDs on iPhone and Apple Watch ahead of the fall semester. Tens of thousands more U.S. and Canadian colleges will now support mobile student IDs in the Apple Wallet app, including Auburn University, Northern Arizona University, University of Maine, New Mexico State University and others.

Apple was accused of promoting scam apps in the App Store’s featured section. The company’s failure to properly police its store is one thing, but to curate an editorial list that actually includes the scams is quite another. One of the games rounded up under “Slime Relaxations,” an already iffy category to say the least, was a subscription-based slime simulator that locked users into a $13 AUD per week subscription for its slime simulator. One of the apps on the curated list didn’t even function, implying that Apple’s editors hadn’t even tested the apps they recommend.

Tax changes hit the App Store. Apple announced tax and price changes for apps and IAPs in South Africa, the U.K. and all territories using the Euro currency, all of which will see decreases. Increases will occur in Georgia and Tajikistan, due to new tax changes. Proceeds on the App Store in Italy will be increased to reflect a change to the Digital Services Tax effective rate.

Game Center changes, too. Apple said that on August 4, a new certificate for server-based Game Center verification will be available via the publicKeyUrl.

Fintech

Robinhood stock jumped more than 24% to $46.80 on Tuesday after initially falling 8% on its first day of trading last week, after which it had continued to trade below its opening price of $38.

Square’s Cash app nearly doubled its gross profit to $546 million in Q2, but also reported a $45 million impairment loss on its bitcoin holdings.

Coinbase’s app now lets you buy your cryptocurrency using Apple Pay. The company previously made its Coinbase Card compatible with Apple Pay in June.

Social

An anonymous app called Sendit, which relies on Snap Kit to function, is climbing the charts of the U.S. App Store after Snap suspended similar apps, YOLO and LMK. Snap was sued by the parent of child who was bullied through those apps, which led to his suicide. Sendit also allows for anonymity, and reviews compare it to YOLO. But some reviews also complained about bullying. This isn’t the first time Snap has been involved in a lawsuit related to a young person’s death related to its app. The company was also sued for its irresponsible “speed filter” that critics said encouraged unsafe driving. Three young men died using the filter, which captured them doing 123 mph.

TikTok is testing Stories. As Twitter’s own Stories integrations, Fleets, shuts down, TikTok confirmed it’s testing its own Stories product. The TikTok Stories appear in a left-hand sidebar and allow users to post ephemeral images or video that disappear in 24 hours. Users can also comment on Stories, which are public to their mutual friends and the creator. Stories on TikTok may make more sense than they did on Twitter, as TikTok is already known as a creative platform and it gives the app a more familiar place to integrate its effects toolset and, eventually, advertisements.

Facebook has again re-arranged its privacy settings. The company continually moves around where its privacy features are located, ostensibly to make them easier to find. But users then have to re-learn where to go to find the tools they need, after they had finally memorized the location. This time, the settings have been grouped into six top-level categories, but “privacy” settings have been unbundled from one location to be scattered among the other categories.

A VICE report details ban-as-a-service operations that allow anyone to harass or censor online creators on Instagram. Assuming you can find it, one operation charged $60 per ban, the listing says.

TikTok merged personal accounts with creator accounts. The change means now all non-business accounts on TikTok will have access to the creator tools under Settings, including Analytics, Creator Portal, Promote and Q&A. TikTok shared the news directly with subscribers of its TikTok Creators newsletter in August, and all users will get a push notification alerting them to the change, the company told us.

Discord now lets users customize their profile on its apps. The company added new features to its iOS and Android apps that let you add a description, links and emojis and select a profile color. Paid subscribers can also choose an image or GIF as their banner.

Twitter Spaces added a co-hosting option that allows up to two co-hosts to be added to the live audio chat rooms. Now Spaces can have one main host, two co-hosts and up to 10 speakers. Co-hosts have all the moderation abilities as hosts, but can’t add or remove others as co-hosts.

Messaging

Tencent reopened new user sign-ups for its WeChat messaging app, after having suspended registrations last week for unspecified “technical upgrades.” The company, like many other Chinese tech giants, had to address new regulations from Beijing impacting the tech industry. New rules address how companies handle user data collection and storage, antitrust behavior and other checks on capitalist “excess.” The gaming industry is now worried it’s next to be impacted, with regulations that would restrict gaming for minors to fight addiction.

WhatsApp is adding a new feature that will allow users to send photos and videos that disappear after a single viewing. The Snapchat-inspired feature, however, doesn’t alert you if the other person takes a screenshot — as Snap’s app does. So it may not be ideal for sharing your most sensitive content.

Telegram’s update expands group video calls to support up to 1,000 viewers. It also announced video messages can be recorded in higher quality and can be expanded, regular videos can be watched at 0.5 or 2x speed, screen sharing with sound is available for all video calls, including 1-on-1 calls, and more.

Streaming & Entertainment

American Airlines added free access to TikTok aboard its Viasat-equipped aircraft. Passengers will be able to watch the app’s videos for up to 30 minutes for free and can even download the app if it’s not already installed. After the free time, they can opt to pay for Wi-Fi to keep watching. Considering how easy it is to fall into multi-hour TikTok viewing sessions without knowing it, the addition of the addictive app could make long plane rides feel shorter. Or at least less painful.

Chinese TikTok rival Kuaishou saw stocks fall by more than 15% in Hong Kong, the most since its February IPO. The company is another victim of an ongoing market selloff triggered by increasing investor uncertainty related to China’s recent crackdown on tech companies. Beijing’s campaign to rein in tech has also impacted Tencent, Alibaba, Jack Ma’s Ant Group, food delivery company Meituan and ride-hailing company Didi. Also related, Kuaishou shut down its controversial app Zynn, which had been paying users to watch its short-form videos, including those stolen from other apps.

Twitch overtook YouTube in consumer spending per user in April 2021, and now sees $6.20 per download as of June compared with YouTube’s $5.60, Sensor Tower found.

Image Credits: Sensor Tower

Spotify confirmed tests of a new ad-supported tier called Spotify Plus, which is only $0.99 per month and offers unlimited skips (like free users get on the desktop) and the ability to play the songs you want, instead of only being forced to use shuffle mode.

The company also noted in a forum posting that it’s no longer working on AirPlay2 support, due to “audio driver compatibility” issues.

Mark Cuban-backed audio app Fireside asked its users to invest in the company via an email sent to creators which didn’t share deal terms. The app has yet to launch.

YouTube kicks off its $100 million Shorts Fund aimed at taking on TikTok by providing creators with cash incentives for top videos. Creators will get bonuses of $100 to $10,000 based on their videos’ performance.

Dating

Match Group announced during its Q2 earnings it plans to add to several of the company’s brands over the next 12 to 24 months audio and video chat, including group live video, and other livestreaming technologies. The developments will be powered by innovations from Hyperconnect, the social networking company that this year became Match’s biggest acquisition to date when it bought the Korean app maker for a sizable $1.73 billion. Since then, Match was spotted testing group live video on Tinder, but says that particular product is not launching in the near-term. At least two brands will see Hyperconnect-powered integrations in 2021.

Photos

The Photo & Video category on U.S. app stores saw strong growth in the first half of the year, a Sensor Tower report found. Consumer spend among the top 100 apps grew 34% YoY to $457 million in Q2 2021, with the majority of the revenue (83%) taking place on iOS.

Image Credits: Sensor Tower

Gaming

Epic Games revealed the host of its in-app Rift Tour event is Ariana Grande, in the event that runs August 6-8.

Pokémon GO influencers threatened to boycott the game after Niantic removed the COVID safety measures that had allowed people to more easily play while social distancing. Niantic’s move seemed ill-timed, given the Delta variant is causing a new wave of COVID cases globally.

Health & Fitness

Apple kicked out an app called Unjected from the App Store. The new social app billed itself as a community for the unvaccinated, allowing like-minded users to connect for dating and friendships. Apple said the app violated its policies for COVID-19 content.

Google Pay expanded support for vaccine cards. In Australia, Google’s payments app now allows users to add their COVID-19 digital certification to their device for easy access. The option is available through Google’s newly updated Passes API which lets government agencies distribute digital versions of vaccine cards.

COVID Tech Connect, a U.S. nonprofit initially dedicated to collecting devices like phones and tablets for COVID ICU patients, has now launched its own app. The app, TeleHome, is a device-agnostic, HIPAA-compliant way for patients to place a video call for free at a time when the Delta variant is again filling ICU wards, this time with the unvaccinated — a condition that sometimes overlaps with being low-income. Some among the working poor have been hesitant to get the shot because they can’t miss a day of work, and are worried about side effects. Which is why the Biden administration offered a tax credit to SMBs who offered paid time off to staff to get vaccinated and recover.

Popular journaling app Day One, which was recently acquired by WordPress.com owner Automattic, rolled out a new “Concealed Journals” feature that lets users hide content from others’ viewing. By tapping the eye icon, the content can be easily concealed on a journal by journal basis, which can be useful for those who write to their journal in public, like coffee shops or public transportation.

Edtech

Recently IPO’d language learning app Duolingo is developing a math app for kids. The company says it’s still “very early” in the development process, but will announce more details at its annual conference, Duocon, later this month.

Educational publisher Pearson launched an app that offers U.S. students access to its 1,500 titles for a monthly subscription of $14.99. the Pearson+ mobile app (ack, another +), also offers the option of paying $9.99 per month for access to a single textbook for a minimum of four months.

News & Reading

Quora jumps into the subscription economy. Still not profitable from ads alone, Quora announced two new products that allow its expert creators to monetize their content on its service. With Quora+ ($5/mo or $50/yr), subscribers can pay for any content that a creator paywalls. Creators can choose to enable a adaptive paywall that will use an algorithm to determine when to show the paywall. Another product, Spaces, lets creators write paywalled publications on Quora, similar to Substack. But only a 5% cut goes to Quora, instead of 10% on Substack.

Utilities

Google Maps on iOS added a new live location-sharing feature for iMessage users, allowing them to more easily show your ETA with friends and even how much battery life you have left. The feature competes with iMessage’s built-in location-sharing feature, and offers location sharing of 1 hour up to 3 days. The app also gained a dark mode.

Security & Privacy

Controversial crime app Citizen launched a $20 per month “Protect” service that includes live agent support (who can refer calls to 911 if need be). The agents can gather your precise location, alert your designated emergency contacts, help you navigate to a safe location and monitor the situation until you feel safe. The system of live agent support is similar to in-car or in-home security and safety systems, like those from ADT or OnStar, but works with users out in the real world. The controversial part, however, is the company behind the product: Citizen has been making headlines for launching private security fleets outside law enforcement, and recently offered a reward in a manhunt for an innocent person based on unsubstantiated tips.

Funding and M&A

🤝 Square announced its acquisition of the “buy now, pay later” giant AfterPay in a $29 billion deal that values the Australian firm at more than 30% higher than the stock’s last closing price of AUS$96.66. AfterPay has served over 16 million customers and nearly 100,000 merchants globally, to date, and comes at a time when the BNPL space is heating up. Apple has also gotten into the market recently with an Affirm partnership in Canada.

🤝 Gaming giant Zynga acquired Chinese game developer StarLark, the team behind the mobile golf game Golf Rival, from Betta Games for $525 million in both cash and stock. Golf Rival is the second-largest mobile golf game behind Playdemic’s Golf Clash, and EA is in the process of buying that studio for $1.4 billion.

💰  U.K.-based Humanity raised an additional $2.5 million for its app that claims to help slow down aging, bringing the total raise to date to $5 million. Backers include Calm’s co-founders, MyFitness Pal’s co-founder and others in the health space. The app works by benchmarking health advice against real-world data, to help users put better health practices into action.

💰 YELA, a Cameo-like app for the Middle East and South Asia, raised $2 million led by U.S. investors that include Tinder co-founder Justin Mateen and Sean Rad, general partner of RAD Fund. The app is focusing on signing celebrities in the regions it serves, where smartphone penetration is high and over 6% of the population is under 35.

💰 London-based health and wellness app maker Palta raised a $100 million Series B led by VNV Global. The company’s products include Flo.Health, Simple Fasting, Zing Fitness Coach and others, which reach a combined 2.4 million active, paid subscribers. The funds will be used to create more mobile subscription products.

🤝 Emoji database and Wikipedia-like site Emojipedia was acquired by Zedge, the makers of a phone personalization app offering wallpapers, ringtones and more to 35 million MAUs. Deal terms weren’t disclosed. Emojipedia says the deal provides it with more stability and the opportunity for future growth. For Zedge, the deal provides🤨….um, a popular web resource it thinks it can better monetize, we suspect.

💰 Mental health app Revery raised $2 million led by Sequoia Capital India’s Surge program for its app that combines cognitive behavioral therapy for insomnia with mobile gaming concepts. The company will focus on other mental health issues in the future.

💰 London-based Nigerian-operating fintech startup Kuda raised a $55 million Series B, valuing its mobile-first challenger bank at $500 million. The inside round was co-led by Valar Ventures and Target Global.

💰 Vietnamese payments provider VNLife raised $250 million in a round led by U.S.-based General Atlantic and Dragoneer Investment Group. PayPal Ventures and others also participated. The round values the business at over $1 billion.

Downloads

Mastodon for iPhone

Fans of decentralized social media efforts now have a new app. The nonprofit behind the open source decentralized social network Mastodon released an official iPhone app, aimed at making the network more accessible to newcomers. The app allows you to find and follow people and topics; post text, images, GIFs, polls, and videos; and get notified of new replies and reblogs, much like Twitter.

Xingtu

@_666eveITS SO COOL FRFR do u guys want a tutorial? #fypシ #醒图 #醒图app♬ original sound – Ian Asher

TikTok users are teaching each other how to switch over to the Chinese App Store in order to get ahold of the Xingtu app for iOS. (An Android version is also available.) The app offers advanced editing tools that let users edit their face and body, like FaceTune, apply makeup, add filters and more. While image-editing apps can be controversial for how they can impact body acceptance, Xingtu offers a variety of artistic filters which is what’s primarily driving the demand. It’s interesting to see the lengths people will go to just to get a few new filters for their photos — perhaps making a case for Instagram to finally update its Post filters instead of pretending no one cares about their static photos anymore.

Tweets

Facebook still dominating top charts, but not the No. 1 spot:  

Not cool, Apple: 

This user acquisition strategy: 

Maybe Stories don’t work everywhere: 

European refurbished electronics marketplace Refurbed raises $54M Series B

Refurbed, a European marketplace for refurbished electronics which raised a $17 million Series A round of funding last year has now raised a $54 million Series B funding led by Evli Growth Partners and Almaz Capital.

They are joined by existing investors such as Speedinvest, Bonsai Partners and All Iron Ventures, as well as a group of new backers — Hermes GPE, C4 Ventures, SevenVentures, Alpha Associates, Monkfish Equity (Trivago Founders), Kreos, Expon Capital, Isomer Capital and Creas Impact Fund.

Refurbed is an online marketplace for refurbished electronics that are tested and renewed. These then tend to be 40% cheaper than new, and come with a 12-month warranty included. The company claims that in 2020, it grew by 3x and reached more than €100M in GMV.

Operating in Germany, Austria, Ireland, France, Italy and Poland, the startup plans three other countries by the end of 2021.

Riku Asikainen at Evli Growth Partners said: “We see the huge potential behind the way refurbed contributes to a sustainable, circular economy.”

Peter Windischhofer, co-founder of refurbed, told me: “We are cheaper and have a wider product range, with an emphasis on quality. We focus on selling products that look new, so we end up with happy customers who then recommend us to others. It makes people proud to buy refurbished products.”

The startup has 130 refurbishers selling through its marketplace.

Other Players in this space include Back Market (raised €48M), Swappa (US) and Amazon Renew. Refurbed also competes with Rebuy in Germany, Swapbee in Finland.

White-label SaaS shipping startup Outvio closes $3M round led by Change Ventures

Outvio, an Estonian startup that provides a white-label SaaS fulfillment solution for medium-sized and large online retailers in Spain and Estonia, has closed a $3 million early-stage financing round led by Change Ventures. Also participating were TMT Investments (London), Fresco Capital (San Francisco), and Lemonade Stand (Tallinn). Several angels also joined the round including James Berdigans (Printify) and Kristjan Vilosius (Katana MRP). This is the startup’s first institutional round of funding, after bootstrapping since 2018.

Online retailers usually have to use a number of different tools or hire expensive developers to create in-house shipping solutions. Outvio offers online stores of any size a post-purchase shipping experience, which seeks to replicate an Amazon-style experience where customers can also return packages. Among others, itcompetes with ShippyPro, which runs out of Italy and has raised $5 million to date.

Juan Borras, co-founder and CEO of Outvio said: “We can give any online store all the tools needed to offer a superior post-sale customer experience. We can integrate at different points in their fulfilment process, and for large merchants, save them hundreds of thousands in development costs alone.”

He added: “What happens after the purchase is more important than most shops realize. More than 88% of consumers say it is very important for them that retailers proactively communicate every fulfilment and delivery stage. Not doing so, especially if there are problems, often results in losing that client. Our mission is to help online stores streamline everything that happens after the sale, fueling repeat business and brand-loyal customers with the help of a fantastic post-purchase experience.”

Rait Ojasaar, Investment Partner at lead investor Change Ventures commented: “While online retailing has a long way to go, the expectations of consumers are increasing when it comes to delivery time and standards. The same can be said about the online shop operators who increasingly look for more advanced solutions with consumer-like user experience. The Outvio team has understood exactly what the gap in the market is and has done a tremendous job of finding product-market fit with their modern fulfilment SaaS platform.”

Real estate platform Casafari raises $15M to allow PE to buy single-family homes at scale

Just a Spotify used VC and PE backing to acquire the assets of the music industry so that we must now all rent our music via subscription, rather than own it for life, so a PropTech startup plans to follow a similar strategy for single-family homes.

Casafari, a real estate data platform in Europe based out of Lisbon, Portugal, has raised a $15 million Series A funding round led by Prudence Holdings in New York. But, crucially, it has also secured a $120 million “mandate” from Geneva-based private equity investors Stoneweg, among other PE players, in order to buy-to-let residential and commercial real estate. The startup already has operations in Portugal, Spain, France, and Italy.

Other investors include Armilar Venture Partners (the Portuguese VC behind unicorns Outsystems and Feedzai), HJM Holdings, 1Sharpe (founders of Roofstock), and FJ Labs (Fabrice Grinda, founder of OLX Group), as well as existing investor Lakestar.

Founded by Mila Suharev, Nils Henning, and Mitya Moskalchuk in 2018, Casafari is taking advantage of Europe’s often chaotic real estate data to achieve its goals, due to the lack of a unified Multiple Listings Service (“MLS”).

Casafari plans to aggregate, verify and distribute this data via its platform, hunting down single-family homes as an asset class for institutional investors.

According to Nils Henning, CEO, “CASAFARI has built a unique ecosystem, which connects brokers, developers, asset managers, and investors and enables sourcing, valuation, underwriting and deal collaboration on single units in all asset classes. We are very excited to represent important institutional clients like Stoneweg and others, in deploying their capital into fragmented acquisitions at scale, bringing more liquidity to the market and generating more transactions to the broker clients of our platform.”

Private investors are already using the platform. Since launching in 2018, Casafari has been used by Sotheby’s International Realty, Coldwell Banker, RE/MAX franchises, Savills, Fine & Country, Engel & Voelkers, Keller Williams, and important institutional investors and developers like Stoneweg, Kronos, Vanguard, and Vic Properties.

Mila Suharev, Casafari’s Co-CEO and CPO said: ”There are currently around 70 billion euros in dry powder in Europe that could be allocated in acquiring residential property in a buy to let strategy, and basically there’s no offer available. The property will be collected in portfolios, consisting of single units that pension funds, private equity real estate funds, want to build in Europe as they do in the US.”

What Casafari’s is doing is largely following the playbook of what Roofstock in the US did: an online marketplace for investing in leased single-family rental homes. Roofstock has raised $132.3 million to date.

Italy’s DPA fines Glovo-owned Foodinho $3M, orders changes to algorithmic management of riders

Algorithmic management of gig workers has landed Glovo-owned on-demand delivery firm Foodinho in trouble in Italy where the country’s data protection authority issued a €2.6 million penalty (~$3M) yesterday after an investigation found a laundry list of problems.

The delivery company has been ordered to make a number of changes to how it operates in the market, with the Garante’s order giving it two months to correct the most serious violations found, and a further month (so three months total) to amend how its algorithms function — to ensure compliance with privacy legislation, Italy’s workers’ statute and recent legislation protecting platform workers.

One of the issues of concern to the data watchdog is the risk of discrimination arising from a rider rating system operated by Foodinho — which had some 19,000 riders operating on its platform in Italy at the time of the Garante’s investigation.

Likely of relevance here is a long running litigation brought by riders gigging for another food delivery brand in Italy, Foodora, which culminated in a ruling by the country’s Supreme Court last year that asserted riders should be treated as having workers rights, regardless of whether they are employed or self-employed — bolstering the case for challenges against delivery apps that apply algorithms to opaquely micromanage platform workers’ labor.

In the injunction against Foodinho, Italy’s DPA says it found numerous violations of privacy legislation, as well as a risk of discrimination against gig workers based on how Foodinho’s booking and assignments algorithms function, in addition to flagging concerns over how the system uses ratings and reputational mechanisms as further levers of labor control.

Article 22 of the European Union’s General Data Protection Regulation (GDPR) provides protections for individuals against being solely subject to automated decision-making including profiling where such decisions produce a legal or similarly substantial effect (and access to paid work would meet that bar) — giving them the right to get information on a specific decision and object to it and/or ask for human review.

But it does not appear that Foodinho provided riders with such rights, per the Garante’s assessment.

In a press release about the injunction (which we’ve translated from Italian with Google Translate), the watchdog writes:

“The Authority found a series of serious offences, in particular with regard to the algorithms used for the management of workers. The company, for example, had not adequately informed the workers on the functioning of the system and did not guarantee the accuracy and correctness of the results of the algorithmic systems used for the evaluation of the riders. Nor did it guarantee procedures to protect the right to obtain human intervention, express one’s opinion and contest the decisions adopted through the use of the algorithms in question, including the exclusion of a part of the riders from job opportunities.

“The Guarantor has therefore required the company to identify measures to protect the rights and freedoms of riders in the face of automated decisions, including profiling.

The watchdog also says it has asked Foodinho to verify the “accuracy and relevance” of data that feeds the algorithmic management system — listing a wide variety of signals that are factored in (such as chats, emails and phone calls between riders and customer care; geolocation data captured every 15 seconds and displayed on the app map; estimated and actual delivery times; details of the management of the order in progress and those already made; customer and partner feedback; remaining battery level of device etc).

“This is also in order to minimize the risk of errors and distortions which could, for example, lead to the limitation of the deliveries assigned to each rider or to the exclusion itself from the platform. These risks also arise from the rating system,” it goes on, adding: “The company will also need to identify measures that prevent improper or discriminatory use of reputational mechanisms based on customer and business partner feedback.”

Glovo, Foodinho’s parent entity — which is named as the owner of the platform in the Garante’s injunction — was contacted for comment on the injunction.

A company spokesperson told us they were discussing a response — so we’ll update this report if we get one.

Glovo acquired the Italian food delivery company Foodinho back in 2016, making its first foray into international expansion. The Barcelona-based business went on to try to build out a business in the Middle East and LatAm — before retrenching back to largely focus on Southern and Eastern Europe. (In 2018 Glovo also picked up the Foodora brand in Italy, which had been owned by German rival Delivery Hero.)

The Garante says it collaborated with Spain’s privacy watchdog, the AEDP — which is Glovo’s lead data protection supervisor under the GDPR — on the investigation into Foodinho and the platform tech provided to it by Glovo.

Its press release also notes that Glovo is the subject of “an independent procedure” carried out by the AEPD, which it says it’s also assisting with.

The Spanish watchdog confirmed to TechCrunch that joint working between the AEPD and the Garante had resulted in the resolution against the Glovo-owned company, Foodinho.

The AEPD also said it has undertaken its own procedures against Glovo — pointing to a 2019 sanction related to the latter not appointing a data protection officer, as is required by the GDPR. The watchdog later issued Glovo with a fined of €25,000 for that compliance failure.

However it’s not clear why the AEDP has — seemingly — not taken a deep dive look at Glovo’s own compliance with the Article 22 of the GDPR. (We’ve asked it for more on this and will update if we get a response.)

It did point us to recently published guidance on data protection and labor relations, which it worked on with Spain’s Ministry of Labor and the employers and trade union organizations, and which it said includes information on the right of a works council to be informed by a platform company of the parameters on which the algorithms or artificial intelligence systems are based — including “the elaboration of profiles, which may affect the conditions, access and maintenance of employment”.

Earlier this year the Spanish government agreed upon a labor reform to expand the protections available to platform workers by recognizing platform couriers as employees.

The amendments to the Spanish Workers Statute Law were approved by Royal Decree in May — but aren’t due to start being applied until the middle of next month, per El Pais.

Notably, the reform also contains a provision that requires workers’ legal representatives to be informed of the criteria powering any algorithms or AI systems that are used to manage them and which may affect their working conditions — such as those affecting access to employment or rating systems that monitor performance or profile workers. And that additional incoming algorithmic transparency provision has evidently been factored into the AEPD’s guidance.

So it may be that the watchdog is giving affected platforms like Glovo a few months’ grace to allow them to get their systems in order for the new rules.

Spanish labor law also of course remains distinct to Italian law, so there will be ongoing differences of application related to elements that concern delivery apps, regardless of what appears to be a similar trajectory on the issue of expanding platform workers rights.

Back in January, for example, an Italian court found that a reputation-ranking algorithm that had been used by another on-demand delivery app, Deliveroo, had discriminated against riders because it had failed to distinguish between legally protected reasons for withholding labour (e.g., because a rider was sick; or exercising their protected right to strike) and other reasons for not being as productive as they’d indicated they would be.

In that case, Deliveroo said the judgement referred to a historic booking system that it said was no longer used in Italy or any other markets.

More recently a tribunal ruling in Bologna — found a Collective Bargaining Agreement signed by, AssoDelivery, a trade association that represents a number of delivery platforms in the market (including Deliveroo and Glovo), and a minority union with far right affiliations, the UGL trade union, to be unlawful.

Deliveroo told us it planned to appeal that ruling.

The agreement attracted controversy because it seeks to derogate unfavorably from Italian law that protects workers and the signing trade body is not representative enough in the sector.

Zooming out, EU lawmakers are also looking at the issue of platform workers rights — kicking off a consultation in February on how to improve working conditions for gig workers, with the possibility that Brussels could propose legislation later this year.

However platform giants have seen the exercise as an opportunity to lobby for deregulation — pushing to reduce employment standards for gig workers across the EU. The strategy looks intended to circumvent or at least try to limit momentum for beefed up rules coming a national level, such as Spain’s labor reform.