A national police force has, for the first time to my knowledge, opened a criminal investigation into the deployment of adtech surveillance to a person's device without consent. It has taken eighteen years.
Datatilsynet just fined Elkjop NOK 20 million (€1.8m) for the forced consent in its loyalty club — five years after I told their DPO it was unlawful.
Amazon's Ring Familiar Faces biometrically scans every person who approaches a Ring doorbell, performs the match in Amazon's cloud rather than on the device that could have done it locally, and stores faceprints of non-consenting strangers for up to thirty days. The architectural choice produces two independent breaches: a GDPR exposure the household-activity defence cannot reach, and an avoidable datacentre carbon cost that brings the feature within the conceptual territory of the Environmental Crimes Directive. This piece walks through Articles 5, 6, 9, 13 and 25 GDPR, the Lindqvist, Rynes, Fashion ID and Jehovan todistajat line of CJEU authority, and Directive (EU) 2024/1203, and asks the regulators directly when biometric mass-processing of non-consenting people will be treated as the breach it plainly is.
Google has quietly removed the privacy assurance from Chrome's on-device AI Settings UI. The sentence promising that the model runs locally without sending data to Google's servers has been deleted, and the toggle moved out of the System block to reduce the chance the change is noticed. There are three plausible reasons for that, and each is a serious problem for users. This piece walks through the legal exposure under the EU Unfair Commercial Practices Directive, Section 5 of the FTC Act, and Articles 13(4) and 5(2) of the Digital Markets Act, and asks Parisa Tabriz directly why the assurance was withdrawn.
Every CMP I have looked at in fifteen years sets a cookie before the user has consented to anything. That is a direct breach of Article 5(3) of the ePrivacy Directive, restated by the CJEU in Planet49 (C-673/17), and reinforced by the Belgian decision against the IAB TCF. This piece explains, step by step, what a lawful consent flow actually looks like and why every cookie banner you have ever seen is wrong.
Google's Chrome boss Parisa Tabriz tells the press that users can simply opt out of the unsolicited Gemini Nano install. Google's own Chrome manifest proves the opposite. Chrome reached into the device, flipped the flag, downloaded the 4 GB model and only then surfaced the settings UI after the fact. Opt-out is not the legal standard here — opt-in is. This piece walks through why the public PR statements are demonstrably false against Google's own logs, and why a half-truth response to evidence is its own kind of harm.
