Spotify’s New Privacy Policy Is Downright Invasive (But They’re Sorry)

Update: Spotify’s CEO Daniel Ek has apologized for being invasive. They’re going to try to figure out how to word all this better.

It looks like Spotify is trying to give users a good reason to switch to Apple Music. As first reported in Forbes, Spotify’s new privacy policy is particularly invasive. Here are some of the more egregious sections:

3.3 Information Stored on Your Mobile Device
With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.

3.4 Location and sensor information
Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).

Spotify seems to want to peer into much of your personal data: contacts, photos, media files. To be fair, this section doesn’t mean that it’s going to scan your entire device; it may simply mean that it will need permission to access your contacts to allow you to search for users based on their email addresses, or that it needs access to your photos to allow you to choose a photo for your profile. However, the privacy policy does not specify this, and it would be a good idea for Spotify to make such things clearer. And media files? Well, it can play back files that you’ve synced to your device, so there’s nothing invasive about that.

The sensor data – your pace – is needed for Spotify’s new feature of playlists that match your running speed. The location data is a bit more worrisome; I really don’t want Spotify to track where I am.

Spotify also wants to monetize you. And that’s what’s invasive.

3.8 Spotify service providers and partners
We may also receive information about you from our service providers and partners, which we use to personalise your Spotify experience, to measure ad quality and responses to ads, and to display ads that are more likely to be relevant to you.

5.2.1 Marketing and advertising
We may share information with advertising partners in order to send you promotional communications about Spotify or to show you more tailored content, including relevant advertising for products and services that may be of interest to you, and to understand how users interact with advertisements. The information we share is in a de-identified format (for example, through the use of hashing) that does not personally identify you.

So they want to spam you.

Finally, they want to use and share your payment data, even with companies that may be outside the country you live in, and even if it is, according to local law, information that is not allowed to be shared:

BY ACCEPTING THE PRIVACY POLICY, YOU EXPRESSLY AUTHORISE SPOTIFY TO USE AND SHARE WITH OTHER COMPANIES IN THE SPOTIFY GROUP, AS WELL AS CERTAIN TRUSTED BUSINESS PARTNERS AND SERVICE PROVIDERS, WHICH MAY BE LOCATED OUTSIDE OF THE COUNTRY OF YOUR RESIDENCE (INCLUDING COUNTRIES WHICH DO NOT PROVIDE THE SAME LEVEL OF PROTECTION FOR THE PROCESSING OF PERSONAL DATA AS THE COUNTRY OF YOUR RESIDENCE), THE INFORMATION PROVIDED BY YOU TO SPOTIFY, EVEN IF SUCH INFORMATION IS COVERED BY LOCAL BANKING SECRECY LAWS. YOU ACKNOWLEDGE AND AGREE TO THE IMPORTANCE OF SHARING SUCH INFORMATION FOR THE PROVISION OF THE SPOTIFY SERVICE AND ALSO AGREE THAT, BY ACCEPTING THIS PRIVACY POLICY, WHERE APPLICABLE AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, YOU EXPRESSLY WAIVE YOUR RIGHTS UNDER SUCH BANK SECRECY LAWS WITH REGARD TO SPOTIFY, ANY COMPANY IN THE SPOTIFY GROUP, AND ANY TRUSTED BUSINESS PARTNERS AND SERVICE PROVIDERS, WHICH MAY BE LOCATED OUTSIDE YOUR COUNTRY OF RESIDENCE. THIS CONSENT IS GIVEN FOR THE DURATION OF YOUR RELATIONSHIP WITH SPOTIFY.

(Sorry for the all caps; that’s how it appears in Spotify’s privacy policy.)

Finally, Spotify reserves the right to sell your personal data:

5.2.5 Other sharing

In addition to the above, we may also share your information with third parties for these limited purposes:

to allow a merger, acquisition, or sale of all or a portion of our assets;

Most people will simply ignore this. But if you do care about privacy, it might be time to check out that free Apple Music trial.

19 thoughts on “Spotify’s New Privacy Policy Is Downright Invasive (But They’re Sorry)”

  1. Spotify are being upfront and honest.
    Kirk, this Forbes article has a whiff of scaremongering about it. If you select NO, to access to contacts, and NO, to your location, can Spotify still access those areas without your knowledge? I doubt iOS would allow that.
    Many apps get access to things you’d rather not give access to because iOS allows it by default, but location, photos, and contacts need to be explicitly allowed. Or am I wrong/missing the point/being stoopid, or a combination of all three…?

    A VAST majority of apps have zero value and exist merely to collate data. Maybe Apple don’t share (as much, they do share) but they do get to know this stuff too. Trust Apple? Less and less, especially where (my) music is concerned…

    • As with the above comment, I routinely turn off location access on my devices, allowing it only for cases such as Google Maps. Similarly, I always prevent apps from accessing my Contacts too. Does Spotify over-ride those settings? I agree with the above comment, that perhaps Spotify is just being upfront…
      I’m a paying Spotify customer, if they start hitting me with adverts, I’d be likely to close my account.
      What are Apple Music’s T&Cs around privacy and data harvesting?

    • As I explain in the first part, there are logical reasons for needing access to contacts and photos. You can, of course, turn these off on iOS, if you know where to look. (Settings > Privacy) But it’s the later stuff that’s more worrisome, the bit about selling your data, and the fact that data can be stored in different countries, which may actually be a violation of EU law.

    • Spotify is absolutely not being upfront and honest which is really obvious. They said little until they got caught and they are still saying little. This is all about them selling your personal data to advertisers, Facebook etc. Not hard to figure out.

      • Hello Nowhere,
        Spotify are being honest and upfront. They’re apologising for sake of the media.

        Don’t infer from my post I condone weasel worded “agreements” (not saying that you or people are), I don’t like them either. But they have been inflated, and I’m surprised at Kirk making a post out of the Forbes article (who have no interest in Spotify bashing, now have they…?). These conditions are no different, if not less invasive, to other music apps, or of photo apps, where uploaded personal pics often become automatic property of whichever corporation you upload to.

        Talking of personal data, take a look at the click/share links on this very page, Twitter, Facebook, Google, not to mention the ubiquitous GoogleAnalytics.

        And yes Apple do the same but perhaps don’t monetise it as overtly as the above, but my goodness, they really will not stop until the music industry is merely something they alone can sanction…

        Oh, I’m sorry, wrong meeting…

        • You’re being unfair. I made it very clear in my article why I felt they were asking permission, and the thing I griped about was the fact that they say that they may sell your data to third parties (as well as sharing it now).

          As for this site, you’ll see there are only two trackers (if you use something like Ghostery): WordPress stats and Google Analytics, which I need to be able to have valid stats for sponsors. All of the share buttons are passive, which means they don’t ping Twitter, Facebook, etc. on page loads. I’ve done this intentionally to not slow down the site, and to not have them tracking users.

          • I’m sorry you think I’m being unfair. But in essence we agree, ultimately Apple “win” because of the lesser 3rd party privacy invasions they have. Because surely we’re not disagreeing that Apple ultimately get your personal info (one way or another)?

            You said the terms were “down right invasive” and called them “egregious”, going on to say “Spotify seem to want to peer into much of your personal data”. Well, no, they are explaining in very clear terms some options they are implementing, all of which you can say no to. (I’ll get to selling data)

            But really, come on? Shock! Horror! Large software company wants access to your contacts, photos, location. I don’t know of many apps in which this is not typical, do you? Where upon installing one goes straight to settings and switches that off (vainly hoping it’ll stem the ferocious tide of data harvesting). So why single out a social music app like Spotify?
            The terms are typical. Not great, just typical.

            Would saying “I don’t really want Spotify to track” me when you know very well it’s a simple button choice be considered inflated? But a choice was made to chime in with Forbes rather than downplay. And this is not just an Apple option, all software companies (Android) allow you to turn off location, easily. But that’s not even the point, your location will be triangulated in other ways, of which there is no way to circumvent.

            As for selling data, this is a huge subject. All long term (5yrs+) smartphone users must have inadvertently “given away” personal info that has been sold on to 3rd parties, (even anonymously – Apple) but isn’t that how large and small software developers make some money? This is partly to do with the almost criminal app store system.
            Data is a much bigger conversation that stretches throughout the software universe, if we are to hold Apple products in high esteem merely for lesser data selling then it’ll be a short discussion. Expect no personal privacy or scruples when it comes to software companies.

            I mentioned your buttons to show just how close we all are to giving our data over to companies whose privacy terms are vaguer or suspect still.

            I still like the blog! :)

            • I’ve read that Android doesn’t currently give you the same granular permissions as iOS does, but that the next version, Marshmallow, will. I don’t know Android well enough to know if this is the case though. So, while iOS users can temper Spotify’s access, Android users cannot currently do so. And it’s not a simple button choice, there are several options in iOS that need to be adjusted.

              I think they are invasive and egregious, because what the overall privacy policy suggests is that they will be retaining your data and selling it to third parties.

              And, again, my buttons don’t collect any data. You will need to be signed into Twitter or Facebook to share articles, but the buttons themselves only make the sharing process easier, they don’t collect anything.

  2. Have you noticed that replies added, using the reply button under specific posts, forces the text further and further to a narrow text box to the right?

    • Yes, each reply is indented to make it easier to follow threads. And I’ve set the limit to five posts in a thread, and I know it’s not perfect, because then you can’t reply to a thread correctly. It’s on my to-do list to make this a bit better. I tried Disqus, but it was a failure, since it didn’t import all my comments correctly. And, it would be another element slowing down page loads and collecting data.

  3. In which case is there the option to make the indents narrower?
    Not sure I can upload a pic here but by 3 replies the text is basically single letters on the right.

    Disqus = No! Correct!

      • Yes, I guess handhelds, smaller screens. It’s a problem I only see with your blog. And yet I still read it… ;)
        This is going off topic now…
        perhaps we (I) will save this for another post…

    • Can’t you use landscape mode? That’s what I always do on mobile websites that don’t render well in portrait.
