Schedule Demo
GDPR 3 Minute Read

Is Spotify's Privacy Policy asking for too much?

Spotify made headlines for all the wrong reasons when it unveiled its latest privacy policy last week. The media soon discovered the proposed changes and details of how the new policy expands the breadth of data that can now be collected went viral. The music streaming giant’s CEO immediately apologised in response to a public outcry against the company’s plans to collect data from its users. 

The new privacy policy (see here), states that Spotify may now gather the following data:
• Information stored on mobile devices such as contacts, photos and media files
• Geolocation and sensor (speed of movement) data
• Voice commands (if the user has ‘opted in to share’ that information)

In his subsequent blog post, Spotify CEO Daniel Elk apologised for the commotion caused, saying that users do not have to share this kind of information if they do not wish to. Elk also stated that the company should have done a better job in communicating its intentions and promised to present an improved revised privacy policy in the coming weeks.

However, in addition to the data retention mentioned above, Spotify’s new privacy policy also states that all data collected may be used by “trusted business and service providers” even if they are located in different countries to the user. There are fears therefore that Spotify’s lack of transparency in its practice of data collection and use thereafter is an indication of how privacy policies can be abused in order to exploit user data once consent has been given. Consumers do not typically read privacy policies and simply click “I agree” in order to gain access to a service that is often provided to them free of charge. They often hand over access to personal data without realising the extent, or possible consequences, of their actions. 

Spotify now has 60 million users in 58 countries and offers access via a two-tiered model: Subscribers can listen to music accompanied by ads for free, or they can pay €9.99 a month and bypass advertising. Yet despite its position as the most popular music streaming service in the world, Spotify is still operating at a significant loss: In 2014 the company reported net losses of €173 million, up from a loss of €55 million in 2013, despite a 45 percent increase in revenue. Also, there is now increased competition from recently launched streaming services such as Google Play, Apple Music and the Jay-Z-owned Tidal. Cynics, therefore, claim that Mr Elk’s public apology is a consequence of media exposure only, and that Spotify’s attempts to increase its access to data is typical of sinister corporate policies to maximize financial return from the collection and storage of data. As Paul Mason opinioned (see here), Spotify’s real intention is not to make the user experience better but rather “to commercialise the aggregated knowledge it gets for free when we interact on the network. The control and knowledge over the aggregated data will be for Spotify, not us.” 

CEO Daniel Elk affirms that “The privacy and security of our customers’ data is – and will remain – Spotify’s highest priority,”. Nevertheless, his company wants to collect data unrelated to music such as contacts, photos or media files. It also wants to know where you’re going and how fast you are getting there. It may be overly simplistic to compare these contrasting intentions and it will be interesting to see whether the proposed update makes any changes to the controversial privacy policy. An organisation must have a legitimate specific purpose for collecting personal data and Spotify’s argument for collecting the aforementioned information – facilitating an enhanced experience for users – appears to be a weak excuse for such a substantial infringement. Irrespective of Spotify’s intentions however, this exposure of corporate data privacy policy confirms that little comes for free in the digital age, and that everything, even rock ‘n’ roll, is now considered fair game.