When Spotify launched in 2008, it was heralded as a return to the glory days of Napster, when all music was free. In a sense, this is still true; Spotify Free lets you listen to any song in its extensive library without paying a dime, and the service accomplishes this miracle through advertising and its paid premium option.
But a recent update to Spotify’s privacy policy reminds us of a third resource that Spotify and other free services often leverage to finance their “free” services: your data.
The update
Last week Spotify users were asked to consent to a new privacy policy. Most of them likely didn’t bat an eye, but those who were paying attention noticed some suspicious new demands:
Access to your photos and contacts
With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.
Access to your location
Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).
Permission to share your data with third parties
We may share information with advertising partners in order to send you promotional communications about Spotify or to show you more tailored content, including relevant advertising for products and services that may be of interest to you, and to understand how users interact with advertisements. The information we share is in a de-identified format (for example, through the use of hashing) that does not personally identify you.
Clearly a music player doesn’t need to see your photos or know whether you are standing still, jogging, or flying through the streets on your bicycle. Nor does it need to share this data with anyone else. Many users tweeted to say they were cancelling their accounts and shared articles all decrying the update on social media.
Here are some of the angriest tweets from people around the world:
There, @Spotify account ended. I suggest you do the same. Privacy policies like that must die. I’ll happily resume sub after remedies.
— Henrik Pettersson (@carnalizer) August 21, 2015
@Spotify I loved you like no other music service but now you want to mine my personal life. I thought this was special. #cancelspotify — diegomcnamara (@diegomcnamara) August 21, 2015
Subscription cancelled @Spotify after 7 years. Shameful new ‘privacy’ #cancelspotify yourself #spotify #spotify https://t.co/wy7UDQBpxG — Hadouken Hobbit (@Ryu1303) August 21, 2015
The apology
Thankfully, not lost among the outcry was an official response from Daniel Ek, CEO of Spotify. It was short and sweet, addressing each of the major concerns above:
Photos
We will never access your photos without explicit permission and we will never scan or import your photo library or camera roll. If you give us permission to access photos, we will only use or access images that you specifically choose to share. Those photos would only be used in ways you choose and control – to create personalized cover art for a playlist or to change your profile image, for example.
Contacts
We will never scan or import your contacts without your permission. Spotify is a social platform and many people like to share playlists and music they discover with their friends. In the future, we may want to give you the ability to find your friends on Spotify by searching for Spotify users in your contacts if you choose to do that.
Location
We will never gather or use the location of your mobile device without your explicit permission. We would use it to help personalize recommendations or to keep you up to date about music trending in your area. And if you choose to share location information but later change your mind, you will always have the ability to stop sharing.
Sharing
The Privacy Policy also mentions advertisers, rights holders and mobile networks. This is not new. With regard to mobile networks, some Spotify subscribers sign up through their mobile provider, which means some information is shared with them by necessity. We also share some data with our partners who help us with marketing and advertising efforts, but this information is de-identified – your personal information is not shared with them.
Ek’s statement reveals a fair point about the new privacy policy: access to a device’s photo library is necessary for legitimate features as mundane as customizing your album artwork, as Ek mentioned in a Twitter exchange with Minecraft creator Markus Persson.
@eldsjal This is a bizarre reply. It needs access to them to be able to let you do so. There’s NO NEED for anything like that for music. — Markus Persson (@notch) August 21, 2015
Likewise, although most casual users probably don’t use Spotify as a social network, following friends’ playlists is a favorite pastime for power users, and accessing your contacts is the most convenient way to do that. Ek promises the app will use these powers responsibly, requiring permission before each individual act of data collection.
The lesson
Whether or not you trust Spotify to use your data responsibly and on a case-by-case basis, Ek makes another fair point about this data collection not being new. Wired points out a host of other popular streaming music services like Pandora, Rdio, and Google Play Music that make similar demands of their users. That doesn’t make it okay, but it does reveal that Spotify is simply following a precedent, and at least attempting to be fairly upfront about it.
This problem is systemic. Instead of requiring all users to sign a blanket agreement before they can use even basic functionality, these demands should pop up only after a user tries to use a special function that requires special access, like adding photos or friends. Then, adding an option to consent to “this and all future actions” should reduce the compromise on usability.
Note: case-by-case permissions are already active in iOS, but Android users will have to wait until the release of Android 6.0 Marshmallow later this year to opt in.
Featured image: guteksk7 / Dollar Photo Club