This post was originally published on August 25, 2015.
When Spotify launched in 2008, it was heralded as a return to the glory days of Napster, when all music was free. In a sense, this is still true; Spotify Free lets you listen to any song in its extensive library without paying a dime, and the service accomplishes this miracle through advertising and its paid premium option.
Access to your photos and contacts
Access to your location
Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).
Permission to share your data with third parties
We may share information with advertising partners in order to send you promotional communications about Spotify or to show you more tailored content, including relevant advertising for products and services that may be of interest to you, and to understand how users interact with advertisements. The information we share is in a de-identified format (for example, through the use of hashing) that does not personally identify you.
Clearly, a music player doesn’t need to see your photos or know whether you are standing still, jogging, or flying through the streets on your bicycle. Nor does it need to share this data with anyone else. Many users tweeted that they were cancelling their accounts, and shared articles decrying the update on social media.
Here are some of the angriest tweets from people around the world:
There, @Spotify account ended. I suggest you do the same. Privacy policies like that must die. I’ll happily resume sub after remedies.
— Henrik Pettersson (@carnalizer) August 21, 2015
Thankfully, not lost among the outcry was an official response from Daniel Ek, CEO of Spotify. It was short and sweet, addressing each of the major concerns above:
We will never access your photos without explicit permission and we will never scan or import your photo library or camera roll. If you give us permission to access photos, we will only use or access images that you specifically choose to share. Those photos would only be used in ways you choose and control – to create personalized cover art for a playlist or to change your profile image, for example.
We will never scan or import your contacts without your permission. Spotify is a social platform and many people like to share playlists and music they discover with their friends. In the future, we may want to give you the ability to find your friends on Spotify by searching for Spotify users in your contacts if you choose to do that.
We will never gather or use the location of your mobile device without your explicit permission. We would use it to help personalize recommendations or to keep you up to date about music trending in your area. And if you choose to share location information but later change your mind, you will always have the ability to stop sharing.
Likewise, although most casual users probably don’t use Spotify as a social network, following friends’ playlists is a favorite pastime for power users, and accessing your contacts is the most convenient way to do that. Ek promises the app will use these powers responsibly, requiring permission before each individual act of data collection.
Whether or not you trust Spotify to use your data responsibly and on a case-by-case basis, Ek makes another fair point about this data collection not being new. Wired points out a host of other popular streaming music services like Pandora, Rdio, and Google Play Music that make similar demands of their users. That doesn’t make it okay, but it does reveal that Spotify is simply following a precedent, and at least attempting to be fairly upfront about it.
This problem is systemic. Instead of requiring all users to sign a blanket agreement before they can use even basic functionality, these demands should pop up only after a user tries to use a special function that requires special access, like adding photos or friends. Then, adding an option to consent to “this and all future actions” should reduce the compromise on usability.
Note: case-by-case permissions are already active in iOS, but Android users will have to wait until the release of Android 6.0 Marshmallow later this year to opt in.