Music streaming market leader Spotify has decided that it wants to know a lot more about you. It wants to be able to access the sensor information on your phone so it can determine whether you’re walking, running or standing still. It wants to know your GPS coordinates, grab photos from your phone and look through your contacts too. And it may share that information with its partners, so a whole load of companies could know exactly where you are and what you’re up to.
This has all been made apparent by a rather significant update to the Spotify privacy policy, pushed out to users today. Upon opening the Spotify app up this morning, your reporter was greeted with a request to agree to the new conditions. A quick comparison with the previous privacy policy using the Wayback Machine showed some major changes had been made. I’m now considering whether the £10 I pay for a premium membership is worth it, given the amount of privacy I’d be giving away by consenting.
Here are the two key sections from the “Information We Collect” section of the new policy, which show just how far the company wants to reach into your phone:
3.3 Information Stored on Your Mobile Device
With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.
3.4 Location and sensor information
Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).
Why does Spotify need your photos? And your contacts?
It gets worse. Another update includes a provision to collect voice commands where users have given permission (it’s unclear what form of permission). And whilst Spotify could always track your requests and searches, its updated policy permits it to get the date and time of your queries.
The company will also be reaching out to other partners to harvest more information on you, according to another new section of the document:
3.8 Spotify service providers and partners
We may also receive information about you from our service providers and partners, which we use to personalise your Spotify experience, to measure ad quality and responses to ads, and to display ads that are more likely to be relevant to you.
And here's how Spotify says it shares information with advertisers and third parties, which provides some comfort on how identities are linked to the data that's shared:
5.2.1 Marketing and advertising
We may share information with advertising partners in order to send you promotional communications about Spotify or to show you more tailored content, including relevant advertising for products and services that may be of interest to you, and to understand how users interact with advertisements. The information we share is in a de-identified format (for example, through the use of hashing) that does not personally identify you.
The vague policy also doesn't make it clear what kinds of information would or wouldn't be collected and shared.
One wonders whether the arrival of Apple Music has spurred Spotify on to increase its revenue by collecting users' most private data. It may be providing some useful additional services, such as its running feature, hence the need for the sensor data. But at what cost? What about those customers who don't use the services that take advantage of the extra data collection?
What’s equally perturbing is that it does not appear to matter whether you’re a paying customer or a freemium user. It should now be apparent to most that no web service is free - if you’re not paying in money, you’re paying in personal data. But Spotify doesn’t believe those who pay deserve a more private service. It seems there’s little option either to quit Spotify or accept the conditions of a company that has not only been questioned over its ethical treatment of musicians but will now face questions over its respect for customers’ private lives.
Anyone upset by these changes can send complaints to privacy@spotify.com or send a letter to the company's privacy representative by sending a letter to Spotify, Attn: Privacy Officer, Legal Department, 45 West 18th Street, 7th Floor, New York, NY 10011, United States.
UPDATE Spotify offered the following comment over email: "Spotify is constantly innovating and evolving its service to deliver the best possible experience for our users. This means delivering the perfect recommendations for every moment, and helping you to enjoy, discover and share more music than ever before.
"The data accessed simply helps us to tailor improved experiences to our users, and build new and personalised products for the future. Recent new features include Spotify Running, which matches the BPM of your music to the pace of your run, or the new Discover Weekly feature, which curates a weekly playlist based on your tastes.
"Throughout, the privacy and security of our customers' data is - and will remain - Spotify's highest priority."
The company later apologised for miscommunicating the privacy policy and subsequently updated it to make it clear just how it was collecting information.
