As I hurry to play a song that is stuck in my head, a pop-up comes onto my phone screen, telling me about Spotify’s privacy agreement. Annoyed, I quickly exit out of it and continue to search for my song. Because of my Black Mirror and Digital Culture class, I feel a little guilty for this, but who actually has the time to read the whole thing anyways? Now, I guess I do.
I pull up the privacy policy on my laptop, and am actually shocked by how much easier it is to read than the statements of other companies that I have seen. Instead of the typical small black font on the all-white background, Spotify uses a nicely spaced font, with section headers in the company’s typical green color.
Spotify’s privacy policy opens with an introduction, which claims that they “want to transparently explain how and why we gather, store, share and use your personal data,” which seems like a nice thought. In my opinion, they are already doing a better job than most other corporations with regards to transparency. This intro is then followed by a section titled “About this Policy,” which essentially states why the Policy was made: to help users understand what is done with data, and explain your rights and options with regards to this data.
The next section talks about the rights a user has with regards to their own data, the most important of which are the rights to access your data, delete your data, and object to the use of your data. Something that I found interesting was that almost all of these rights were preceded by “request,” leading me to believe that a user’s request could be denied. This section of the privacy policy also mentions the fact that you can control “some of the categories of personal data [they] process about you,” and the ability to change your notification settings.
The policy then goes on to outline the ways in which data is collected from a user, such as signing up, usage of the app, “personal data,” and the most disturbing of all: data from third parties. This led me to wonder: what third parties does Spotify partner with, and what information do those third parties have that Spotify wants?
Next, the Policy goes more in depth as to what personal data really is. This data includes “Account Registration Data,” “Spotify Service Usage Data,” “Voluntary Mobile Data,” “Payment Data,” “Contests, Surveys and Sweepstakes Data,” and “Marketing Data.” Spotify then goes on to explain what this data is used for, setting up a chart that lists the “processing purpose,” “legal basis for the processing purpose,” and “categories of personal data used by Spotify for the processing purpose.” I found the last column the most helpful, because it makes it easy to see exactly what kind of personal data is being used for what purpose. Essentially, the processing purposes include improving your Spotify experience, understanding how you use Spotify, communicating, payment processing, and providing content. All of these uses seem pretty standard; the only thing that really stood out to me was the first description, which said, “to provide, personalize, and improve your experience with the Spotify Service and other services and products provided by Spotify, for example by providing customized, personalized, or localized content, recommendations, features, and advertising on or outside of the Spotify Service (including for third party products and services).” Again, information of users is being shared with third parties, but Spotify never states which ones. Third parties come up again in the next section, where Spotify outlines who receives your personal data. Recipients that you can choose to share your information with include: third parties (who could have guessed!), the Spotify Support committee, your followers, and artists/record labels. Recipients that Spotify “may share” (and probably do share) your data with are service providers “and others” (how vague!), Spotify partners, academic researchers, “other Spotify group companies,” “law enforcement and data protection authorities” (because apparently your Spotify data can be valuable to the cops; who knew!), and buyers or prospective buyers of Spotify. Almost none of these groups are extrapolated on; for example, I have no idea what Spotify Group Companies are, and I probably never will.
The rest of the policy is pretty short. It outlines that your data:
- is kept as long as you are a Spotify user, but you can request to delete or anonymize your data
- is shared globally (with 24 countries, to be exact)
- is protected, but “no system is completely secure”
It also states that links in advertisements are not associated with Spotify, children under 13 are not advised to use Spotify, changes can be made to the policy, and you can contact them with any questions.
In my opinion, this privacy policy definitely could have been worse! It was pretty organized and easy to read, contrary to what we had talked about in my DCI 180 class, in which we said that companies usually try and make their policies unreadable. However, it was still extremely vague in most sections, like most privacy policies are.
This activity reminded me of the Vice article “The Data That Turned the World Upside Down” about Facebook and Cambridge Analytica’s impact on the 2016 election. It could be possible that Spotify is giving companies access to our data and using it to gain information about us in order to conduct similar results.
I talked to my friend Carson, a fellow Spotify user, to ask him if they knew anything about the privacy policy. (He mentions Facebook as well, which I had talked to him about a week or two ago.)
Overall, I think this experience was extremely helpful not only because I was able to educate myself about a service I use, but also, I hope to educate others on the information they are giving to Spotify and other companies.
Do you plan on reading privacy policies now?
Citations
Grassegger, Hannes, and Mikael Krogerus. “The Data That Turned the World Upside Down.” Vice, 28 Jan. 2017, www.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win.
“Spotify Privacy Policy.” Spotify.com, Spotify, 25 May 2018, www.spotify.com/us/legal/privacy-policy/?tblang=french.
