What Does Spotify’s New Privacy Policy Actually Say, And Should I Be Worried?

Spotify has basically run away with the music market over the last couple of years, boasting over 75 million active users. But the popular streaming service ticked off a bunch of those customers this week when it updated its privacy policy and user terms and conditions. And their timing couldn’t have been worse: the combination of seeming to add a dramatic and invasive new set of permissions to their apps, in a week when privacy concerns and hacks are already the top headline, set off an angry internet firestorm.

The new privacy policy has garnered criticism for a few clauses in particular. Those sentences say that Spotify “may collect information stored on your mobile device, such as contacts, photos, or media files,” which does actually sound pretty creepy, and also that Spotify may “collect information about your location based on… your phone’s GPS location or other forms of locating mobile devices (e.g. Bluetooth).”

Wired calls the new policy “eerie” and advises readers they can’t do squat about it. The Verge counters that everyone — including Wired — is overreacting. And Spotify had to issue a clarification and apology today going over the changes, and the permissions it requests.

So who’s right? Everyone, in part.

Wired is right because of the broader context, which is: most privacy policies are terrible. They do not guarantee you privacy; they just outline and detail the ways in which you do not have any. They are not protection but rather, explanation.

Spotify’s clarification about the ways in which it plans to limit the collection and use of data helps, but doesn’t eliminate the core problem, which is that lots of apps and services just rake in mountains of data, without even having clear plans for why they want to sit on that treasure trove of personal information. Or worse, that they do have a clear plan, and that plan is “sell it to advertisers and third parties.”

The Verge is right, on the other hand, because Spotify is probably not up to nefarious no-good wholesale resale of consumer data. As the official apology and The Verge’s analysis both point out, these permissions make it easier for Spotify to continue to add new, optional features to their service that a lot of users will probably really like. And if you want an app to do cool aggregative or predictive or customized things for you, or if you want to be one of the 50 million users sticking with the free, ad-supported version of the service, it needs information to do those things with. Thus, your data.

So how much you personally will want to freak out depends on how much data you, personally, are comfortable with Spotify accessing.

Spotify promises repeatedly in their update that they are all about clarity and permission. The running theme of their entire statement is: no, seriously, we will only collect and use this information if you let us. In theory, Spotify will explicitly ask you specifically for permission before accessing any particular stuff on your phone, and you can say no.

“Let me be crystal clear here: If you don’t want to share this kind of information, you don’t have to,” writes CEO Daniel Ek. “We will ask for your express permission before accessing any of this data – and we will only use it for specific purposes that will allow you to customize your Spotify experience.”

That level of user control, Ek continues, applies to photos, location, voice (microphone), and contacts. As for data sharing, Spotify points out that sharing information with mobile carriers, rights holders, and advertisers is universal and the way that the entire system of mobile apps and streaming services works.

The thing about explicit permissions, though, is that they’re not always all that explicit. Much of the time, they show up in a vague general dump when you update or install the app, and hitting “okay” counts as explicitly accepting all the terms. Phone software makers (Apple and Google) have gotten much better over time about letting users choose which permissions they grant or reject at the time they install an app, but there’s still room for improvement.

But after this little tempest, it seems likely that Spotify, at least, will err on the side of caution going forward when it asks to poke around in your stuff.