Privacy Please is an ongoing series exploring how privacy is violated in the modern world, and what you can do about it.
Spotify is listening to you.
It sounds like the setup to a bad joke, but the wildly popular music streaming service in fact collects, stores, and shares reams of seemingly mundane user data, adding up to an intrusion that's much more than just the sum of its parts. While Spotify customers are busy rocking out, the company has its metaphorical hands full profiting off the data that rocking generates.
And it generates a surprising amount. What Spotify does with that data, and why that should concern you, are complex questions involving third-party advertisers, densely written terms of service, and inferences drawn from every piece of music or podcast you've ever listened to on the streaming platform.
But according to privacy experts, one aspect of this digital mess is absolutely straightforward: Spotify users should pay attention to how their data is used, and take the available steps to limit that use whenever possible.
Evan Greer, the director of the digital advocacy organization Fight for the Future and musician whose art has addressed this very subject, made that clear over direct message in early April.
"Spotify uses the same surveillance capitalist business model as Facebook and YouTube: they harvest your data and sell access to it to advertisers who think they can use that data to manipulate you into buying their products and services."
If you're a subscriber, you already pay Spotify $9.99 every month. There's no need to passively hand over your valuable personal data free of charge as well. Thankfully, there are steps you can take to limit what Spotify does with its vast repository of data points describing your life — or, at the very least, that make the company's effort to profit off your info just a tad bit more difficult.
What user data Spotify collects
To understand why Spotify's data collection practices might be a matter of concern, it's first important to understand exactly what user data Spotify collects.
Some of it is exactly what one might expect, and is relevant and necessary for Spotify to deliver its service. Think users' names, addresses, billing details, email addresses, and smartphone or other device information — stuff that Spotify needs to stream music to your ears and then bill you for that experience.
That sort of data collection is understandable. It's also not what concerns experts like the Electronic Frontier Foundation's director of federal affairs India McKinney.
"There are ways that we engage with apps, services, and platforms online, and there is a certain amount of data that those apps, platforms, and services need to collect in order to do their job," she explained over a late March phone call. "There are other things that other apps collect, that aren’t really necessary for the delivery of services or the thing that the user is engaging in."
While the former category of personally identifiable information can absolutely be abused or mishandled, it's the latter category of data collection McKinney warned about — and that's often seen by users as the most invasive.
In the case of Spotify, that may include (but is in no way limited to) general location data, search queries, "inferences (i.e., our understanding) of your interests and preferences" gathered from "certain advertising or marketing partners," "motion-generated or orientation-generated mobile sensor data," and, of course, a list of every song you've ever listened to as well as how many times and at what time of day you played it (aka your "streaming history").
Spotify also says it may collect data — including non-precise location data and "inferences (i.e., our understanding) of your interests and preferences" — from third party "advertising or marketing partners."
Notably, Spotify takes pains to explain its data-gathering practices both on its privacy page and in a series of animated videos — a point emphasized by a company spokesperson over email.
"Spotify is committed to user privacy and works to provide transparent information about the personal data we collect and how it is protected at our Privacy Center," they wrote. "You can find out more about the rights and controls Spotify listeners have in regards to personal data on our Data Rights and Privacy Settings page."
Of course, the question of whether or not Spotify users actually dig into the service's privacy center is another issue. According to a 2019 report from the Pew Research Center, "just 9% of adults say they always read a company's privacy policy before agreeing to the terms and conditions," and "more than a third of adults (36%) say they never read a privacy policy before agreeing to it."
What Spotify does with user data
Spotify's use of user data goes beyond just streaming the hits to its 180 million paying subscribers.
"Spotify doesn't sell music," explained Fight for the Future's Greer. "They sell surveillance. Their customers are not musicians and music listeners. Their customers are advertisers."
Indeed, while paying subscribers are not subject to the same sort of ad breaks as non-paying users, their experience with the service is not advertiser free. Spotify says that it may share users' data with unnamed advertising and marketing "partners," for purposes including (but not limited to) "[tailoring] ads to be more relevant to you" and "to promote Spotify in media and advertising published on other online services."
Spotify attempts to break this down in the most anodyne way possible: "An example of a tailored ad is when an ad partner has information suggesting you like cars, which could enable us to show you ads about cars."
That tailored ads bit is where things get interesting and, according to privacy experts, potentially problematic. Remember, after all, that the data collected by Spotify includes every song you've ever listened to on the platform.
McKinney, the EFF's director of federal affairs, explained what using streaming histories for targeted advertisement might hypothetically look like.
You're listening to a lot of songs about heartbreak and so they’re going to send you ads for Godiva chocolate.
"You're listening to a lot of songs about heartbreak and so they’re going to send you ads for Godiva chocolate," she observed. "The level of market research about buying preferences and consumer behavior goes really, really deep into the weeds."
When specifically asked whether or not, for example, a Spotify user listening to songs about romantic breakups could then be targeted with ads for dating apps, Spotify's spokesperson attempted to thread a very specific linguistic needle in response.
"Spotify uses listening history or 'likes' within the app to inform recommendations of songs or podcasts that a user may enjoy," they wrote. "Advertisers may also be able to target ads to listeners of certain genres or playlists, but we do not make inferences about users' emotions."
So Spotify, the spokesperson made clear, does not make inferences about users' emotional states based on their musical choices. The spokesperson did not, and perhaps realistically cannot, speak for companies who pay Spotify money to advertise to its subscribers.
That cautious framing makes sense in our post Cambridge Analytica world, where, regardless of the debatable effectiveness of that specific firm, modern tech consumers are extra wary of companies attempting to use emotional data to drive specific outcomes. There are real examples of this — Facebook's 2012 study which involved, in part, seeing if it could make users sad comes to mind — and they have not been received favorably.
The attempt to draw a clear line around leveraging users' emotions also follows on a Spotify specific mini scandal about that very thing. In early 2021, privacy advocates zeroed in on a 2018 Spotify patent wherein the company claimed that speech recognition tools could be used to infer a user's emotional state and thus, at least theoretically, recommend them songs corresponding to their mood.
An online petition effort, dubbed Stop Spotify Surveillance, was blunt in its description of Spotify's efforts: "Tell Spotify to drop its creepy plan to spy on our conversations and emotionally manipulate us for profit."
In April of 2021, Access Now, a digital advocacy group, sent Spotify a letter asking that it "abandon" the tech described in the 2018 patent. Spotify responded by saying that it "has never implemented the technology described in the patent in any of our products and we have no plans to do so."
"No plans," as Access Now pointed out in its May, 2021, follow up, does not mean "never."
That something as seemingly personal as one's musical tastes can be, or potentially are being, exploited by advertisers has an obvious distaste to it. However, according to the EFF's McKinney, that distaste may in part be the result of conflating Spotify the service with the music on Spotify — an error that users would do best to avoid.
"It's not about providing an altruistic service to give people an easy way to listen to music with their babies, or whatever, that's not why they're in business," McKinney said of the company's obvious profit motive. "And just remembering that I think would go a long way to help consumers make informed choices."
How Spotify users can limit data collection and sharing
Thankfully, Spotify users concerned with how their listening habits might be weaponized against them have more options than just "delete your account."
The most obvious and immediate step users can take is to make one very specific tweak to their privacy setting: turn off tailored ads.
"If you use Spotify’s ad-supported services and you opt out of receiving tailored ads, we will not share your information with third party advertising partners or use information received by them to show you tailored ads," explains Spotify's Privacy Settings page.
To opt out of tailored ads:
Log into your Spotify account.
From the "Profile" menu in the top-right corner, select "Account." If you're using the desktop application, this will open your browser.
On the left-hand menu, select "Privacy settings."
Scroll down, and make sure "Process my personal data for tailored ads" is toggled to the "off" position.
While you're there, also "opt out of Spotify processing your Facebook data." This, according to Spotify, means it "will stop processing any Facebook data shared with Spotify except the personal data that enables you to sign into Spotify using your Facebook account." (Then, while you're feeling emboldened, go ahead and delete your Facebook account.)
These steps are, thankfully, easy. Next comes the hard part, according to the EFF's McKinney.
"Consumers should be thinking about and looking for their elected officials to enact privacy-preserving legislation that restricts what advertisers can do with some of their information," she noted. "That's really the only way we’re going to come to a solution. I don't think that there's a whole lot of individual, personal, actions any one person can take that's going to fix this problem for them because it really is systemic."
But that doesn't mean addressing the problem of data-hungry tech giants sucking up user data is a lost cause, a point made by McKinney and emphasized by Fight for the Future's Greer.
"We can and must fight for a world where artists are fairly compensated, music is widely accessible to everyone, and people's data is private, safe, and secure," wrote Greer. "That means fighting for better policy, like data privacy legislation, FTC enforcement, and antitrust reform. It also means fighting for better tools, and supporting alternatives to giants like Spotify."
So after you're done tweaking your Spotify privacy settings, consider giving your congressperson a quick call to tell them you want federal legislation protecting consumer privacy. And then, if you want to get really wild, try purchasing an album directly from your favorite band.
