Skip to content
This repository has been archived by the owner on Jan 14, 2020. It is now read-only.

Latest commit

 

History

History
executable file
·
100 lines (79 loc) · 5.32 KB

spotify.md

File metadata and controls

executable file
·
100 lines (79 loc) · 5.32 KB
Raw

Spotify Privacy Policy (PP)

Last reviewed: 2016-12-18

tl;dr Spotify:

  • collects too much information
  • shares information too readily
  • uses aggressive/pervasive tracking
  • uses shady practices to access and share your information
  • forces you to forfeit some rights and protections of your data
  • is working with data brokers 🔥

Information they "must have":

  • name
  • birth date
  • address
  • email
  • sex
  • "broad, non-specific" location, based on your IP address
  • the music you listen to (for recommendations)
  • technical and sensor information (type of browser and device, touchscreen data, accelerometer and gyroscope data)

Information they can have, if you provide it (but it's not necessary)

"... information that enables us to offer you additional features."

  • specific location (as accurate as possible)
  • photos you send them (e.g. profile picture)
  • list of contacts (to "find friends or contacts who use Spotify")
  • microphone (e.g. "to control Spotify with your voice")

What they share

  • if you sign up through Facebook, some information is shared between the two services
  • "de-identified information" is shared with "music industry partners to help them understand how the content they license to us is performing"
  • some information is shared with "marketing partners"
  • some information is shared with "advertisers that allow us to offer a free service"
  • data you make public in the service, is shared with all users
  • if you allow it, some of your information may be shared with artists and/or labels (making them able to contact you directly)
  • if you allow it, some of your information may be shared with your contacts and friends, people you follow or that follow you
  • if you sign up "through an offer that you received or purchased from a third party" (e.g. mobile network operator), some of your information is shared with that third party
  • if Spotify undergoes a merger or acquisition, your information automatically goes to the new entity
  • Spotify may share information in response to a legal process (e.g. a court order)
  • Spotify may share information to comply with the law
  • Spotify may share information to protect the safety of any person
  • Spotify may share information to protect its own rights and property
  • Spotify may share information to "address fraud, security, or technical issues"
  • "de-identified" information may be shared with academic researchers (for analysis and study)
  • "de-identified or aggregate" information may be shared to publish data about how Spotify is being used

What you consent to

All of the above, plus:

  • their use of cookies and similar technologies
  • "the transfer of your information outside the country where you live"
  • if you register through Facebook, they may access a far greater trove of information (including hometown, friends, etc.)
  • the collection and usage of a "unique device ID", device attributes, and similar
  • the collection and usage of "information enabling digital rights management" (DRM)
  • that Spotify may identify and track you on websites that use the Spotify widget
  • if you pay for the service, your payment method and related information (postal code, phone number, etc.) is stored by Spotify and the payment processors they work with
  • Spotify may share anything about you with other companies in the Spotify group, trusted business partners, and service providers
  • you waive your rights to local banking secrecy laws
  • you accept that your information will be stored in countries that provide less privacy protections than yours
  • if you take part in "sweepstakes, contests, offers, and/or surveys" or similar, there may be a different Privacy Policy and TCU applicable
  • Spotify may get information about you from service providers and partners

What's always public

  • name and/or username
  • profile picture
  • who you follow
  • who follows you
  • your Spotify user profile

Some or all of this information is "always publicly available", including through their APIs and similar tools. This makes this information available to additional third parties.

What you can do about these rules

  • if you delete your account, some or all of the parts of this privacy are cancelled
  • if you have questions, you can email privacy@spotify.com
  • you can also contact Spotify via letter
  • it may be possible to request a list of all the information Spotify has about you
  • if Spotify changes their PP, they may not notify you; Spotify claims it depends on whether they are "material changes"
  • if the PP changes, and your consent is needed to continue using the service, not accepting the new PP means the service is cancelled

Pervasive tracking

Apart from the vast amount of information Spotify may collect on you, they resort to what we call pervasive tracking:

  • Spotify uses both session and persistent cookies
  • Spotify uses third party analytics providers
  • Spotify uses third party advertising providers, with corresponding tracking and cookies
  • Third parties may be given access to some or all of these cookies
  • Spotify uses mobile device identifiers (such as a device's unique ID)
  • Spotify does not respect or respond to Do Not Track (DNT) requests
  • Spotify uses your information for behavioral analytics and advertising
  • Using Spotify forces you to consent to the use of Google Analytics and DoubleClick (indirectly), including their cookies and privacy policies