Spotify explains its new “give us your data” policy

Last week, we wrote about why privacy policies matter.

In particular, we wrote to advise you to read privacy policies with care – not only when you first sign up, but also if those terms and conditions change in the future.

Even a small modification might be a change you don’t like, such as a shift from “we won’t share your data with anyone else” to “now we’ve been acquired, we will allow our new parent company to use some of your personal data for other businesses in the group.”

And it is difficult to compare two privacy policies in the same way that you might compare two versions of a program’s source code, or some other structured sort of data.

So re-reading the whole thing is often the only safe way to evaluate the changes.

Plus, your outlook on privacy may have changed since you first joined, so approaching a service’s updated privacy policy as if it were completely new is probably time well spent.

(You do read privacy policies when you first sign up, don’t you?)

Anyway, in last week’s article about privacy changes, the website that was asking for new data-access privileges just happened to be the music-sharing service Spotify.

A Forbes writer, Thomas Fox-Brewster, decided to comb through Spotify’s update in detail, as most of us probably didn’t, and published his findings.

Amongst other things, Spotify was going after: geolocation data, for example to figure out whether you were walking, driving or on the bus; your contacts; and what it rather broadly described as “your media files.”

As we pointed out, the words “media files” paint with a very broad brush, potentially covering music, podcasts, videos, screenshots, your reading list, articles you’ve saved, ebooks you’ve downloaded, and more.

The good news is that Fox-Brewster’s vigilance, and the interest it sparked amongst other security sites, including Naked Security, seems to have paid off.

Last Friday, 21 August 2015, Spotify’s CEO, Daniel Ek, came up with a bit more information under the rather straight-talking headline, “SORRY.”

(An apology goes a long way. An upper-case apology goes even further!)

Although Ek never actually uses the words “strictly opt-in,” it seems pretty clear that the policy changes aren’t going to happen automatically.

What Ek actually said was, “We will ask for your express permission before accessing any of this data.”

So, the new privacy policy deals with the fact that Spotify reserves the right to start gathering up data that it wasn’t collecting before, but it won’t start doing so unilaterally.

Ek seems to be saying that if you update your Spotify app, for example, you may find that it has a whole raft of new options by which you can authorise Spotify to learn quite a lot more about you…

…but those options won’t be on by default.

Better yet, it sounds as though these changes aren’t all-or-nothing: in other words, you won’t have to give up on Spotify if you don’t like the new features, because you will be able to keep on using the service without them.

A music-streaming service that’s listening – we think that’s a neat metaphor!