The Hidden Cost Of Convenience: Unveiling Spotify's Data Practices for Privacy Implications

16 minutes to read
Article
Wessel Joosten
14/10/2024

In an era where convenience often trumps caution, the omnipresence of digital platforms like Spotify invites us into a world where music streaming is seemingly effortless and uninterrupted. Yet beneath Spotify's endless supply of music and podcasts lies a subtle undercurrent: the continuous collection of our data. As we become more reliant on convenient applications like Spotify, we willingly share more data about ourselves and our daily routines. According to Spotify's own website, the application is the most popular audio streaming subscription service, boasting over 615 million users across more than 180 markets (Iqbal, 2024). As these millions of users indulge in the convenience of unlimited music consumption accessible with a simple touch, do they fully comprehend the consequences of such a transaction?

This research aims to provide an in-depth analysis of Spotify's privacy practices. By utilizing PrivacyCheck, a data-mining tool developed by the University of Texas, this study will analyze and evaluate Spotify's privacy policy based on user control criteria. Although PrivacyCheck was originally designed for large-scale analysis of hundreds of policy documents, this study will focus exclusively on applying its criteria to perform a textual analysis of Spotify's privacy policy. Through this analysis, the article aims to uncover potential privacy issues concerning Spotify’s data collection or handling practices.

What is Spotify?

In 2006, Spotify was founded in Stockholm, Sweden by Daniel Ek and Martin Lorentzon (Colón, 2024). It was originally meant as "a way for people to legally listen to copyrighted music as well as to share files and engage with others on a single platform" (Colón, 2024). Currently, the service provides users access to more than 100 million audio tracks, 5 million podcast titles and more than 300,000 audiobooks (Colón, 2024) through a free, ad-supported tier and a premium, ad-free subscription. The service is available on desktops, mobile phones and even game consoles, all providing users with on-demand listening, personalized playlists and recommendations tailored to their preferences. Over the years, Spotify has developed into a digital streaming platform that has become synonymous with digital culture itself. However, before users can access the endless sea of consumption provided by Spotify, they must consent to the platform's privacy policy: a declaration document that explains how Spotify collects, uses, discloses and retains a customer's data. Despite Spotify's widespread usage, the intricacies of its privacy policy often remain unread by users.

Figure 1: Spotify's Registration Screen

Previous research on Spotify's data practices underscores privacy concerns dating back to 2015. Brian Benedik, then Vice President of North American advertising at Spotify, emphasized the platform's extensive data collection practices. He noted that because all users are required to sign in, Spotify accumulates significant data on users' listening habits, locations and preferences (Terdiman, 2015). While Benedik's remarks were intended to stress the platform's ability to personalize content and target advertising effectively, the sheer volume of data collected also raises significant privacy concerns. Users may not be fully aware of the extent to which their personal information is tracked and used, which could potentially lead to misuse of, or unauthorized access to, sensitive data. Additionally, an article by iCulture (2022) emphasized that all user actions on Spotify, such as searches and song skips, are meticulously recorded. The article also revealed that Spotify analyzes this data to detect user behavior patterns, such as repeated listening to specific playlists, which enables the platform to tailor advertisements to specific behaviors. While these practices enhance Spotify's ability to personalize user experiences and target ads, they also raise serious privacy concerns. The extensive tracking of user actions could lead to a sense of intrusion, as users may not be fully aware of how much, and to what extent, their behavior is monitored and analyzed for commercial purposes. Alternatively, these practices can be described as data collection methods that reflect Spotify's strategy to optimize user engagement and ad effectiveness.

In 2019, Spotify's data practices faced severe examination and criticism. This occurred after the non-profit organization "noyb", the European Center for Digital Rights, accused the company of failing to provide full information about the personal data it processes in response to individual access requests. As reported by TechCrunch (2023), this was a clear violation of Article 15 of the European General Data Protection Regulation (GDPR), which grants individuals the right of access to their personal data. Consequently, in June 2023 the Swedish Authority for Privacy Protection (IMY) fined Spotify approximately 5.4 million U.S. dollars (58 million Swedish kronor) for breaching data access rights within the European Union.

Theory

This study employs a theoretical framework consisting of Shoshana Zuboff's "Surveillance Capitalism" and Bernard Harcourt's "Expository Society" to analyze Spotify's privacy policy in depth. Together, these theories allow us to understand and evaluate Spotify's data practices and the concerns that arise from them, while also answering why individuals (still) use Spotify despite potential privacy and security concerns.

In 2019, theorist Shoshana Zuboff redefined our contemporary economic system as a new form of capitalism based on surveillance and data, which she calls Surveillance Capitalism. In contrast to the traditional view of capitalism as a system that feeds solely on traditional market dynamics such as labour exploitation, Zuboff (2019) argues that "Surveillance Capitalism" transforms individuals' private experiences into marketable commodities (Zuboff, 2019, p. 11). These experiences are translated into behavioral data, which Zuboff calls "proprietary behavioral surplus", that can be bought and sold within our market ecosystem (Zuboff, 2019, p. 11). In other words, "Surveillance Capitalism" treats private human experience as free 'raw material' that can be translated into behavioral data for commercial extraction, prediction and sales (Zuboff, 2019).

In his 2015 work "Exposed", theorist Bernard Harcourt scrutinizes the pervasive reach of digital surveillance in contemporary society. Harcourt (2015) argues that our online activities and social media interactions leave meticulous digital traces that are recorded, stored and monitored. He argues that we now inhabit a society in which individuals increasingly "expose" themselves online and willingly surrender personal data in the pursuit of novel digital experiences. This willingness to share intimate details in exchange for new experiences inadvertently facilitates corporate observation, surveillance and commodification in what he calls the "Expository Society". This not only fuels Zuboff's new form of capitalism, but also raises significant concerns about the future of our privacy.

Method

When Spotify is used on any device or platform, data is processed as described in Spotify's privacy policy. Therefore, the empirical data for this analysis was obtained by manually examining Spotify's overarching privacy policy, found on the official Spotify website, using the criteria of the PrivacyCheck tool. PrivacyCheck, as outlined by Zaeem & Barber (2020) from the University of Texas, evaluates privacy policies against ten factors concerning the privacy and security of user data. For this research, a textual analysis was performed by manually evaluating Spotify's privacy policy against PrivacyCheck's predefined factors and classifying the risk level for each factor as high (red), medium (yellow) or low (green). The collected data was then related to the theoretical framework to address the aforementioned research aims. The research phase took place from April 29th to May 2nd, 2024.

PrivacyCheck checks for ten factors, namely:

  • Handling the user’s email address
  • Handling the user's credit card number and home address
  • Handling the user's Social Security Number
  • Using or sharing PII for marketing purposes
  • Tracking or sharing locations
  • Collecting PII from children under 13 (Children’s Online Privacy Protection Act – COPPA)
  • Sharing personal information (PII) with law enforcement
  • Notifying the user when the privacy policy changes
  • Allowing the user to control their data by editing or deleting information
  • Collecting or sharing aggregated data related to personal information

Figure 2: PrivacyCheck's risk assessment for privacy policies, as outlined by Zaeem & Barber (2020)

Spotify's Privacy and Security of User Data

In the table below, PrivacyCheck's ten factors are organized to represent the risk level associated with each factor in Spotify's privacy policy. The subsequent analysis focuses on sections posing high or medium risks within the entire policy.

Figure 3: Self-Constructed Table Of PrivacyCheck’s risk level associated with each factor concerning Spotify.

Email, Street Address & Credit Card Numbers

Spotify collects essential personal data, termed "user data", including email addresses and possibly street addresses. Concerns arise because the policy permits the use of such "user data" for marketing purposes, such as tailored advertising, without explicit consent where this is legally permissible (Privacy Policy, 2023). These concerns escalate because Spotify's privacy policy also indicates that user data is shared with third-party entities, including advertising and marketing partners (Privacy Policy, 2023). By contrast, Spotify states that it does not store full (credit) card numbers for security reasons, so card numbers appear to be used only for their intended purpose, as seen in Figures 2 and 6. The policy therefore shows that Spotify uses and shares user data, potentially including email or street addresses, for various purposes involving third-party entities. Consequently, Spotify's handling of email and street addresses appears to lack sufficient protection and poses a high-level risk, whereas the handling of credit card numbers is classified as a medium-level risk.

Figure 4, 5, 6 & 7

PII for Marketing, Location and Collecting PII of Children

The majority of Personally Identifiable Information (PII) falls within Spotify's "user data" category. As discussed above, Spotify's practices indicate the collection, use and sharing of such "user data" for various purposes, including marketing and advertising. The factor is therefore labelled red, underscoring potential risks to users' control over their data and to its security (see Figures 4 and 5).

The factor of location tracking is marked yellow. The policy explains that Spotify records general location information covering country, region or state, but that this tracking is non-precise. The data is derived from sources such as IP addresses, payment currency details or external third-party sources. Thus, Spotify does track and receive general (non-precise) locations of users, but the policy does not indicate that precise location data is shared with third-party entities. The classification of location tracking as yellow is therefore warranted.

The factor concerning the Children's Online Privacy Protection Act (COPPA) poses medium to high risks. Spotify's policy states that it does not knowingly collect data from children below the minimum age of thirteen and directs them to Spotify Kids, which has its own policy. There, the company states that the essential user data needed for account creation will only be shared with parental consent (Figure 9). However, Spotify's age verification is weak: the system relies primarily on self-reported age, which users can easily misrepresent. Children under 13 can falsely claim to be older and create accounts on Spotify's main service instead of being directed to Spotify Kids. This undermines the protections that are supposed to be in place under COPPA and could lead to the inadvertent collection of PII from children. While Spotify takes steps if it is notified of underage users, detecting them without any contact from a parent is unlikely. Therefore, this scenario presents a low-to-medium risk for Spotify Kids and a high risk for the main service.

Figure 8, 9 & 10

Law Enforcement, Policy Change & Control

Spotify's privacy policy states that the company may share user information with law enforcement. This sharing can include both user data (PII) and usage data, the data collected and processed while Spotify's services are used. Spotify shares this data when it deems this necessary to respond to a valid legal process, or in its own or a third party's legitimate interest. This covers both mandatory and voluntary sharing with law enforcement. Consequently, this factor is classified as high-risk (red), since a legal process is not always required before Spotify shares data with law enforcement.

The factor of policy change is categorized as yellow. While Spotify may periodically amend its policy, it does so with a prominent notice to individuals, as deemed suitable under the circumstances. However, this notice comes with no explicit opt-out option, so the factor is rated medium risk.

Spotify's policy permits individuals to edit or delete certain information. The policy specifies that users can edit their data or request its deletion, and that some data expires after a set period. However, the policy also states that certain data is retained indefinitely, even after account deletion. This results in mixed risk levels: green for data that can be deleted or that expires, and red for data retained indefinitely without clear disclosure of which data this concerns and for how long.

Figure 11, 12 & 13

Aggregated Data

Spotify's policy reveals the collection of "usage data", encompassing search queries, streaming and browsing history, created playlists and device sensor data. According to the privacy policy, device sensor data refers to data from a device's sensors that track how the user moves or holds the device. This could, for example, reveal whether an individual user is running or driving. Spotify might use this information to offer personalized recommendations, such as suggesting workout playlists when the user is jogging; third parties could, in principle, use the same data for targeted advertising, such as showing car-related ads when the user appears to be in a vehicle. This usage data is extensively shared with third parties such as service providers and advertising or marketing partners, as depicted in Figures 4 and 5. The insights that can be derived from usage data, such as mood indications from listening patterns or personal interests from browsing and search history, pose significant privacy risks. The broad sharing permits these third-party entities to access and potentially exploit the detailed personal insights gathered from such usage data. Consequently, this practice is deemed a high-level risk (red).

Figure 13 & 14

Exposure in a Surveillance Capitalist Society

The analysis of Spotify's privacy policy reveals significant risks associated with the handling of user data. Major concerns include the extensive use of PII for marketing and advertising, potential issues with data retention, and the broad sharing of aggregated usage data with third parties. The policy's handling of data related to children and of requests from law enforcement also presents high-level risks. Overall, while there are some measures for user control and data management, the predominant findings indicate areas of high risk that could affect user privacy and security.

Considering that many individuals may be unaware of Spotify's data collection and sharing practices, and in light of the study's findings, it is worth asking why users are likely to continue using the streaming platform even after becoming informed about these practices. According to Harcourt (2015), a culture of willingly divulging personal information online in exchange for novel digital experiences prevails in contemporary society. He contends that individuals, driven by pleasure, often overlook privacy concerns and willingly succumb to what he terms "data-fiction". The allure of effortlessly accessing one's favourite songs or podcasts with a click may overshadow any privacy concerns. As Harcourt articulates, "It is one thing to know, and quite another to remember long enough to care." Simply being aware of privacy issues does not always translate into sustained concern. Moreover, individuals may accept digital surveillance as an inherent aspect of using Spotify, and be inclined to trade personal information for the conveniences that Spotify provides.

Furthermore, such a privacy trade-off clearly benefits the company. As defined by Zuboff (2019), "Surveillance Capitalism" treats human experience as 'raw material' for translation into behavioral data, also known as "proprietary behavioral surplus". The analysis has shown that Spotify aligns itself with the concept of surveillance capitalism by gathering user and usage data and sharing it with third-party marketing and advertising entities. The company uses private human experiences, such as listening to favourite songs, for commercial extraction, prediction and sales. Moreover, according to Andrew Braun (2020, p. 3) and the Common Sense Privacy Report for Spotify (n.d.), Spotify feeds user and usage data into algorithms to produce prediction products that shape user behaviour and music consumption patterns on the platform, as well as to enhance targeted advertising and marketing. This strategy has proven successful for the streaming giant. According to Götting (2024) and Faria (2023) from Statista, Spotify generated over 13.2 billion euros in revenue in 2023 alone, a 12.9% increase from 2022, with 1.56 billion attributed exclusively to advertising. Additionally, Spotify's user base reached 615 million monthly active users worldwide, an increase of around 110 million users in a single year. Despite Spotify's reliance on user and usage data for revenue generation and the concerns raised over individual data privacy, the conveniences offered by Spotify appear to outweigh these concerns. The streaming giant continues to dominate the market and achieve financial success, with no sign of slowing down any time soon.

The Verdict

Despite the seemingly innocent act of engaging with one's favorite artists or songs, this research on Spotify's privacy policy reveals significant privacy concerns associated with this streaming platform. The findings indicate that Spotify's data practices do not adequately protect and ensure user privacy and security. Instead, the streaming service participates in the collection, sharing and utilization of user and usage data. Therefore, as we enjoy our music and "expose" ourselves to the platform, we effectively become "laborers" for Spotify; supplying the "raw material" that fuels its surveillance capitalist model and contributes to its vast revenue streams.

Motivated by convenience and enticed by pleasure, we make it both easy and cheap for corporations like Spotify to surveil, monitor and target us. As we continue to blindly share our data to embrace the conveniences of applications like Spotify, we ourselves facilitate the increasing commodification of surveillance and the expository culture evident in contemporary society. By voluntarily providing our data to these corporations, we support their data-driven ecosystems and profit-oriented agendas. In doing so, we effectively "work" for them in exchange for their apparent convenience. This harrowing prospect calls for a critical individual examination of the balance between the benefits offered and the potential privacy risks. We must therefore demand transparency and accountability from these surveillance capitalists, and continue to question, challenge and reform the data practices that jeopardize our privacy. "Workers" of the digital world, unite!

References

Braun, A. (2020). "Dance like nobody's paying": Spotify and surveillance as the soundtrack of our lives. Electronic Thesis and Dissertation Repository, 7001.

Colón, L. (2024, May 21). Spotify | Description, history, & facts. Encyclopedia Britannica.

Common Sense Privacy Standard Privacy Report for Spotify: Music and podcasts. (n.d.).

Faria, J. (2023). Spotify’s advertising revenue worldwide from 2017 to 2027. Statista. 

Götting, M. C. (2024, March 15). Number of Spotify monthly Active Users (MAUs) worldwide from 1st quarter 2015 to 4th quarter 2023. Statista. 

Harcourt, B. E. (2015). Exposed: Desire and Disobedience in the Digital Age. Harvard University Press. 

IANS. (2023, June 14). Spotify fined $5.4 mn for data protection regulation violations in Sweden. Business Standard.

iCulture. (2022). Spotify en privacy: Spotify verzamelt meer data dan je denkt [Spotify and privacy: Spotify collects more data than you think].

Iqbal, M. (2024). Spotify Revenue and Usage Statistics (2024). Business Of Apps. 

McCreary, L. (2008). What was privacy? Harvard Business Review, 86(10), 123–130, 142. 

Russell, R. (2024, February 7). Unveiling the Digital Dilemma: Navigating the Controversial Realm of Privacy in the Digital Age. Medium. 

Spotify. (2024, April 23). About Spotify.

Spotify. (2023, December 5). Privacy Policy.

Spotify. (2021, September 1). Kids Privacy Policy.

Spotify fined $5.4 million for breaching EU's data protection rules. (n.d.). NDTV.com.

Terdiman, D. (2015). Spotify Exec: We collect an ‘enormous amount of data on what people are listening to, where, and in what context’. Venturebeat. 

Wallis, J. (2023). How Does Spotify Work? Spotify Tech Stack Explored — The Tech Behind Series. Intuji. 

Wright, G. (2023, November 30). privacy policy. TechTarget. 

Zaeem, R. N., & Barber, K. S. (2020). The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems (TMIS), 12(1), 1-20. 

Zuboff, S. (2019). Surveillance capitalism and the challenge of collective action. New Labor Forum, 28(1), 10-29.

Zuboff, S. (2019). The age of surveillance capitalism. The fight for the future at the new frontier of power. Profile Books.