These changes, which came into effect on 19 August, allow Spotify to collect data from devices using the Spotify app.
Some of this information, including contacts, birthdays, email addresses, photos and location data, could be shared with third parties and advertisers.
CEO of the company, Daniel Ek, apologised for the new policies, claiming they had been poorly worded and were not as invasive as suggested.
Ek said they will ask for permission before collecting any of this information.
.@Spotify Hello. As a consumer, I’ve always loved your service. You’re the reason I stopped pirating music. Please consider not being evil.
— Markus Persson (@notch) August 21, 2015
Professor of information systems at Deakin University, Matthew Warren, tells upstart that although Spotify claims that accessing this information will lead to a better user experience, they might not even know what to do with it.
“Many companies see the potential to collect information which they don’t really understand how they’re going to use,” he says.
“I think they were just seeing an opportunity with mobile devices, that they could collect this information without really thinking it through.”
Last month’s Ashley Madison leak has raised security concerns over storing this much personal information.
Chair of BCS Security, Louise Bennett, tells upstart that Spotify must be careful with how they handle private data.
“When any organisation is known to hold large quantities of personal data, this acts like a magnet for fraudsters and pranksters and hackers with other motives,” she says.
“It is essential that if they are collecting and keeping this data that as a minimum it is encrypted.”
It is likely that many Spotify users will allow the company access to this data without realising.
“When people install an app, instead of reading through pages and pages of details and small print, everyone ticks the box and installs the app,” Warren says.
“It’s an issue with all social media technologies, many people click it and they allow access without thinking about the consequences.”
“Most people are completely unaware about how much personal data organisations are collecting,” Bennett says.
“When I talk to young audiences about online security, they are usually aghast at how much data is collected.”
Bennett says that Spotify, and other online-based companies, should have privacy policies viewable in a single screenshot, to make it easier for users to read the terms and conditions.
Spotify isn’t the only company to be criticised for a lack of transparency within their terms and conditions. Apple was satirised by South Park for its excessive and generally unread terms and conditions.
Moving forward, Warren believes that online companies must be more upfront with how they plan to use customers’ data.
“[They should be] giving people information about what information is going to be held about them, how is that going to be used in the future and what rights customers have to opt in or opt out of that information being held about them,” he says.
Bennett proposes that companies should adhere to the seven privacy principles set by the Organisation for Economic Co-operation and Development (OECD):
- Notice – data subjects should be given notice when their data is being collected
- Purpose – data should only be used for the purpose stated and not for any other purposes
- Consent – data should not be disclosed without the data subject’s consent
- Security – collected data should be kept secure from any potential abuses
- Disclosure – data subjects should be informed as to who is collecting their data
- Access – data subjects should be allowed to access their data and make corrections to any inaccurate data
- Accountability – data subjects should have a method available to them to hold data collectors accountable for following the above principles
Spotify’s privacy changes could come back to hurt the company in the future.
Bennett says that companies who aim to monetise data will turn off a large proportion of their customers.
“While young people are often cavalier about their online privacy, preferring the value of ‘free’ services, this definitely falls off with age,” she says.
“Recent research shows that it is a major determinant of online behavioural change as individuals reach their twenties and upwards and stop using many service suppliers and social media.”