Yesterday, Spotify’s new privacy policy created quite a stir. Today, the company released a statement in which CEO Daniel Ek clarified how exactly the privacy permissions would be used.
“Let me be crystal clear here: If you don’t want to share this kind of information, you don’t have to. We will ask for your express permission before accessing any of this data – and we will only use it for specific purposes that will allow you to customize your Spotify experience.”
In other words, these will enable opt-in experiences, something that Spotify regrettably neglected to mention when it first announced the changes. The app won’t go scanning for your photos, but it’s reserving the right to access them if and when you want it to.
The privacy settings don’t seem quite so creepy in that light. Even more helpful? Putting what Spotify is asking for in the context of its contemporaries.
We read through the Android app privacy policies of Pandora, Rdio, Tidal, Google Play Music, and Beats Music (soon to be Apple Music) to see which of the Spotify permissions that have rankled people show up there as well. As it turns out, most streaming-music apps ask for similar things, and often for good reason.
Most of the concern centers around three categories: the collection of locally stored contacts, photos, or media files; location and sensor data; and sharing information with third parties. That’s what we’ll focus on below.
Pandora
Contacts, photos, media files: Yes. Pandora also has permission to “add or modify calendar events and send email to guests without owners’ knowledge.”
Location: Yes: “We may collect and use approximated or realtime location information, such as GPS location, from devices you use to access the Pandora Service.”
Third parties: Yes. “We may receive or collect information about you from third parties, and combine and store it on our servers with other information we may have already received or collected from you.”
Rdio
Contacts, photos, media files: No on contacts, yes to photos/media/files. Rdio also has permission to “read sensitive log data.”
Location: Not listed.
Third parties: Yes. “We will not sell or rent your email address or any of your Personal Information. However, to operate the Rdio Service, we may share your information in the following ways: [7 sub categories, plus “third party analytics tools.”]
Beats Music (Apple Music)
Contacts, photos, media files: No on contacts, yes to photos/media/files.
Location: Yes. “We collect your location-based information for the purpose of developing, delivering, and improving our Service for you.”
Third parties: Yes. “Except as otherwise described in this Privacy Policy, Beats Music will not disclose Personal Information to any third party unless we believe that disclosure is necessary: [4 situations in which they will]“
Tidal
Contacts, photos, media files: No on contacts, yes to photos/media/files.
Location: Yes. “When you use the Service, we store information generated by your use of the Service, such as… time of log-in, location of sessions if allowed by the device, what version of the Service you use, technical data such as your IP address, location information, and other similar information.”
Third parties: Yes. “We will not share your personal data with third parties except in the following situations: [4 situations in which they will]”
Google Play Music
Google Play Music is covered by Google’s blanket privacy policy, which, I mean, if you’re on an Android phone Google knows everything about you.
But Why? And What Can You Do?
So most music-streaming services ask for similar information, some of which sounds pretty invasive. It’s worth taking a step back, though, and considering both why those permissions exist, and what you can do to get around them.
Let’s break this down a little further, since these are big categories that contain a few different implications.
Contacts: If you think of or use a streaming-music app as literally just a collection of playlists, you’re right to be annoyed that it wants access to your address book. Increasingly, though, apps like Spotify think of themselves as mini social networks, a way to share artists and songs among friends. Currently, Spotify taps into your social media profiles (if you let it) to help enable those connections. Access to your contacts would let you find friends on Spotify through their email addresses or phone numbers, exactly how Instagram, Twitter, or any other social network currently does.
Photos: It’s uncomfortable to think of a music app combing through your photo library, but think again of the social element. As Spotify CEO Daniel Ek pointed out on Twitter last night, access to your photos would be a convenient way for the app to let you customize header art on a playlist, or upload a new profile picture. Though it wasn’t clear in the first wording of its privacy update, Spotify has now said it will ask you for permission to access your photos when and if you want to upload a photo.
Media files: Many music streaming apps let you download playlists to your phone to listen to those songs offline. Those songs are stored as media files, which the apps then need permission to read.
Location: Spotify recently introduced a feature that generates a playlist to match your running pace; for that to work, it needs to know where you are and how fast you’re moving.
Beyond that, though, Spotify has been very public about its desire to provide context-aware playlists and songs. As we reported in July:
“Spotify is beginning to read your context—your location, the time of day, and more—to make deeply educated guesses about what you might want to listen to. You always run at 7 am, before work; Spotify’s going to start showing you running playlists at 7 am.”
To some of you, that may sound creepy. If so, you are probably right to leave Spotify for something less invasive. That’s also, though, the inherent trade-off for playlists that can (very well, anecdotally) anticipate your needs based on where you are and when.
Third parties: This is the arguably gross part, but it’s also not new or unique. Advertising is a part of staying in business, and Spotify shares data (which it says is “de-identified,” as opposed to specific personal information) with “partners who help [them] with marketing and advertising efforts.” Besides which, all apps need to allow at least some form of third-party communication in cases of legal liability. This is about as standard as it gets.
Unfortunately, there’s no way for Spotify to fine-tune the permissions language that Android uses to show users what an app wants and needs to access. That, combined with too-vague description of the new policy, landed the company in some hot water. Today’s statement goes a long way to ease those concerns.
There’s an even better solution on the horizon, though. Starting in Android 6.0 (Marshmallow), which will be released later this fall to select devices and eventually trickle its way down throughout the Android ecosystem, you’ll be able to allow specific permissions within every app you use. Don’t want Rdio to access your calendar? You can block it, but allow everything else. It’s a much more user-friendly way to manage access to your phone, at least until you realize just how important some of permissions are to basic features and functions.
Spotify’s not perfect, and it could do well to not reach so deeply into your privacy cookie jar (and to be clearer about why it wants to in the first place). Before you cancel your subscription, though, it’s important to understand two things. First, for better or worse it’s using this intel to help build a better product. Second, you’re going to be giving away basically the same access anywhere where you turn.