Briefing

Spotify's privacy policy changes: towards a new business model?

Posted by: Alan Baker | Date posted : 28/08/2015

While newspaper columns obsess over the Ashley Madison leak – which we hope to comment on next month (once its implications are a little clearer from a UK perspective) – the technology press has been equally titillated this past week by news of changes to a certain company's privacy policy.

While such events may be of passing interest to legal practitioners and data protection officers (we have to get our kicks somehow), last week's announcement that Spotify – the popular music streaming service – has changed its Terms and Conditions of Use and Privacy Policy has gathered rather more attention than usual. These changes apply equally to Spotify's 20 million fee-paying subscribers and the 75 million users of its free (advertising-supported) version of the service; so there are a large number of people with a rather personal interest in Spotify's updated terms. This article takes a brief look at the changes Spotify has made and suggests why (from a legal perspective) this is particularly significant, given that it is not otherwise unusual for businesses to change their terms of use (including privacy policies) from time to time.

The long-term viability of a pure streaming model – quite apart from its benefit to artists – is constantly under debate in the music industry. However, it is more settled commercial wisdom that the 'social media' business model depends on how companies can use and exploit users' data to provide personalised services and advertising. The presumption therefore, whenever a fundamental shift in privacy policy is announced by a tech company, is that it is gearing up to monetise in new ways. That is certainly the majority view taken by the judges, jurors and executioners of online forums.

So what are the actual changes? Spotify's privacy policy now allows Spotify to collect from its paying subscribers and the users of its free (advertising supported) service "information stored on your mobile device, such as contacts, photos, or media files". The new policy also allows Spotify to track its users' browsing activity when they visit a website with a Spotify widget installed.

In addition, the new privacy policy shows who Spotify shares user data with, including its "advertising partners". Other third parties that Spotify may share user data with include "service providers", "rights holders" and other "Spotify partners", such as mobile network operators. It is worth pointing out, however, that much of the data shared with these businesses will only be shared in a "de-identified format", such that no personal data is accessible. Still, Spotify's previous privacy policy did not specifically mention the sharing of user data with advertisers, although it did refer to data being shared with "certain trusted business partners".

It is arguable, then, that the changes to the privacy policy are actually beneficial for Spotify's users as they specify in more detail how their data may be collected and used. Indeed, that is exactly what Spotify CEO Daniel Ek has claimed when responding to the outrage expressed by certain users when the changes were announced last week. Mr Ek's blogpost of last Friday was entitled "SORRY." – doubtless as much for PR impact as for penitence – and, while Mr Ek said users can look forward to a further update of the privacy policy "in the coming weeks", he made no promises to reverse any of the new changes. One point which is clear from the blogpost, though, is that all of Spotify's changes are reliant on its users' consent: "If you don’t want to share this kind of information, you don’t have to. We will ask for your express permission before accessing any of this data – and we will only use it for specific purposes that will allow you to customize your Spotify experience."

With all that in mind, here are three simple lessons from Spotify's privacy land grab, which in turn we hope will form a useful list of 'top tips' for shaping a fair and useful privacy policy:

  1. Remember what a privacy policy is – and what it isn't.  There is no 'magic' to having a privacy policy applicable to your business – and in particular, it does not legitimise any mishandling (ie unlawful processing) of personal data by your business as a 'data controller'. If you are collecting, storing and then deciding how individuals' personal data is to be used, then you likely are a 'data controller' who is subject to all applicable obligations under the Data Protection Act 1998 (in the UK). Your privacy policy forms part of your legal obligation to process personal data "fairly and lawfully" – as such, it should explain to your users what personal information you are collecting from them (and about them from others), how you use that information (including how you share it with third parties) and other information which makes it plain to your users what they are consenting to when they agree to your terms.
  2. Don't collect more personal information than you need.  Perhaps one of the biggest 'surprises' in Spotify's new privacy policy is the expanded scope / types of information which Spotify may collect. One may very well ask "what does Spotify need to access the photos, contacts and media files on my smartphone for?" Daniel Ek's blogpost (linked to above) was at pains to emphasise that none of this information will be collected without a user's permission – e.g. so that a user must specifically select a photo to share with Spotify, for the purposes of adding a 'profile image'. However, since that additional information required a blogpost (i.e. it was arguably not clear from the wording of the privacy policy itself), and indeed since questions remain concerning the legitimacy of Spotify collecting this kind of personal data, it remains to be seen whether Spotify has in fact 'overreached' its permissions here – one would think that a word of warning from a data protection regulator is not out of the question. To be clear, the law requires that personal data are "obtained only for one or specified and lawful purposes", and indeed that the data so collected is "adequate, relevant and not excessive" for those purposes.
  3. Consider carefully who it is appropriate to share personal information with.  This is an issue worthy of further discussion but, suffice to say, the sharing of personal data with third parties (and perhaps especially with advertisers) is always a matter worth particular attention. As the Spotify privacy policy update showed, listing the particular third parties with whom you will (or may) share users' personal data can sometimes cause concern for those users. However, the risk of their surprise – or worse, their outrage –  is not a reason to withhold that information from those users. It remains good practice for a privacy policy to identify as precisely as possible the third parties with whom personal data will be shared; this should always prompt two important, related questions: (1) do you really need to share that information with those particular third parties?; and (2) do you really have your users' consent to do so?

If you require further information on anything covered in this briefing please contact Alan Baker (alan.baker@farrer.co.uk; 020 3375 7441), or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Intellectual Property & Technology page on our website.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, August 2015