The new policy, which was rolled out Wednesday and covered how Spotify plans to use personal information to enhance its features, quickly had users up in arms. The policy includes provisions that the service wants to collect information about users’ location, contacts, photos, and other media–even their voice. One of the most peculiar terms was that Spotify not only wanted to collect information about your contacts, but also claimed you were legally required to ask permission of your contacts before sharing their information.
Minecraft founder Markus Persson is just one of a number of people who are angry that Spotify essentially wants to mine your phone for photos and media files, along with information about where you’re going and at what speed. The app would also have access to third-party data, such as which pages you’ve liked on Facebook. Though that provision is getting attention, it is not new, according to Ek.
The policy itself–allowing an app to access contacts, photos, and phone sensor data–is not all that unusual among popular mobile apps. The issue here seems to be how poorly Spotify communicated the breadth and gist of the new policy, as well as how much control users will have over which data Spotify can access.
What wasn’t made immediately clear is that in most cases, users will be asked permission by the Spotify app to access their information, giving them the choice to decline. Just as you need to explicitly allow Instagram access to your phone’s camera and microphone, Spotify–like virtually all apps–would only be able to see your photos or contacts if you opted in. As is always the case, users can adjust their phone’s settings at any time to revoke access. Most importantly, the policy didn’t clearly explain why Spotify wanted access to, say, your photos.
Whether or not Spotify foresaw the outrage that followed the policy release, it quickly realized it had a problem on its hands. Today’s blog post by Ek, titled “Sorry”, attempted to make clear that the individual policies are not being imposed on users.
“We understand people’s concerns about their personal information and are 100 percent committed to protecting our users’ privacy and ensuring that you have control over the information you share,” he wrote. In Ek’s 10 paragraphs of mea culpa, he said again and again that Spotify will only collect the information it wants with users’ permission.
The whole fiasco illustrates a bigger problem that isn’t unique to Spotify: Tech companies push out new policies every day in the form of arcanely worded paragraphs of legalese. Normal people don’t read that text, but journalists do and will have a field day if there’s anything in there that sounds unusual or questionable. Some of them may go totally over the top with fearmongering posts. One has to wonder if Spotify could have avoided this backlash all together by publishing Ek’s post–which does a better job of explaining how this data will be used–before the policy change was made.
For Spotify, the policy change is designed, in part, to allow them to “provide, personalise, and improve your experience.” In other words, it’s primarily for product development. Spotify’s app would want to access your photos and contacts for the same reasons any app would: to let you upload customer user photos (or, more likely, playlist cover art) and mine your own contacts to find other Spotify users to follow. Location and other sensor data allows Spotify’s developers to build features like the recently unveiled Spotify Running, which beat-matches music to the speed of your run.
For example, writing about photos, Ek says, “We will never access your photos without explicit permission and we will never scan or import your photo library or camera roll. If you give us permission to access photos, we will only use or access images that you specifically choose to share.” He makes similar points about location, voice control, and contacts.
Although Wired initially stoked the flames over its assertion that Spotify’s new policy was “eerie,” it pulled back a bit today in a new post in which it compared the policy to that of competing streaming music services like Rdio, Beats Music, Pandora, and Google Play Music. Although each service handles data collection differently, there are a lot of similarities, Wired found.
Each of those services, save for Rdio, asks for information about users’ location, and all of them want photos and media files. They differ from point to point on other areas, such as contacts. Ultimately, though, it seems that Spotify is not far outside the norm in the industry.
Which leads back to messaging 101: When you’re going to make changes to something as crucial as users’ privacy, it’s essential that you embrace transparency and clarity. Saying sorry after the fact may not be enough to put out the fire of public opinion.