September 24, 2015

Spotify and Privacy Laws

What did the policy say?

The updated policy stated that: “With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy”.

The law

Under UK law, there is no express right to privacy. The law on privacy in the UK mainly manifests itself in the Data Protection Act 1998 (‘DPA’). Schedule 1 of the DPA lists 8 core principles which anybody responsible for using personal data has to comply with. These are that the data must:

  • Be processed fairly and lawfully;
  • Be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
  • Be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  • Be accurate and, where necessary, be kept up to date;
  • Not be kept longer than is necessary for the purpose or purposes for which it is being processed;
  • Be processed in accordance with the rights of the data subject;
  • Be protected by appropriate technical and organisational measures against unlawful processing and against accidental loss or destruction of, or damage to, the personal data; and
  • Not be transferred to a country or territory outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


The CEO of Spotify came forward to iron out the issues in what at first sight appeared to be a controversial modification of the company’s privacy policy. He stated that the information collected would be used to personalise playlist images or update profile pictures, features which have not yet been integrated into the app. He said that the app will offer a ‘find friends’ feature which will permit Spotify to scan address books and suggest connections. It was re-iterated that the tracking of consumers’ locations would simply enable Spotify to keep consumers up-to-date with music trending in their proximity. In relation to the sharing of data with partners of Spotify, who assist with the company’s marketing and advertising, the information shared is de-identified so no personal data is shared.

The CEO assured consumers publicly that their personal data will not be misused or used against their will. It was made clear in his speech and in Spotify’s newly drafted privacy policy that if consumers do not want to share this kind of information, they do not have to.

Be careful

From the above you will see that the processing of personal data is an extremely sensitive area where even the most innocent of steps can be misconstrued. Given this and the complexity of the law, it is important to ensure that companies and service providers store consumers’ personal data in a lawful way to avoid being penalised under the DPA.

If you require advice on whether your use and storage of individuals’ personal data is in accordance with the DPA, please contact John North, Claus Andersen or Tony Roberts from our corporate team.
