Spotify set off a storm of hand-wringing recently with an announcement the company had updated its privacy notice.
The notice, which replaces a version published nearly two-and-a-half years ago, reflects the digital-music service’s aim of tuning its offering to users, who listen on the move and assemble playlists for one another.
Significantly, Spotify revamped sections of the notice that inventory information the company may gather from users. According to the notice, users consent to the company’s collecting the location of their smartphones, such as via GPS or Bluetooth, and information about the speed of their movements (from sensors in some smartphones), the better to deliver music that matches users’ workouts. Spotify also said it may gather photos, contacts and media files stored on users’ devices, as well as information about “likes” and posts from those who sign up for the service via Facebook.
None of that went over well with observers. “Like a jealous ex, Spotify wants to see (and collect) your photos and see who you’re talking to,” complained Wired. “Perhaps Spotify feels left out that you are hanging out without it, because it wants to know where you are all the time.”
“I’m now considering whether the £10 I pay for a premium membership is worth it, given the amount of privacy I’d be giving away by consenting,” lamented Thomas Fox-Brewster at Forbes. “You know, Apple Music just started looking a lot better,” Gizmodo observed.
It didn’t help Spotify that the changes it adduced arrived two days after hackers published names, email addresses and other personal information about roughly 36 million people who signed up for Ashley Madison, a hookup service for married people. On Monday, police in Toronto described the theft “as one of the largest data breaches in the world.”
Nor did it help that Spotify neglected to tell users how it might use all the data, or whether people could choose not to participate (and still remain users). The company also failed to describe the difference, if any, in privacy for subscribers to its premium service, which contains no ads.
The blowback elicited an apology from Daniel Ek, Spotify’s CEO, who conceded in a blog post the company “should have done a better job” communicating the changes and that users won’t have to share their contacts, photos and the rest if they don’t want to. “We understand people’s concerns about their personal information and are 100 percent committed to protecting our users’ privacy and ensuring that you have control over the information you share,” he pledged.
SORRY. Privacy super impt. We should have done better explaining new terms. Just posted; hope it clears things up. http://t.co/ASh34F0Zed
— Daniel Ek (@eldsjal) August 21, 2015
Though the apology diffused the dustup, the reaction to the exchange that services such as Spotify and others bargain for suggests a lack of confidence among users in the terms of the trade. Roughly in 10 adults say that controlling who can obtain information about them and what information can be collected are important, according to a survey published in May by the Pew Research Center. Yet about half as many trust their records will remain private and secure.
By now it’s established that companies cannot revise their privacy notices without first advising users what the changes will be. But it wasn’t always that way. The idea originated as recently as a decade ago, when the Federal Trade Commission determined that companies cannot change their privacy notices retroactively.
Companies comply by telling us the stipulations of their services and hoping we come round. “If you don’t agree with the terms of this privacy policy, then please don’t use the service,” Spotify’s privacy notice advises users. You can’t get much clearer than that. But privacy notices can get more explicit.
Standards and laws evolve, of course. Note, too, that consumers have more trust in banks and health insurance companies—sectors that abide by well-established rules for privacy—than they do retailers and social-networking services to safeguard their personal information, according to a Gallup Poll released last year.
Still, there’s nothing to stop companies from innovating. Services such as Spotify that specialize in personalization seem well-poised to deliver privacy notices that users can understand as intuitively as the services themselves.
Writing in the Times recently, A.O. Scott describes the main character in “Grandma,” a film starring Lily Tomlin. “She is impatient with the world and suspicious of the motives of a lot of people in it, but that is partly a result of her idealism, her uncompromising commitment to behaving like a free human being,” Scott writes.
As the characterization suggests, we can be uneasy and idealistic. The fears that arise in connection with how and to whom we relinquish our personal information are meaningful because they remind us of our independence. Which suggests debates about privacy premised less on reacting to the latest stumble and more on thinking individually and together about trade-offs we’re willing to tolerate.