What data privacy issues has Spotify faced?
Executive summary
Spotify collects broad categories of personal and usage data — including profile details, listening history, device and location data, and third‑party info — and has faced criticism and regulatory action over how it explains and shares that data (Spotify’s pages describe the data collected and user controls) [1] [2]. In 2023 Swedish regulator IMY fined Spotify SEK 58 million (~$5.4M) for failing to give EU users sufficiently clear information and full access under GDPR Article 15; advocacy group noyb brought the complaint [3] [4].
1. Data breadth: Spotify’s own account of what it collects
Spotify’s public-facing Safety & Privacy and Privacy Policy pages list wide-ranging categories of data tied to account creation and everyday use: profile name, email, listening/usage data (songs played, playlists created), payment data, voice data, survey responses, and data received from third parties when you connect services or sign up via another provider [1] [2]. The company frames these collections as necessary for service functionality (recommendations, playlists, tailored ads) and points users to account controls for tailored advertising and other privacy choices [2] [5].
2. Critiques from privacy researchers and watchdogs
Independent privacy evaluators and commentators flag concerns about how Spotify leverages personally identifiable information (PII) for marketing, long retention, and sharing aggregated data with third parties. Analyses using tools like PrivacyCheck have highlighted risks in PII use for advertising and unclear retention rules, arguing the convenience of personalization can mask privacy tradeoffs [6]. Consumer guidance pieces warn that Spotify’s detailed logs — effectively a record of every track and podcast a user listens to — can be combined with ad partners to produce invasive profiles [7].
3. Regulatory action: the GDPR fine and what it targeted
The Swedish Authority for Privacy Protection (IMY) concluded in June 2023 that Spotify failed to provide EU users with sufficiently clear information and complete access to their personal data under GDPR Article 15, and imposed an administrative fine of SEK 58 million (~$5.4M) [3] [4]. IMY found shortcomings in Spotify’s procedures for handling access requests and in how it described data contained in technical log files; the regulator characterized the issues as “a low level of seriousness” while still requiring improvements [3] [4].
4. Legal context and ongoing litigation
The fine followed a strategic campaign by the privacy NGO noyb, which had tested data access practices across streaming platforms and argued that automated responses to Subject Access Requests (SARs) often omit legally required details [4]. TechCrunch and other outlets note the IMY ruling ties into broader, uneven GDPR enforcement across EU authorities and that Spotify’s case was part of a group of complaints against streaming services [4]. Available sources do not mention the final outcome of any appeals beyond IMY’s administrative decision [4].
5. User-facing controls vs. practical limits
Spotify advertises user controls — an Account Privacy page, opt‑outs for tailored advertising, and a dedicated GDPR/Article 15 support page explaining rights and deletions — but critics say those controls can be confusing and incomplete in practice [5] [8]. Guides and tech outlets argue that even opting out of tailored ads won’t stop all advertising and that deleting an account may be the only clear path to stop long-term profiling, a point Spotify’s own materials implicitly acknowledge by describing retained categories and verification needs for data‑subject requests [5] [2].
6. Public perception and product features that raise eyebrows
Features that showcase personalized data — notably Spotify Wrapped and AI‑driven recommendations — sharpen debate: commentators say these popular features both demonstrate the power of Spotify’s profiling and highlight privacy tradeoffs users accept for personalization [9] [10]. Coverage argues that many users love Wrapped despite its privacy implications, while analysts worry about how aggregated listening data could feed AI systems without clear disclosure [9] [10].
7. Where reporting disagrees or is incomplete
Reporting is consistent that Spotify collects extensive data and that IMY fined the company for shortcomings in GDPR access procedures [3] [4]. Differences appear in tone and emphasis: watchdog and academic pieces stress systemic risks and retention/third‑party sharing concerns [6] while Spotify’s own pages emphasize user rights, controls, and lawful bases for processing [1] [2]. Available sources do not provide exhaustive audits of Spotify’s back‑end practices or comprehensive outcomes of any subsequent legal appeals beyond the IMY decision [4].
8. Practical takeaways for users
Users seeking control should review Spotify’s Privacy Center and Account Privacy settings, use the opt‑outs for tailored ads, and exercise GDPR data‑subject requests when applicable — noting that regulators found Spotify’s prior SAR responses unclear, which motivated the IMY action [8] [3]. For those unwilling to accept continued collection and profiling, several outlets state deleting the account is the only surefire way to stop long‑term data collection on the platform [10] [11].
Limitations: This analysis relies only on the provided sources; it does not incorporate other reporting or any developments after the cited items.