
Subscribed to Spotify Premium, but still tracked

Paying doesn't stop Spotify from leaking your personal data to Google and the who's who of surveillance marketing

Published by Pixel de Tracking on April 25, 2020

Advertising, a marginal part of Spotify's revenue

Spotify operates on a "freemium" model: you can listen to the music streaming service for free ("Spotify Free") but you will have limitations and advertising. The free version is a loss leader for the paid version.

If we look at the financial results for the last quarter of 2019, “Spotify Free” users represent 56% of all users, but only 11% of Spotify’s revenue.

Spotify Q4 2019

Yet Spotify is aggressively selling its “Free” users

Although advertising represents a marginal part of Spotify's revenues, this does not prevent it from using programmatic, the method of selling advertising inventory that is least respectful of privacy (read about this on the Brave explanatory page). Spotify is even accelerating its advertising development, says Julie Clark, the programmatic advertising manager at Spotify:

[...] With that said, we still saw double digit rates of growth across each of our Direct, Programmatic, and Ad Studio channels. During Q4 we introduced Dynamic Ad Breaks (“DAB”) in the US and UK which added significant sellable inventory. We plan to expand this capability into 10 more markets in Q1 and will continue to scale these capabilities as content becomes increasingly available over our total geographic footprint.

Also, as Pat Walshe noted in this excellent Twitter thread, Spotify boasts on its site for advertisers of knowing your tastes, your moods and your online behavior very well, and even of revealing your offline behavior:

Spotify - the more they stream

What are these “key” musical habits, which allow Spotify to profile you better and therefore sell you better to brands?

Spotify Habits

To profile you, Spotify also uses third-party data:

Spotify audience research

Spotify is already particularly good at analyzing your behavior and providing recommendations (as evidenced by your Discover Weekly playlist). It can be trusted to apply its science to behavioral advertising, while at the same time leaking the personal data of its “Free” users to third-party advertisers.

But being a Spotify Premium subscriber and therefore not having advertising, I did not expect to be tracked by third parties.

Spotify for iOS leaks my personal data

Here are the steps I followed to observe whether the Spotify iOS app leaked my personal data:

  • Close the various background applications.
  • Launch the Charles Proxy application and enable tracking.
  • Launch the Spotify application (logged in, Premium subscription), then listen to some music.
  • Export the logs from my Charles Proxy session to my computer.
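Once the session is exported, the third-party calls can be pulled out of it programmatically. The script below is an added example, not part of the original article: it assumes the Charles session was exported in HAR format, treats only `spotify.com` as first party (an assumption), and runs on a constructed sample capture.

```python
from collections import Counter
from urllib.parse import urlsplit

# Tracker domains named in this article, mapped to the company behind each.
TRACKERS = {
    "doubleclick.net": "Google", "scorecardresearch.com": "Comscore",
    "rlcdn.com": "TowerData", "myvisualiq.net": "Nielsen",
    "exelator.com": "Nielsen", "demdex.net": "Adobe", "bluekai.com": "Oracle",
}

def match_suffix(host, domains):
    """Return the entry of `domains` that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in domains:
        # Compare on a label boundary: a substring test would wrongly treat
        # "spotify.com.tracker.example" as first party.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def third_party_summary(har, first_party=("spotify.com",)):
    """Map each non-first-party host to (request count, company or 'unlisted')."""
    counts = Counter()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if host and match_suffix(host, first_party) is None:
            counts[host] += 1
    return {host: (n, TRACKERS.get(match_suffix(host, TRACKERS), "unlisted"))
            for host, n in counts.items()}

# Constructed sample in HAR layout (log -> entries -> request -> url). For a real
# capture, load the exported file with json.load() and pass the result in.
SAMPLE_HAR = {"log": {"entries": [{"request": {"url": u}} for u in (
    "https://api.spotify.com/v1/example",
    "https://securepubads.g.doubleclick.net/gampad/ads?x=1",
    "https://securepubads.g.doubleclick.net/gampad/ads?x=2",
    "https://sb.scorecardresearch.com/b?c1=2",
    "https://s3.amazonaws.com/example/library.js",
    "https://spotify.com.tracker.example/pixel",
)]}}

if __name__ == "__main__":
    for host, (n, owner) in sorted(third_party_summary(SAMPLE_HAR).items()):
        print(f"{n:3d}  {host:40s} {owner}")
```

Hosts reported as "unlisted" are third parties that are not on the article's list and still need to be identified by hand.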

Spotify iOS

Surprise, Spotify Premium calls many third parties:

  • Google: omnipresent. Here Spotify calls Crashlytics (crash reports), a tool purchased from Twitter in 2017 and integrated into Google's developer toolbox, Firebase. While calling a Google service is debatable, a crash reporting tool makes sense, even for a paid app.
  • Facebook: omnipresent, Facebook also provides its developer toolbox. This integration doesn't seem to leak any specific personal information (I can see it making a simple call to Facebook, with no additional identifiers). However, what is the point? I connect to Spotify via my email address and not via Facebook, so Spotify should have no reason to call Facebook.
  • Adjust: a mobile marketing company offering several services including analytics, attribution (which advertising campaign led to the installation of Spotify) and advertising retargeting. Clearly, I don't pay Spotify to have these kinds of companies track me.
  • Comscore: via scorecardresearch.com, a company specializing in market research. Here too, I am profiled without having given my consent.

Please note that, for Facebook, I do not have an account and I had already deactivated "Facebook Data" in the Spotify privacy settings:

Spotify Facebook

And yet, Spotify continues to call Facebook.

How to avoid this tracking? Spotify does not offer an opt-out for its iOS app (more details further down in the article), so you will have to go through more sophisticated solutions such as the apps DNSCloak, Adguard or NextDNS.

Spotify for Mac, addicted to Google advertising solutions

Now let's see if Spotify's Mac client also leaks personal data to advertising companies. For this, I followed the same steps but with the Charles Proxy application for Mac:

Spotify Mac

So the Spotify Mac app also sends your personal data to these third parties:

  • Google: via multiple domains, Spotify uses Google Ad Manager to monetize its advertising inventory. Problem: I use the Premium version of Spotify, so I don't receive advertising. Why is Spotify leaking my personal data to Google's advertising solution?
  • Comscore: via scorecardresearch.com. This tracker, already present in the iOS app, is also found in the Mac app.
  • Qualaroo: a tool for collecting user feedback, which allows Spotify to segment its users so that surveys are sent only to certain users. This company therefore collects your profile and your use of Spotify. Note that it is responsible for the call to Amazon (via the domain s3.amazonaws.com, because it hosts its JavaScript library on AWS).

If we zoom in on the information sent to Google Ad Manager during the ad call (the request https://securepubads.g.doubleclick.net/gampad/ads?), we realize that Spotify leaks a lot of information to Google including:

  • Your Doubleclick advertising identifier, via the “IDE” cookie. It follows you everywhere on the internet, and therefore even into desktop apps thanks to Spotify.
  • Your age.
  • Your gender.
  • The Spotify advertising ID: aduserid.
  • Your listening playlist: Discover Weekly, etc.
  • The artist listened to (encoded): artist.
  • Your Spotify plan: here Spotify Premium.

How to avoid this tracking? Spotify does not offer a real opt-out on its Mac app (more details further down in the article), so you will have to go through more sophisticated solutions such as a Pi-hole or Adguard.

On the web player, the Wild West

Although I don't use the web player daily, preferring to use the Mac app, I wanted to check out the tracking on the web. Before I logged in, Spotify's use of trackers was already massive:

Spotify web player 1

Spotify web player 2

The companies that collect your personal data thanks to Spotify are numerous. It's a veritable who's who of surveillance marketing:

  • Google: Spotify is powered by Google solutions and here uses Google Tag Manager, Google Analytics and Google reCaptcha.
  • TowerData: via rlcdn.com aka Rapleaf, a company that became known in 2010 for wildly collecting Facebook user information and reselling enriched identities (well before the Cambridge Analytica scandal). Rapleaf was acquired in 2013 by TowerData, a huge data provider who probably knows you very well.
  • Nielsen: via myvisualiq.net aka Visual IQ, an attribution service (it allows Spotify to determine which ad campaigns are most effective) acquired by market research giant Nielsen in 2017. Nielsen also tracks you via exelator.com aka eXelate, a data provider acquired in 2015.
  • Adobe: via demdex.net aka Demdex, the Data Management Platform acquired by Adobe in 2011. Through successive acquisitions, Adobe is not only a giant in creative tools (Photoshop, InDesign, Lightroom, etc.), but also in marketing.
  • Comscore: via scorecardresearch.com. This tracker is everywhere: after the iOS and Mac apps, we find it on the web player.
  • Tapad: this data provider also knows you very well; it is able to make the link between the different devices you use (smartphone, computer, etc.).
  • Oracle: via bluekai.com aka BlueKai, a Data Management Platform acquired by Oracle in 2014. Did you know SQL? Oracle has changed. Just like Adobe, Oracle has diversified through successive acquisitions to now offer businesses a “Marketing Cloud”.
  • Facebook: impossible to escape. Facebook is not called here directly by Spotify but by Visual IQ (aka Nielsen); Facebook and Nielsen have an agreement to share your personal data.
  • Qualaroo: the tool for collecting user feedback already seen in the Mac application.

However, you cannot listen to music without being logged in. Will Spotify limit trackers when I log in, given my Premium subscription? Let's look at the trackers called once logged in:

Spotify web player connected 1

Spotify web player connected 2

Bad luck, Spotify does not limit tracking, even if you are a Premium subscriber! And this time, the identifiers are associated with your Spotify account, which makes them very interesting for these marketing companies: they can recognize you, follow you on your computer and make the link with your other devices. And special mention to Nielsen, which via Visual IQ synchronizes your identifier with several other data providers (boxed in red): TowerData, Oracle, Adobe, Facebook and Tapad!

How to avoid this tracking? Since Spotify does not provide an opt-out for the web (more details later in the article), a reasonable solution is to use an ad-blocker such as uBlock Origin (an extension for Firefox or Chromium).

A chatty but too vague privacy policy

If we now read Spotify's privacy policy, section 6 indicates the reason why Spotify processes your personal data:

legal basis Spotify personalized advertising

Spotify therefore relies on legitimate interest to serve you personalized advertising, in contradiction with the GDPR. If we now look at section 7 to find out which companies Spotify shares your personal data with:

personal data recipients

The information, buried in a long privacy policy, is incredibly vague: who are these recipients? What exactly do they do with your personal data? For example, it would have been necessary to detail why Spotify calls Facebook and leaks your personal data to Google.

Spotify also has a nice "Privacy Center" but this page does not give us any further information regarding advertising, the only indication being:

We collect and use your personal data for the following reasons: [...] To provide you with features, information, advertising or other content based on your specific location.

A masquerade of control over personal data

To understand if it is possible to deactivate tracking, I first consulted the "Privacy Center", which simply redirected me to the page "Privacy Settings" from my account.

Except that this page just allows me to refuse the processing of my Facebook data (by default, the option is activated, did you say consent?) and to refuse personalized advertising (option also activated by default but which is of no use to me because I do not have advertising in the Premium version):

Spotify personalized advertising

Spotify also has a page on the “cookie policy”. On mobile, Spotify mentions the possibility of limiting advertising tracking via iOS:

For example, you can use the “Limit ad tracking” setting (on iOS devices)

No luck, I have already activated this setting (which therefore does not have the advertised effect):

Limit advertising tracking

Spotify also mentions the possibility of blocking cookies on the desktop application (that is, the Mac app):

You can withdraw your consent to the use of cookies on the Spotify desktop app at any time. If you no longer wish to receive cookies, go to the Account Settings page and enable the opt-out of desktop cookies feature. When enabled, it blocks cookies from installing the Spotify desktop app on this computer. [...] Choosing to block cookies on the Spotify desktop application may harm your Spotify experience.

I never gave this consent, so I could withdraw it (but it could harm my Spotify experience, without me knowing why). After further searching, you should not go to the “Account Settings” page, but to “Preferences”:

Spotify Mac Preferences

And there, you need to scroll and then locate “Show advanced settings”:

Scroll Spotify Mac Preferences

Then scroll again to the bottom to discover, well hidden, “Confidentiality” and this very beautiful “Dark Pattern”:

Spotify Mac Privacy

The setting is unchecked, so one might believe that tracking is disabled (as it is for Facebook and for personalized advertisements). Wrong! You must check the setting to block cookies. And Spotify is here to scare you by indicating that enabling the setting can have a negative impact on the Spotify experience... What "negative impact"? No details.

So I checked the setting and restarted Spotify to study the "impact". Unfortunately, the trackers are still there:

Spotify trackers without cookies

In particular, although Google no longer places the IDE cookie via doubleclick.net, it continues to receive all your other personal information, including the Spotify aduserid advertising identifier, which has remained the same. Spotify is making fun of you by preventing Google from placing its IDE cookie but allowing it to identify you via the Spotify identifier (even more invasive because this identifier allows Google to recognize you whatever your device).
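The before/after comparison described above can be automated against two captured ad calls. This is an added example, not code from the original article: it assumes the targeting key-values travel in a URL-encoded `cust_params` query parameter (the article does not show the raw request), and apart from `aduserid`, `artist` and the `IDE` cookie, every key and value is a constructed placeholder.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

AD_ENDPOINT = "https://securepubads.g.doubleclick.net/gampad/ads?"  # from the article

def ad_request_fields(url, cookie_header=""):
    """Flatten one ad call into {name: value}: query, nested cust_params, cookies."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {k: v[0] for k, v in query.items() if k != "cust_params"}
    # Assumption: targeting key-values travel URL-encoded inside `cust_params`.
    # parse_qs has already decoded the outer layer, so parse the inner pairs.
    for blob in query.get("cust_params", []):
        inner = parse_qs(blob, keep_blank_values=True)
        fields.update({k: v[0] for k, v in inner.items()})
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    fields.update({"cookie:" + name: m.value for name, m in cookies.items()})
    return fields

def compare_captures(before, after, watch):
    """Split watched identifiers into still-identical ones and ones now absent."""
    persistent = sorted(k for k in watch if k in before and before[k] == after.get(k))
    dropped = sorted(k for k in watch if k in before and k not in after)
    return persistent, dropped

def sample_request(targeting):
    """Build a constructed ad-call URL carrying `targeting` in cust_params."""
    return AD_ENDPOINT + urlencode({"cust_params": urlencode(targeting)})

# Constructed captures. `aduserid` and `artist` are names from the article;
# `plan` and every value are placeholders.
TARGETING = {"aduserid": "EXAMPLE-AD-ID", "artist": "EXAMPLE-ENCODED", "plan": "premium"}
BEFORE = ad_request_fields(sample_request(TARGETING), "IDE=EXAMPLE-IDE-VALUE")
AFTER = ad_request_fields(sample_request(TARGETING), "")  # cookie opt-out enabled

if __name__ == "__main__":
    persistent, dropped = compare_captures(BEFORE, AFTER, ("cookie:IDE", "aduserid"))
    print("still sent, same value:", persistent)
    print("no longer sent:", dropped)
```

An identifier that lands in the first list after the opt-out is still a stable join key for the recipient, whatever happened to the cookie.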

The Spotify advertising identifier should, however, be blocked according to the definition of cookies given by Spotify:

Spotify cookies

Spotify also has a very special relationship with Google, and not just for advertising: Spotify has decided to migrate its infrastructure to the Google Cloud, which gives Google Cloud Platform a nice use case in its fight against Amazon AWS and Microsoft Azure.

What action against Spotify?

A complaint is already in progress with the Swedish CNIL, concerning the right of access to personal data (article 15 of the GDPR). But no action has yet been taken regarding the leak of personal data, although there is reason to launch an investigation:

  • Spotify leaks your personal data to third parties without first obtaining your consent.
  • In particular, Spotify leaks your personal data to Google and Facebook.
  • Spotify's web player leaks your personal data to the who's who of surveillance marketing.
  • Spotify does not provide any opt-outs on its iOS app.
  • The opt-out provided by Spotify on its Mac app is clearly a "Dark Pattern" and does not work.
  • The privacy policy relies on legitimate interest for personalized advertising, and therefore does not comply with the GDPR.
  • The cookie information page gives false information, as Spotify does not provide the necessary controls to refuse cookies.

And all this even if you pay for a Spotify subscription!