
Peng ’26: Listened to your Spotify Wrapped? Here’s what data Spotify has on you.

Spotify Wrapped 2022 officially dropped on Nov. 30. Like other Spotify listeners around the world, I opened my phone to find my top genres and artists, my four-letter listening personality and my 100 most-listened-to songs in 2022. I was immediately surprised by the Wrapped’s accuracy. Trying to figure out how the app knew what it knew, I decided to make a data request from Spotify. In doing so, I discovered the importance of being informed about the privacy we relinquish when we use online services.

Here is everything I found out.

My Spotify data arrived five days after I made my request, and it came as a folder sent to my inbox. When I opened the folder, most of the files contained information I had previously expected Spotify to store. The company had my email address, payment information and registration details from when I first created my account. I also received two files labeled “StreamingHistory.json” which contained every song I’ve ever listened to, the type of device I used while listening and how many milliseconds I spent streaming each song. This may be the data Spotify uses to customize our Wrapped.

Spotify also collected my search queries, which it claims are used to improve music and podcast recommendations. My “SearchQueries.json” file has a log of all the times I’ve made a search, the type of device I used to make that search, the characters I typed into the search field and which results, if any, I interacted with. For example, the file reminded me that I had typed “driv” into my iPhone on Aug. 29 to play Olivia Rodrigo’s “driver’s license.”

I found my “Inferences.json” file to be particularly interesting. Here, Spotify lists all the inferences it has formed about my interests, personality and life status. These inferences are drawn from my “usage of the Spotify service” and data supplied by “advertisers and other advertising partners,” according to Spotify. Spotify claims that some of the reasons it draws inferences about its users are to serve tailored ads, promote Spotify on “other online services” and measure the “effectiveness of Spotify promotions,” according to Spotify’s privacy policy.

Opening my “Inferences.json” file, I came across a nested list of labels that put me into several categories. The prefix of each label marked the source it had originated from. The ones beginning with “1P” referred to groupings based on first-hand information directly obtained by Spotify. These identifiers were mostly accurate but generally technical, and they included tags such as "1P_Custom_Google_Pixel" and "1P_Custom_ConnectedTV_no_Speaker_Streamers" that described the types of devices I had connected to Spotify. Other “1P” tags were given based on my interactions with the Spotify interface. For example, I received the label “1P_Custom_Passionate_Curators,” which I assume means I make a lot of playlists. This is true.

Labels beginning with “3P” likely refer to groupings made with the help of third-party resources, and they are mostly used to place listeners into market segments for consumer products Spotify thinks they enjoy. Some examples from other Spotify users include labels that classify them as consumers of bread, yogurt or McDonald’s breakfast products. The specificity in these user identifiers suggests the transfer of very precisely packaged data. In particular, labels attached to certain dates point to user actions or e-commerce purchases made on those specific days. One Spotify user reported receiving the tag “3P_Custom__ Entertainment – Mobile & App – Interest – Video Games_19-Feb-2021_WW,” after making a Pokemon Go in-game purchase on Feb. 19, 2021. These incidences of data exchange are representative of a much larger trend — your data is being used as currency.

Here’s where Spotify goes too far. From looking at labels obtained by other Spotify users, I found that some of the “3P” labels seemingly categorize listeners based on Spotify’s interpretations of their personal lives, including inferences about their household income, level of education and family size. Some of these inferences may be inaccurate. For example, one Spotify user reported receiving tags that indicated he was simultaneously getting divorced and getting engaged or married. Although it’s certainly possible for someone to consider divorce and marriage at the same time, the recipient of these tags reported them to be laughably inaccurate.
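For readers who want to review their own export, the label scheme described above (a “1P” or “3P” source prefix and, on some labels, an embedded date) can be sorted with a short script. This is an added example, not code from the author or from Spotify; the labels in the sample are the ones quoted in this article, while the `{"inferences": [...]}` wrapper and the function names are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the labels are those quoted in the article; the
# surrounding {"inferences": [...]} layout is an assumption about the export.
SAMPLE = json.dumps({"inferences": [
    "1P_Custom_Google_Pixel",
    "1P_Custom_ConnectedTV_no_Speaker_Streamers",
    ["1P_Custom_Passionate_Curators"],
    "3P_Custom__ Entertainment – Mobile & App – Interest – Video Games_19-Feb-2021_WW",
]})

# Matches a date such as "_19-Feb-2021_" embedded in a label.
DATE_RE = re.compile(r"_(\d{1,2}-[A-Za-z]{3}-\d{4})(?:_|$)")

def iter_labels(node):
    """Yield every string in an arbitrarily nested list/dict structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from iter_labels(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_labels(value)

def audit(raw_json):
    """Group labels by source prefix and extract any embedded date."""
    report = defaultdict(list)
    for label in iter_labels(json.loads(raw_json)):
        prefix = label.split("_", 1)[0]
        if prefix not in ("1P", "3P"):
            prefix = "other"  # anything that does not follow the scheme
        match = DATE_RE.search(label)
        date = None
        if match:
            try:
                date = datetime.strptime(match.group(1), "%d-%b-%Y").date()
            except ValueError:
                date = None  # looked like a date but was not a valid one
        report[prefix].append((label, date))
    return dict(report)

if __name__ == "__main__":
    for prefix, items in sorted(audit(SAMPLE).items()):
        print(prefix, len(items), [str(d) for _, d in items if d])
```

To run it on a real export, pass the text of your own “Inferences.json” file to `audit` in place of `SAMPLE`.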

It’s curious and more than a little worrying how Spotify generates inferences about us and uses them. Which interactions by a user could lead Spotify to infer that they are getting divorced? What are Spotify’s intentions for monitoring its users so closely? Who exactly are third-party advertisers and how much of our data is sold to them? Concerning these questions and many others, Spotify users remain largely in the dark, guided only by a vague privacy policy. As the tagging system demonstrates, companies often form assumptions about us that we have no control over, and those assumptions affect the way we are treated by online services.

Thankfully, there is a way for us to protect our Spotify data: turning off tailored ads. Opting out of this service will stop Spotify from drawing “3P” inferences, which are primarily used by Spotify to serve tailored ads to its listeners. You can do this on Spotify’s Privacy Settings page, which claims that disabling tailored ads will stop Spotify from sharing “your information with third party advertising partners” and using “information received by them to show you tailored ads.” While this is definitely a good first step, Spotify does not say in its tailored ads statement whether it would stop receiving information about you from its advertising partners — it just won’t use it for the purpose of serving you ads.

Worse yet, Spotify is not the only company trying to collect data about you. In fact, many companies are looking to harvest your data — whether that’s for the purposes of improving their service, turning a profit or both. To see how Spotify’s data collection methods differ from those of other companies, I also requested my data from Google. In response, I was sent 12 GB of files including an archive of my entire search history, a list of every profile picture I’ve ever used and Google’s confidence levels about whether I was "STILL," "IN_CAR" or "ON_BICYCLE" at various locations. Brown is also collecting data about you. If you log into your Brown account and go to the “Data & Privacy” page, you can see how Brown records every time you swipe your ID card (counting invalid swipes), connect to the Brown WiFi or authenticate your device through Duo Security. Unfortunately, there’s no way to stop these companies or institutions from collecting your data, but there is a benefit in reading the fine print to see what they’re using it for.

As the transfer of more goods and services becomes digitized, it is increasingly crucial for us to protect our data. This starts with paying more attention to a company’s privacy policy and knowing what’s at stake when accepting cookies from a website. It is in our best interest to keep our data private, safe and secure so that it is not used without our knowledge.

Beware. Just as you are listening to Spotify, Spotify is listening to you.

Christina Peng ’26 can be reached at christina_peng@brown.edu. Please send responses to this opinion to letters@browndailyherald.com and other op-eds to opinions@browndailyherald.com.



All Content © 2023 The Brown Daily Herald, Inc.