An Open Letter to Spotify

March 15, 2023

Dear Spotify,

My name is John Roa, and I’m the CEO of Caden. We’re a technology company in New York City whose goal is to empower the average person to control and benefit from their personal data—and provide companies like Spotify with more accurate, ethical, consent-based user data in the process. Caden is backed by top investors like Yahoo! founder Jerry Yang, DoubleClick founding member Wenda Harris Millard, and a dozen top venture capital firms.

Our mission is simple: give every citizen the opportunity to participate in the data economy, and benefit from it. In turn, we strive to help companies like Spotify benefit by giving users more control and consent around how their personal data is used.

Personally, I am a massive fan and user of Spotify. I also have a natural appreciation and empathy for your business and business model and understand the value of the data you collect and activate. My goal with this letter is to acknowledge Caden’s mission in the marketplace, make a case for the user, explain the significant long-term value to Spotify, and invoke tangible partnership conversations to build this future together.

As you know, legislation like CPRA includes a Right to Access clause which allows users of services like Spotify to request copies of their data. Additionally, the CPRA includes a Right of Portability which requires any electronic information must be provided in a format that can be easily ported to a different service provider. In Spotify's case, that would include a record of songs or podcast episodes a user has listened to. That is data each user has a right to, and is also valuable data for a user to be in control of. Not only can that data help to tell a story (what podcasts might I want to listen to based on TV shows or sports I’ve recently watched?) but if a user so chose, that data could be directly monetizable by the user, which is their right.

Spotify obviously sees the value in this, as you’ve had a great and longstanding developer platform that allows this data to flow to the user with their permission, and empowers other products to consume and take action on the data. 

However… there is a clause in your API documentation that limits the freely flowing nature of this data and the spirit of Right to Access & Right to Portability:

Section IV 2e: Transfer to third parties. Except as otherwise set out in these Developer Terms, do not transfer Spotify Content to third parties, including directly or indirectly transferring any data (including aggregate, anonymous or derivative data) received from Spotify to, or use such data in connection with, any ad network, ad exchange, data broker, or other advertising or monetization-related toolset, even if a user consents to such transfer or use. You may transfer Spotify Content to third party data processors, such as server providers for providing your SDA and consistent with your privacy policy and the permissions users have given you. You are responsible for any acts or omissions of those third parties.

(Emphasis mine)

With due respect, the problem here is applying a clause that limits the ability for the user to decide what happens with their data, solely because it came through your API. If a user were to request a copy of their data directly, they have no such restriction on what they can do with it—which also complies with the law. The restriction is unique to your API itself, which we believe is penalizing the user by using a more convenient method to access their data. We fully appreciate there is trademarked / proprietary information that presently flows through the API that should not be granted to the user, which should be easy to differentiate.

In short, we believe that data a user has legal ownership of should be freely transferred and then once in the user’s possession and control, they should be able to do anything they’d like with it, without restriction.

On behalf of Caden and our users, we would like to engage in a direct conversation about Spotify adapting your API to be more consistent with the spirit of the law and fairness to users. This would be a simple change: more compliant terms specifically for developers that are working to empower users to own their own data.

It goes without saying: this data-sharing freedom would benefit companies like Caden and many others in our industry as we work to open up walled gardens and empower users. However, we also believe this creates a number of significant advantages for Spotify as well.

First, more than half of your users rate their privacy as “extremely important”1 and 92% of customers appreciate companies giving them control over what information is collected about them2. We are in the middle of a rapid transition to a privacy-first internet, and brands who create data security, privacy, transparency and portability are going to win consumer favor. Spotify has been both the beneficiary of and damaged by the user privacy conversation. We believe there are many positives to strictly aligning to a privacy-focused future.

Second, while we recognize that letting data more freely flow out of our walled gardens is antithetical to how we’ve looked at digital marketing for the last couple decades, there is a significant benefit when you consider data can then easily flow back to Spotify. 83% of consumers are willing to share their data to create a more personalized experience3. This means that by allowing users to more freely access and transport their data, you are not only adhering to a privacy promise that users find important, but you are now equipping users to share amazing data back to you (imagine: users telling Spotify what movies they watch or where they’re traveling to next so you can recommend amazing content). More user control of data means revolutionary access to consent-based high-quality first-party data that does not sit in silos. As the undisputed leader in the subscription economy, we know that Spotify lives and breathes consumer behavior and finds opportunities to surprise users with prescient, data-driven experiences. What better way to take that user stickiness into the next generation than to open a dialogue with users where they can provide the information stream necessary to make every user’s experience even more bespoke?

Third, Spotify and all modern consumer brands are rapidly losing the ability to connect with users through their data, and this downturn comes at an incredible cost. The IAB recently said that 50% of signal has already been lost4, and that will only get worse. IAPP estimates new privacy laws will cost American businesses a trillion dollars over 10 years5. Between third-party cookie depreciation, Apple’s ATT and other similar measures, ad effectiveness is severely diminished. The most effective way to speak to the customer, whether internally, externally, or to support your own ad platform, is to do it with fully consented and ethically-sourced data that comes straight from the user.

This is why we are asking that you support an update to your API terms to allow users, on behalf of developers, to be fully in control of the data that is legally and rightfully theirs, without restriction. We can follow the Open Banking model and create a valuable ecosystem of fully-private but freely-flowing data. And we’d love to help you do it.

Please let me know personally if you are open to the conversation. It is my commitment that the full extent of my small but mighty team will work to make Spotify more successful in promoting privacy, fairness and security.

John Roa

Founder, CEO