What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), with a separate California Notice at Collection referenced in the document. The policy also engages comprehensive state privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states by extending deletion, access, correction, portability, and opt-out rights to all U.S. residents. The collection of facial photographs for age estimat…

How does Spotify's Spotify Privacy Policy affect users?

The policy establishes that Spotify collects extensive usage data including AI interaction transcripts and facial photographs, with facial data deleted immediately after third-party age verification. Spotify is authorized to share collected data with advertising and analytics partners for tailored advertising purposes on an opt-out basis, with the opt-out mechanism available through the 'Tailored Ads' setting at spotify.com/account/privacy. Users retain the ability to request copies of their pe…

How often is Spotify's Spotify Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Spotify updates this document?

Yes. Watcher subscribers ($9.99/month) can add Spotify to their watchlist and receive same-day email alerts whenever this document or any other Spotify document changes.

CA-D-000036

Spotify Privacy Policy

Spotify

Last change detected April 19, 2026 Privacy policy

SHA-256: db254b83bbbf7d4b7a7… 3 versions captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Spotify ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

7 Medium severity

2 Low severity

Summary

This document establishes Spotify's data collection and usage practices for U.S. users of its music and podcast streaming services. Spotify collects streaming history, search queries, device identifiers, inferred interests, AI feature prompts and transcripts, and facial photographs for age verification purposes, with authorization to share this data with advertising partners and analytics providers for tailored advertising. Users may disable tailored advertising through the 'Tailored Ads' setting at spotify.com/account/privacy and may request data download or deletion through the 'Download your data' tool on the same page.

Technical / Legal Breakdown

This document is Spotify USA Inc.'s Privacy Policy, effective 13 April 2026, governing the collection, use, and disclosure of personal data of U.S. residents across all Spotify streaming services, websites, customer service, and community platforms, with legal basis grounded in service provision, consent, legitimate interests, and compliance with applicable law. The policy states Spotify collects User Data (name, email, date of birth, gender, phone number, street address), Usage Data (search queries, streaming history, browsing history, AI feature prompts and transcripts, device identifiers, IP addresses, inferred interests), Voice Data, Payment and Purchase Data, and Age Check Data including biometric facial imagery; the terms authorize sharing this data with advertising partners, analytics providers, payment processors, technical service partners, and other Spotify group companies. The policy asserts an opt-out model for tailored advertising (rather than opt-in), extends state-law privacy rights to all U.S. residents regardless of state, and discloses collection of AI interaction transcripts and facial age estimation data processed by third-party providers, with Age Check Data stated to be deleted immediately after use. The policy engages the California Consumer Privacy Act (CCPA) and its amendments under CPRA, with a separate California Notice at Collection referenced, as well as Virginia, Colorado, Connecticut, and other state comprehensive privacy laws applicable to U.S. residents; the extension of state rights to all U.S. users reduces but does not eliminate jurisdiction-specific compliance exposure. Material compliance considerations include the biometric data dimension of facial age estimation under state biometric laws such as Illinois BIPA, the adequacy of consent mechanisms for AI feature data processing, and the scope of third-party advertising data flows relative to CCPA's sale and sharing definitions.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

Facial Age Estimation and Biometric Data Collection Compare →

Spotify may take a photo of your face to estimate your age or verify your identity, using a third-party provider. The policy states this photo is deleted immediately after the check is complete.

Added May 12, 2026 Standard Seen across 251 platforms

Medium — 7 provisions

AI Feature Prompts and Transcripts Collection Compare →

When you use Spotify's AI-powered features, Spotify collects the text prompts you enter and transcripts of those interactions as personal data.

Added May 12, 2026 Standard Seen across 198 platforms
Tailored Advertising Opt-Out Compare →

Spotify uses your personal data for tailored advertising by default, but you can opt out through the 'Tailored Ads' setting in your account or via the 'Your Privacy Choices' link on the website footer.

Added May 12, 2026 Standard Seen across 262 platforms
Broad Usage Data Collection including Device and Location Data Compare →

Spotify collects detailed records of everything you do on the service, including what you search for, listen to, and interact with, as well as inferences about your age, interests, and preferences derived from that activity.

Added May 12, 2026 Standard Seen across 251 platforms
Data Sharing with Third-Party Partners Compare →

Spotify shares your personal data with and receives data from advertising partners, analytics providers, payment processors, technical service partners, and third-party apps or devices you connect to your account.

Added May 12, 2026 Standard Seen across 246 platforms
Voice Data Collection Compare →

If you use Spotify's voice features, Spotify collects and processes audio recordings of your voice.

Added April 4, 2026 Standard Seen across 251 platforms
Data Deletion Limitations and Exceptions Compare →

Spotify may decline to delete your personal data if it believes the data is still needed for its original purpose, for fraud protection, for legal compliance, or in connection with any unresolved account issue or legal claim.

Added April 4, 2026 Standard Seen across 223 platforms
Children and Minor Users Compare →

Children under 13 are not permitted to use the main Spotify service, and younger users have tailored advertising turned off by default until they reach the appropriate age, at which point they receive a notice within the app.

Added May 12, 2026 Standard Seen across 262 platforms

Low — 2 provisions

User Privacy Rights Extended to All U.S. Residents Compare →

Spotify states it provides data privacy rights including access, correction, deletion, portability, and opt-out of targeted advertising to all U.S. users, not just residents of states with comprehensive privacy laws.

Added April 28, 2026 Standard Seen across 262 platforms
International Data Transfers Compare →

Spotify transfers your personal data to other countries, including to Spotify group companies and third-party partners, where data protection laws may differ from those in your home country.

Added April 3, 2026 Standard Seen across 246 platforms