Data Sharing with Third-Party Partners

What it is

Spotify shares your personal data with and receives data from advertising partners, analytics providers, payment processors, technical service partners, and third-party apps or devices you connect to your account.

Why it matters (compliance & governance perspective)

The policy authorizes data flows to and from multiple categories of third parties, including advertising partners who may share audience data with Spotify to enable targeted advertising; the scope of these flows determines what data about you is available to external parties and for what purposes.

Consumer impact (what this means for users)

Your personal data, including usage behavior and device information, may be shared with advertising partners, analytics providers, payment partners, and technical service partners; advertising partners may also send data about you to Spotify to enable interest-based ad targeting, subject to your tailored advertising preferences.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Third-party data sharing for advertising purposes constitutes 'sharing' of personal information under CCPA/CPRA, triggering opt-out rights and disclosure requirements. The policy's disclosure of advertising partner data flows and the opt-out mechanism provided are designed to address these requirements. FTC oversight of data broker and advertising partner relationships is also relevant. CCPA/CPRA requires contracts with service providers to restrict secondary use of shared data. GOVERNANCE EXPOSURE: Medium. The policy categorizes third-party recipients but does not name specific advertising or analytics partners. CCPA/CPRA requires that the categories of third parties with whom data is shared be disclosed, which the policy provides. The absence of named partners is consistent with common industry practice but limits consumer ability to assess specific downstream risks. JURISDICTION FLAGS: California CPRA requires data sharing agreements with all third parties who receive personal information for advertising purposes. Virginia, Colorado, and Connecticut require processors to be bound by data processing agreements. The global scope of Spotify's operations means that even this U.S.-specific policy interacts with international data transfer frameworks for users who travel or access services across borders. CONTRACT AND VENDOR IMPLICATIONS: All advertising and analytics partners receiving personal data should be covered by data processing agreements that define permissible purpose, prohibit secondary use, and require security standards. The disclosure that third-party authentication partners send user information to Spotify at sign-up should be backed by agreements restricting Spotify's use of that data to account creation purposes. COMPLIANCE CONSIDERATIONS: Legal teams should maintain an up-to-date data sharing inventory mapping each third-party partner category to the specific data types shared, legal basis, and contractual protections in place. Annual reviews of advertising partner contracts against CCPA/CPRA service provider requirements are advisable.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Facial Age Estimation and Biometric Data Collection high
• AI Feature Prompts and Transcripts Collection medium
• Tailored Advertising Opt-Out medium
• Broad Usage Data Collection including Device and Location Data medium
• User Privacy Rights Extended to All U.S. Residents low
• Voice Data Collection medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.