Spotify Privacy Policy

This is Spotify's U.S. Privacy Policy, which explains how Spotify collects and uses your personal information when you use its music streaming app, website, and related services — including data about every song you stream, search you make, ad you interact with, and even voice recordings and facial images if you use certain features. The most important thing to know is that Spotify collects detailed behavioral data including your full listening history, search queries, AI feature prompts, inferences about your age and interests, and shares this information with advertising partners to show you targeted ads — even on paid plans in some contexts like podcasts. You can opt out of tailored advertising at any time by visiting spotify.com/account/privacy and adjusting the 'Tailored Ads' setting.

This document is Spotify USA Inc.'s Privacy Policy, effective 13 April 2026, governing the processing of personal data of U.S. residents across all Spotify streaming services, websites, and customer service channels, with legal basis rooted in consent, contractual necessity, legitimate interests, and compliance with applicable U.S. state privacy laws. The most significant obligations created include Spotify's collection of an extensive range of personal data categories — including User Data, Usage Data, Voice Data, Age Check Data (including facial recognition and identity document verification), Payment Data, and inferences about interests and preferences — and its disclosure of this data to advertising partners, technical service providers, payment partners, and other third parties for purposes including tailored advertising and service personalization. A notably unusual provision is the collection and processing of biometric-adjacent Age Check Data (facial age estimation and identity document photos), which is immediately deleted post-check but implicates state biometric privacy laws such as Illinois BIPA and Texas CUBI; additionally, the collection of device sensor data, AI feature prompts and transcripts, and inferences about user age and interests represents a broader-than-standard data profile. The policy engages CCPA/CPRA (with a separate California Notice at Collection), applicable U.S. state consumer privacy laws (Virginia VCDPA, Colorado CPA, Texas TDPSA, and similar), FTC Act Section 5 unfair/deceptive practices authority, and potentially COPPA given the children's section and Managed Account provisions; material compliance considerations include the adequacy of consent mechanisms for biometric data processing, the sufficiency of opt-out controls for tailored advertising (including cross-context behavioral advertising/sharing), and the contractual and technical controls governing third-party data sharing with advertising and analytics partners.