Spotify has been fined a total of SEK 58 million (equivalent to approx. $5.4 million) by the Swedish Authority for Privacy Protection (IMY), which found it to be in breach of the General Data Protection Regulation (GDPR), which entered into force in 2018.
IMY found the failings during an audit of how Spotify was handling users' personal data, particularly around how it informs users that they have the ability to access their data and that Spotify releases the data only when individuals request it. Karin Ekström, one of the legal advisors who led the supervision, said the following:
"The information that the company provides about how and for what purposes individuals' personal data is handled should be more specific. It must be easy for the person requesting access to their data to understand how the company uses this data. In addition, personal data that is difficult to understand, such as that of a technical nature, may need to be explained not only in English but in the individual's own, native language. In these parts, we have seen certain shortcomings."
Furthermore, customers who made the request for their personal data had been able to choose exactly which data they wished to have access to, because Spotify has divided the data up into areas that are referred to as 'layers'. For instance, one could contain contact and payment details while another could contain followed artists and listening history.
IMY further stated that the deficiencies discovered during the audit are considered to be of a low level of seriousness. However, considering this and the number of registered users along with Spotify's turnover, the regulator confirmed that Spotify would still be liable for the administrative fine of SEK 58 million for "not having provided sufficiently clear information to individuals."