Music streaming service Spotify allows users to “pre-save” an upcoming release to their accounts. But users don’t realize that, by doing so, they are also agreeing to let Spotify release more personal data than is typical to the upcoming release’s label. Those labels can access information to track a user’s listening behavior, change the musicians they follow and possibly even control their music streaming remotely. In an era in which data privacy is receiving more consumer attention, Spotify’s practice is likely to become an issue.

Billboard reports that the labels ask for “more permissions than they need.” Labels only need permission to “add and remove items in your Library,” but the sub-menus for a Sony Music pre-save asked for 16 more, including to “control Spotify on your device … [and] stream and control Spotify on your other devices.”

Gabelli & Company media analyst John Tinker noted, “there’s nothing they’re doing that’s illegal — it’s just that no one ever actually realizes when they sign off on these things what they mean.” For another Sony title, Chris Brown’s new single, Sony wanted to “upload images to personalize your profile or playlist cover … and manage who you follow on Spotify.”

“These permissions strike me as expansive and beyond what a reasonable consumer would expect,” said University of Maryland law professor Frank Pasquale. “On the other hand, the larger picture is that as the Facebooks, Googles and Amazons of the world get so much data about people, every other company is just going to do the same … they fear if they aren’t as aggressive as Google and Facebook they’re going to lose a competitive advantage.”

Spotify added pre-save campaigns in 2017, and the “the feature has also become a way for major labels, and sometimes other rights holders, to get data on listeners.” Pre-saving can be “a service” for fans; singer/songwriter Ingrid Michaelson and her digital marketing company Feature.fm asks for 12 additional permissions, “including access to users’ email addresses and control over private playlists.”

But, adds Billboard, “Spotify has made it hard to see the extent of permissions that labels ask for, and it hasn’t taken actions to restrict the kinds of information third parties can request — or what they can potentially do with it.” In fact, Spotify was identified as one of many iPhone apps that use data trackers to pass along information about users or devices to third parties in the middle of the night,” while users are sleeping.

“I think Spotify could do a lot better,” said Pasquale. “They ought to be clearer about the nature of consent … Regulators have to step in and be aggressive in terms of punishing things that are clearly unfair or deceptive and making sure there are some basic standards that are met.”

All three major music labels “adhere worldwide to the European Union’s General Data Protection Regulation, which mandates that users be allowed to see the data companies keep about them and, in some cases, ask for it to be deleted.”