Privacy Lessons Learned From Spotify’s $5 Million Fine

by: Dhara Shah

On June 13, the Swedish Authority for Privacy Protection (IMY) fined Spotify approximately $5.47 million USD for failing to properly process user data access requests. While IMY found that Spotify permitted users to submit a data access request, the streaming platform seemingly failed to provide the full scope of information required under the GDPR.

This serves as an important reminder for all businesses – whether subject to the EU or United Kingdom’s GDPR, California’s CPRA, or otherwise – to ensure their internal business processes are up to par with legal requirements. For access requests, this means not simply replying by sending the user all the personal information you have collected; rather, you must adhere to the specific instructions on what information you must provide. For example, the GDPR requires disclosing the:

  • Purposes for processing the personal data;

  • Categories of personal data processed, including an explanation of any technical data in English and the user’s native language;

  • Third parties to whom personal data is disclosed;

  • Duration for which the personal data will be stored, or the criteria to determine such retention period;

  • Related rights the user has (such as to delete or correct the data);

  • Ability to lodge a complaint with a supervisory authority;

  • Source of personal data collection, if not from the user;

  • Safeguards in place for any transfers of data to a third country (such as the US); and

  • Whether automated decision-making is occurring and if so, how.

Similarly, California requires businesses to disclose the categories of: personal information collected, sources of collection, and third parties to whom the personal information is disclosed. California also requires disclosure of: the business or commercial purpose for collecting, sharing, and selling such information and, upon request by a consumer, the specific pieces of personal information collected.

So What Should My Business Do Now?

If not already in place, now is the time for your legal and compliance teams to set up internal guidance documents for your employees to follow when handling user rights requests. These internal guidelines should outline how to respond to each type of user request (access, deletion, etc.), and note the specific requirements under all privacy laws your business is subject to. For example, and as flagged by IMY, when processing access requests under the GDPR, ensure that you provide an explanation of any technical data your business collects, in both English and the user’s native language.

Originally published by InfoLawGroup LLP.