How Netflix, Spotify and Deezer manage your personal data

3 June 2019

They are increasingly adopted by Internet users, and while they are diversifying and monthly subscription offers are multiplying, they tend to differentiate themselves thanks to successful exclusives that are increasingly talked about.

Witness the collective frenzy around the recent return to the screens of the iconic robbers of La Casa de Papel.

These are, of course, the subscription-based video or music on-demand streaming platforms.


Among the best known are Netflix and Spotify, followed closely by several industry behemoths such as Deezer, Apple Music, Amazon Prime, Hulu, and many others for which success seems to be just as much in the air. Their rise is indeed staggering:

  • Netflix announced in April 2019 the biggest increase in subscribers in a quarter, up 9.6 million, bringing the total to 148.86 million users worldwide.
  • In the same month, Spotify became the first music streaming platform to gain 100 million subscribers, a 32% increase over the same period last year.

These streaming giants acquire a lot of personal data about the video or music consumption of their millions of subscribers.

These data are used to refine their algorithms in order to target tastes precisely and issue the famous recommendations that are a major element of their development.

This data is also analysed and taken into account for strategic marketing and sales decisions, and as it provides important insights into consumer tastes and desires, it goes without saying that it is coveted by many companies.

While popular streaming platforms have never hidden their data collection and analysis practices for personalisation and enhancement purposes, their users are apparently not necessarily aware of what this involves.

On 10 December 2017, about 5 months before the GDPR came into force, Netflix started a new and somewhat peculiar communication campaign through a tweet that was meant to be humorous:



“To the 53 people who have watched ‘A Christmas Prince’ every day for 18 days: who hurt you?”.



The next day, several newsrooms around the world received a statement from Netflix giving a numerical review of 2017. The report provided general information about customers and hours of content watched (140 million per day and 1 billion per week), but also more specific information:

For example, one customer “watched Pirates of the Caribbean every day for a year”, and another, living in the UK, saw “Bee Movie 357 times in 2017”.


Many internet users were probably seeing for the first time what data collection by streaming services actually entailed. Realising that the services could know what their users were watching, when, and how often, they were outraged, and the tweet in question caused a scandal.


But Netflix is not the first platform to choose to communicate in this way and publicly reveal precise data about its users’ consumption: about a year ago, Spotify created some similar advertising posters on which it was possible to read messages such as “To the Parisian who listened to ‘Cold Water’ 26 times on the hottest day of the year”, or “To the 1,722 guys in Paris who liked the ‘Girl’s Night’ playlist this year, excellent choice”.

Users keen on their own streaming data


However, not all users of streaming platforms are necessarily opposed to this data collection. With the development of numerous connected objects that can capture physiological constants and sports performance, some streaming platforms have grasped the global craze for “self-measurement”. Spotify and Deezer have each developed a tool that allows their users to obtain reports on their usage statistics for the corresponding platform.


The first, Spotify Wrapped, shows the most listened-to tracks, the most recurrent genres, total listening time, the times of day when Spotify is frequently used, and other information that varies over the years.

The second tool, Deezer’s Stateeztics application, provides similar statistics about the listener and some of their friends on a monthly basis. The dazzling success of this application, which has seen its number of users explode to over 530,000, only confirms the interest aroused by the quantified self.


This anglicism, sometimes translated into French as “self measurement”, refers to all the practices that enable people to measure themselves, to obtain data on their body, health, activities or tastes through new technologies in order to know themselves better, to evolve, or possibly to compare their lifestyle with that of others. In the same way that measuring one’s steps, heart rate, or the performance of one’s last jog allows one to know oneself and to situate oneself physically, measuring one’s listening habits can lead to an understanding of one’s musical habits, oneself, and one’s tastes, which it is now possible to claim by sharing this information with one’s circle of friends.


But obviously, all this does not indicate anything about the security and storage of their users’ personal data by the streaming platforms, nor about the overall uses of this information…


Sometimes controversial platform processes


And for good reason, various problems involving personal data have affected several of these streaming platforms.

As part of an investigation into Facebook, the British Parliament published in December 2018 more than 200 pages of internal exchanges at the social network proving that it had concluded agreements with nearly 150 companies, giving them access to the personal data of its users without their knowledge. These included Spotify and Netflix, which had also been the subject of a special agreement, as they had even had access to users’ Messenger conversations. Although Facebook later explained that it had provided such access as part of experiments to integrate Messenger with these platforms, this was obviously not viewed very favourably.

Notably, Spotify had already had some issues with personal data prior to the GDPR, particularly in an update to its terms of use and privacy policy in August 2015, in which the company indicated that it was expanding the amount of personal data it could collect.

Once the new policy was accepted, users consented to the platform collecting their geolocation details, photos, contacts, and information from their smartphones’ sensors to determine whether they were walking, running, or standing still. The platform could then pass this information on to its partners, officially for the purpose of improving the user experience and developing new solutions. Journalists, celebrities and social network communities protested against this new collection, which they felt was abusive, leading the platform’s owner to explain and apologise.


Shortly after the GDPR came into force, Peter Steinberger, an Austrian developer and Spotify user, wanted to exercise his right of access with the streaming platform in order to obtain the personal data it held about him. First, he used the online data download facility available within Spotify accounts and found that by default he only retrieved a tiny archive containing almost nothing. This was followed by numerous email exchanges and complaints, after which he finally got his entire file.

In addition to the classic information declared as being collected by the platform, and that necessary for its proper functioning, the 250 MB of data contained the complete tracking of every interaction with the service, down to the smallest detail: the way he resized the application’s windows, the brand of headphones he used, the way he adjusted the volume while listening to songs, his searches, and the slightest action performed on the user interface. This information can sometimes be trivial, even useless and unusable, which highlights the tendency of some companies to want to collect data on a massive scale.


The GDPR not yet fully integrated


Already known for having attacked Google, Facebook, Instagram and WhatsApp, the NOYB (None of your business) association, led by the Austrian lawyer and activist Max Schrems, filed a complaint in January with the Austrian data protection authority (the country’s equivalent of the French CNIL) against eight streaming services. Netflix, Amazon Prime, YouTube, Spotify, SoundCloud, Apple Music, Flimmit and DAZN are accused of not respecting Article 15 of the GDPR, namely the right of access of individuals, via a request for the exercise of rights, to the personal data that an organisation holds about them and to the way in which this information is obtained, processed and stored.

The association sent a request to each of the 8 platforms. While 2 of them did not respond (SoundCloud and DAZN), the 6 responses received were all considered insufficient: some types of data were missing, those provided were transmitted in formats that made them very difficult or impossible to read for ordinary readers, and contextual information such as sources, recipients, purposes of collection of personal data, and their conditions and retention periods was missing. Only the Flimmit platform stood out as offering a relatively decent response to the request, although it was too incomplete to be considered compliant.

Another problematic element is the right to data portability (Article 20 of the GDPR), which allows an individual to receive his or her personal data held by one organisation in a structured format in order to transfer it to another organisation. This right could be useful in the context of streaming services, for example to transfer one’s playlists, history, and recommendation information from one platform to another when switching.

But unfortunately, while the vast majority of services offer a tool for downloading data, the function allowing you to import them into another platform is still far from being developed and made available. There are, however, third-party solutions such as Soundiiz or Stamp, and Google is currently working on developing a common software base for data transfer between the various services. Called the Data Transfer Project, the initiative is still in the development phase.


Developments involving personal data to be anticipated


While streaming players tend to evolve by offering new content or services, one of these innovations is particularly controversial: the interactive narratives offered by Netflix, series or films in which the viewer identifies with the main character and must make decisions that will influence the rest of the storyline.

In this way, the platform no longer only collects data on users’ programme choices, but also on the choices made during viewing. In the first programme of this type created, Bandersnatch, the viewer can, for example, choose whether the main character accepts a job in a company, goes on a date or follows a friend instead. They can also choose between two different kinds of music to listen to on the bus, or between two existing brands of cereal to consume during breakfast: Frosties, which was chosen by 60% of viewers, and Sugar Puffs.

Given that a researcher at University College London found that this data about users’ choices was retained and always linked to them (linked to their account), it is easy to anticipate the possible commercial uses of such a format, potentially serving as a tool for brands to survey the popularity of their products.

Streaming platforms can therefore collect large amounts of data about their users. While new legislation such as the GDPR aims to protect users from abuse, data subjects themselves need to learn to pay a little more attention to the terms of use and policies of platforms without accepting everything out of hand.

Subscribers do not seem to be opposed to the collection of their data as long as it is not abused, but they do protest against some of the uses that can be made of this information. As platform practices evolve, such as Netflix’s recent interest in the physical activity of its users captured by their smartphones in order to improve its offerings, it is certain that personal data regulations will continue to evolve in order to ensure citizens’ continued protection.
