The main areas of contention in the new policy, highlighted by Wired and others, are three additions. Here's the first:
There, @Spotify account ended. I suggest you do the same. Privacy policies like that must die. I'll happily resume sub after remedies.
— Henrik Pettersson (@carnalizer) August 21, 2015
All of these features are pretty easy to explain. Spotify CEO Daniel Ek says this will be used to personalize playlist images or update profile pictures, two features that are apparently on the way but not yet integrated into the app. There's also a "find friends" feature that will let Spotify scan your address book and suggest connections. This is a super common among apps, and will be entirely optional. What about photos? Let's put aside the notion that Spotify gives a damn about the hundreds of pet and food pics on your phone for a second. When it comes to "media files," your guess is as good as ours, but maybe Spotify'll add a song-matching feature, or bring back local music playback? Either way, it will ask you first.
As for the "seek the consent of your contacts," this is really Spotify covering its back. Some countries have strict privacy laws, and your contacts' information may not be yours to share. In reality, you should always ask your friends if they're okay with you sharing their information with a company. Just because you're a total jerk if you don't.
So that really wasn't that bad, was it? Here's the second change:
Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone's GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).
The company has a fitness feature in its apps called Spotify Running, which matches music to the pace of your running using -- you guessed it -- the sensor data from your phone. It's a little bad that Spotify has taken this long to add this stuff into its policy, but the fact remains that this is not new behavior for the apps.
Ready for number three?
So this isn't actually much of an addition at all. It's more of a clarification. The old policy said it would get lots of information from your Facebook account, but didn't do a great job at specifying what it would receive through the link. There's a line about "information that may be available on or through your Facebook account," but it doesn't mention Likes. It's pretty useful to know that Facebook is sending Spotify this stuff, and if you don't like it, you can just not integrate your account with Facebook -- I know I haven't, mainly because I'd rather not be judged on my awful listening habits. You also have the option of going through Facebook's privacy settings to limit what's sent to third parties.