Some loss of privacy is unavoidable with any online or streaming service. In the case of Spotify (which offers two tiers of service: a free subscription with advertising, or $9.99 per month ad-free), it's practically a tautology that if you listen to music through the service, it therefore knows what sort of music you listen to.
So the music-streaming service wanted access to users' email contacts and personal photos. And that's not all. Spotify also wanted information connected to users' Facebook pages (if applicable), including “your username ... and other information that may be available on or through your Facebook account, including your name, profile picture, country, hometown, e-mail address, date of birth, gender, friends' names and profile pictures and networks.”
Depending on the type of device subscribers used to listen to Spotify, “we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).” The location-and-speed monitoring was specifically for users of Spotify Running, which automatically matches music to the pace at which you're traveling.
The almost-instant backlash inspired Spotify CEO Daniel Ek to respond to critics in a blog post titled “SORRY”:
To be fair, it's possible that the entire controversy was merely a misunderstanding. Fast Company, for example, said that “Spotify's privacy gaffe was poor messaging, not bad policy.”
And Ek's apologetic blog post seemed to agree; he repeatedly stressed that these proposed policy changes would only be implemented with users' permission. “We will never access your photos without explicit permission …. We will never gather or use the location of your mobile device without your explicit permission …. We will never access your microphone without your permission …. ”