Pre-saving an album on Spotify can give record labels and others access to personal data including email addresses and playlists, according to a Billboard study. It can also grant labels permission to manage follows, change songs in their libraries, and potentially even stream Spotify on the fans other devices.
Spotify pre-saves - the streaming equivalent of an album pre-buy - are enabled by accessing Spotify API which allows authorized applications access to specific parts of the streamer's "back-end." But the access given to labels and seeming anyone whose built or operated an authorized Spotify pre-save app goes far beyond what is needed to enable pre-saves - permission to “add and remove items in Your Library.”
Sony was the worst offender in the Billboard study, asking for 16 additional permissions to authorize a pre-save. Universal Music asked for 10 extra permissions in the test.
Why Not Fix it?
So far, neither the labels or Spotify have commented.
It's not clear that anything that the labels are doing is illegal. But why Spotify would allow this level of access and control? Why has streamer's so far failed to publicly admit the problem and fix it? As we saw with Facebook recently, users are increasingly unwilling to tolerate unauthorized access to their accounts and data.
Spotify could also fix the problem by rolling out a pres-save tool of their own. Apple Music already has one baked in.