Pre-saving albums on Spotify can give music labels access to personal user data like emails addresses and playlists, according to a Billboard report. It also gives labels permission to manage who users follow, add or remove songs from their libraries, and stream Spotify on users’ other devices.

Spotify users can pre-save upcoming releases to have the album added to their libraries as soon as it’s available. Users have to click and approve permissions to give labels access to do this, but labels are given way more access than the one permission they require, which is to “add and remove items in Your Library.”

Since 2017, labels — the worst offender being Sony Music — have asked for an excessive amount of permissions, when it only requires a single permission to pre-save an album. Why haven’t you noticed? Spotify hides the actual permissions requested behind a drop down menu pic.twitter.com/KxQSbyW8fj — Micah Singleton (@MicahSingleton) June 27, 2019

For example, users who tried to pre-save the Chris Brown song, “No Guidance,” were asked by Sony Music to give the label access to “upload images to personalize your profile or playlist cover” and “manage who you follow on Spotify.” Users may not have known what they were agreeing to, as the permissions were hidden underneath numerous submenus.

Sony Music was found to ask for the most permissions, with 16 more than necessary. Universal Music Group usually asked for around 10 additional permissions, including asking for the user’s birthdate. Warner Music Group also asked for around 10 additional permissions, too, such as in its campaign for Noel Gallagher’s Black Star Dancing EP, when it asked for full control over private playlists.

While Spotify and the labels aren’t technically breaking any laws, it’s another sign that users should be more cautious of the fine print when they’re granting third parties access to their data.