Users who “pre-save” an upcoming release to their Spotify accounts may be sharing more personal data with the act’s label than they realize.

To pre-save music, which adds a release to a user’s library as soon as it comes out, Spotify users click through and approve permissions that give the label far more account access than the streaming giant normally grants them -- enough to track what they listen to, change what artists they follow and potentially even control their music streaming remotely.

This lets labels access some of the data that streaming companies usually guard for themselves -- which they want in order to compete with the streaming giants on a more even playing field. But at a time when the policies of online giants like Google and Facebook has made online privacy a contentious issue, music’s pre-saving process could begin to spark concern among consumers, and perhaps even regulators.

Labels also ask for far more permissions than they need. Spotify users who, for example, tried to pre-save the Little Mix single “Bounce Back” from links shared by the act or its label, Sony Music, were prompted to agree that Spotify could allow Sony to “view your Spotify account data,” “view your activity on Spotify” and “take actions in Spotify on your behalf.” The exact permissions Sony requests are only visible to those who click through to the corresponding submenus, so users may not fully understand all that they’re agreeing to -- or that the changes apply to their account unless they change it on Spotify’s website.

“I’m not sure if most people realize that,” says John Tinker, a media analyst with Gabelli & Company. “There’s nothing they’re doing that’s illegal -- it’s just that no one ever actually realizes when they sign off on these things what they mean.”

The only access labels need to pre-save music to a Spotify account is permission to “add and remove items in your Library.” But the submenus for Sony’s Little Mix campaign asked users for 16 additional permissions, including to “control Spotify on your device” and “stream and control Spotify on your other devices.” In its campaign for Chris Brown’s new single “No Guidance,” featuring Drake, Sony asked to “upload images to personalize your profile or playlist cover” and manage who you follow on Spotify. (Spotify, Sony and the other major labels declined to comment for this story.)

The exact permissions requested vary among campaigns, but Sony often asks for the most, according to over a dozen pre-save campaigns reviewed by Billboard. Universal Music Group’s pre-save campaigns usually ask for 10 additional permissions; in its campaign for “Ritual” -- the recent single from Tiësto, Jonas Blue and Rita Ora -- it requested access to the user’s birthdate. Warner Music Group routinely asks for 10 additional permissions, including full control over private playlists in the campaign for the Black Star Dancing EP by Noel Gallagher’s High Flying Birds. (All three major labels adhere worldwide to the European Union’s General Data Protection Regulation, which mandates that users be allowed to see the data companies keep about them and, in some cases, ask for it to be deleted.)

“These permissions strike me as expansive and beyond what a reasonable consumer would expect,” says Frank Pasquale, a law professor at the University of Maryland who studies the ethical implementation of technology. “On the other hand, the larger picture is that as the Facebooks, Googles and Amazons of the world get so much data about people, every other company is just going to do the same. I can see why [the labels are] doing it: because they fear if they aren’t as aggressive as Google and Facebook they’re going to lose a competitive advantage.”

Pre-save campaigns, which boost the first-week listening that can drive strong chart debuts, quickly became a music business marketing staple after Spotify added the feature as part of a 2017 update to its API, the software that allows online programs to share data. But the feature has also become a way for major labels, and sometimes other rights holders, to get data on listeners. In some cases, labels could potentially even have the right to control playback on devices running Spotify, like Sonos speakers, although Billboard hasn’t seen evidence of that happening. It does not appear that third parties can change or cancel subscriptions or access a user’s payment information, according to the permission requests reviewed by Billboard.

Major labels are not the only parties who can ask for these kinds of permissions. Independent singer-songwriter Ingrid Michaelson is using the digital marketing company feature.fm in the pre-save campaign for her upcoming album, Stranger Songs, and asking for 12 additional permissions beyond those needed to pre-save the album -- including access to users’ email addresses and control over private playlists.

Pre-saving provides a service to fans, and labels do need a certain amount of access to user accounts to provide it. But Spotify has made it hard to see the extent of permissions that labels ask for, and it hasn’t taken actions to restrict the kinds of information third parties can request -- or what they can potentially do with it. In some cases, for example, when users give a label permission to view their email addresses, it adds them to an artist mailing list. This gives labels the same kind of information about technology users that many online companies already have, but it’s unclear whether users will accept the same kind of tracking practices from them -- especially at a time when such practices are attracting attention in the media and among politicians.

Other streaming services have different policies. For example, Apple Music does not share any identifying information on subscribers, in line with the company’s approach to user privacy. Apple does allow third parties to view users’ music libraries and recently played songs; it also allows third parties to create and modify user playlists with permission, although it makes clearer what access companies are asking for. It does not offer a way for an outside entity to get control over an account or gain access to personal information like an email address.

At a time when media coverage and users are focusing more on online privacy, the data collection practices of streaming services and rights holders haven’t received much attention. That could change soon, however, as companies -- which have in the past sought to cover themselves legally by asking for the widest range of permissions -- shift to asking for only what’s necessary. On May 28, The Washington Post reported that Spotify was among the many iPhone apps that use data trackers to pass along information about users or devices to third parties in the middle of the night, while users sleep.

“I think Spotify could do a lot better, and they ought to be clearer about the nature of consent,” says Pasquale. “Individual consumer action will change nothing: Most people are just too busy to hear about this problem and act on their own. Regulators have to step in and be aggressive in terms of punishing things that are clearly unfair or deceptive and making sure there are some basic standards that are met.”

This article originally appeared in the June 29 issue of Billboard.