OK, Spotify have now invoiced me for the £10 for my Subject Access Request so I'll pursue that.
In the meantime, here's my last email to them. No reply, so here's what I believe to have happened.
--
I have passed the details of your breach of the Data Protection Act 1998 to the Information Commissioner's office following a conversation in which they requested same.
Before I go ahead and place this information in the public domain (for instance, contacting BBC's Watchdog programme, News 24's Click and news channels) I wanted to give Spotify the opportunity to correct any misunderstandings or factual inaccuracies.
I believe the following to be a true and accurate reflection of what has happened.
Please respond within five calendar days from the date of this email with any corrections so that I can ensure that anything published about you is entirely accurate.
Thank you,
Mark
1. I disabled my Facebook account a long time ago and did not and do not use it.
2. I created a Spotify account with a specific username and used that on signup quite some time ago. I do remember very specifically choosing a Spotify login; I do not use Facebook anyway.
3. I then later rebuilt my PC and used incorrect login details to access Spotify, using my email address instead of the correct user name.
4. Instead of rejecting my invalid login, Spotify have asked Facebook if I have an account with that user name and password despite me giving no explicit sanction to transmit that information to them.
They said they did, even though the account was suspended, and Spotify have gone ahead and set up a second account linked with Facebook by virtue of the invalid login. It's my fault for using incorrect login details, yes. But I'd expect to be told so. This has resulted in me having two paid subscriptions running simultaneously - one for the orphaned account and one for the 'Facebook' one.
5. Without knowing it, I've been using that account since the rebuild in step 3.
6. I realised that my Facebook account had "come back to life" all by itself last week, and this time requested a complete deletion of my data. Shortly after this point the Facebook account was deleted.
7. I find that my Spotify login no longer works. As I key in what I believed to be the correct login, which had worked before, Spotify have then made API calls to Facebook and sent them that email address and password *after* I had them delete my data (clearly, since this is why the login stopped working). So it's possible that the very data I wanted removed from Facebook's database is now stored in there again in a list of "login attempts", leaving me vulnerable to exactly the sort of data disclosure I wanted to prevent when Facebook is eventually compromised, whether it's stored using a one-way hash or not.
I only spotted this after I emailed Spotify at Step 7 and Spotify responded confirming there were duplicate accounts. I had no idea until that point, nor that I had paid twice.
The clues were there:
1. The mysterious reactivation of the Facebook profile
2. Having to put the card details again on the second account - I assumed something had gone wrong, maybe the card got declined (I had to have the card in question replaced at one point around that time and the new one had a different number resulting in a string of declines for automated subscription payments which I had to rectify manually at the time)
3. The change of the Spotify interface from a split "choose your login" to "Login with Spotify or Facebook" - that is the really key one.
If you go to Spotify.com - download the app - and enter an email and password both those pieces of information will be sent to Facebook to check against their database to see if you have a Facebook account.
There is a serious data disclosure issue here which has occurred specifically because the login screen does not offer two login routes with, say, a drop-down list to pick which one you want; rather, it takes it upon itself to send what you key in to Facebook.
My Facebook account was not only "reactivated" but whatever I listened to with that connected account was also passed to Facebook and may have been published on my reactivated Facebook page.
Finally, because of the account lockout, it was necessary for me to look up the WHOIS record to find contact details; other users may not know how to do this. It is impossible to contact the company online without logging in.
--
I also discover that it is possible that Facebook passed back, along with the "login token", details such as my profile photograph. Which I take to be a very similar and serious breach of the Act in the opposite direction. However that is not a statement of fact, it is conjecture based on what I have read elsewhere.
The irony is that Spotify wanted to compete with iTunes. Until this happened I had a paid Spotify subscription, now, I buy stuff from iTunes.
I deleted the original posts after discovering that I was very far from the only one to have been impacted by these changes at Spotify, though perhaps the combination of events meant I was impacted more than most. I wanted to give Spotify the opportunity to correct anything that was not correct.
As they have elected not to bother replying, I'll take it that I was correct.
In summary, I think my privacy has been royally raped by these two companies and I would recommend that people avoid both.