Spotify Wrapped is here. Every year since 2016, Spotify processes a year’s worth of listening data — every play, skip, and repeat — into a personalized snapshot of your behavior. The listening platform describes it as “a mirror showing the moments, moods, and memories” that shaped your year.

As it does every year, Wrapped is flooding Instagram Stories, dominating group chats, and inspiring dozens of articles about the company’s marketing genius. And, like clockwork, every business leader is asking: How can we do our own?

It’s no wonder. Spotify Wrapped is a great commercial success. Many of its 713 million users have taken to sharing their top artists, albums, and songs — effectively turning personal analytics into free distribution. In 2024, Spotify’s co-president Alex Norström said it was a “huge driver behind MAU and subscriber growth”, boosting Q4 performance as it always does.

Businesses in other industries are tempted to try similar tactics: banks experimenting with end-of-year spending recaps, fitness platforms attempting annual workout summaries, even grocery stores releasing “your year in orders” campaigns.

Wrapped’s charm has made it harder for people to see its methods as surveillance. Instead, it’s set a dangerous precedent — one that’s far riskier for most businesses than it appears.

Nobody explicitly consented to Spotify Wrapped

A common defense of Wrapped (and surveillance advertising in general) goes like this: “Consumers don’t mind tracking if they get something valuable in return.”

That argument, however, is based on the premise of a fair exchange of value, in which both parties consent to the trade. Spotify users don’t have that choice.

As NPR notes, researchers studying the privacy paradox reject the fair value exchange framing altogether because it implies consumers have a real option to protect their privacy. In practice, they don’t.

Spotify does not allow users to withdraw their consent for the collection of basic streaming history. Services are designed so that opting out of handing over data means opting out of modern life. Wrapped has normalized “constant tracking of digital footprints consumers leave online,” says Yakov Bart, a marketing researcher at Northeastern University. “…Instead of kind of feeling under surveillance, users (are) basically feeling seen.”

But for smaller, less beloved businesses, now’s not the time to be opaque about how you use customer data. As distrust and suspicion about data collection methods (especially around AI) rises, your customers want more information — not less — about what they’re agreeing to when they hand their personal data over.

Detailed, mandatory data collection isn’t just an ethically questionable customer-experience issue. It leaves you open to regulatory risk too.

Crossing the privacy line

Wrapped works because Spotify tracks everything you do on the platform: what you listen to, when, how many times, in what sequence, how your behavior changes over the year, which artists you skip, and even the emotional tone inferred from your habits. That is a lot of data.

Collecting, storing, and using that amount of behavioral data is expensive and logistically challenging. It’s also a liability.

Every extraneous bit of data you store — every behavior log, event timestamp, or inferred preference — is more data you could leak in a breach. A single incident can cost a small firm over $1 million in regulatory fines under GDPR, incident-response costs, class-action lawsuits, customer churn, mandatory credit monitoring, reputational damage, and months of internal disruption.

Spotify itself is facing a €5 million fine in Sweden for failing to give EU users full transparency about the personal data it processes. That’s why data minimization (collecting only the data you need to deliver the service) matters. It signals credibility.

If you’re collecting more data than you need to deliver your service, that isn’t personalization. It’s surveillance.

For most businesses, the risk simply isn’t worth it.

What should your business do instead?

You don’t need to offer a glossy annual recap that spies on your customers and broadcasts those findings. What you do need to offer is trust.

Here are three principles that privacy-first companies (including Proton) stand by:

  1. Collect the data you genuinely need. Nothing more. Should you track your users’ clicks, location, and heart rate if your business is a calculator app? Almost definitely not.
  2. Ask for explicit, granular consent. Your users shouldn’t be tricked, nudged, or overwhelmed into data sharing. If you can’t explain why you need a data point in one sentence, it’s highly unlikely that you’ll need to collect it.
  3. Treat user data as borrowed, not owned. Privacy-first companies operate on the assumption that customers’ data belongs to them alone. The company is merely its temporary steward. That means, if/when a customer wants to delete their data, they should be able to delete it anytime and still be able to use the service.
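The data-minimization argument in the previous section and the three principles above can be shown in code. The following is an added example written for this post, not Proton’s code or any real service’s pipeline: a tiny year-in-review store in which every purpose declares the only fields it may read, consent is granted per purpose, incoming events are stripped to those fields before anything is kept, the recap is computed from play counts rather than a raw event log, and withdrawing consent erases what that purpose collected while the service keeps working. All names (`PrivacyFirstStore`, the purposes, the event fields) and the sample events are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Principle 1: each purpose declares the only fields it is allowed to read.
# Anything else in an incoming event (device id, GPS, exact timestamp, ...) is
# dropped at ingestion, so it can never be leaked in a breach. Assumed schema.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "playback": {"user_id", "track_id"},        # needed to deliver the service
    "recap": {"user_id", "track_id", "month"},  # needed for the year-end summary
}
BASE_PURPOSE = "playback"  # using the service implies this purpose and nothing more


@dataclass
class PrivacyFirstStore:
    # Per-user set of opted-in purposes (principle 2: granular consent).
    consents: Dict[str, Set[str]] = field(default_factory=dict)
    # Recap data lives only as per-user play counts, never as a raw event log.
    recap_counts: Dict[str, Counter] = field(default_factory=dict)

    def grant(self, user_id: str, purpose: str) -> None:
        """Opt a user in to exactly one purpose."""
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.consents.setdefault(user_id, set()).add(purpose)

    def withdraw(self, user_id: str, purpose: str) -> None:
        """Principle 3: withdrawing consent also erases that purpose's data."""
        self.consents.get(user_id, set()).discard(purpose)
        if purpose == "recap":
            self.recap_counts.pop(user_id, None)

    def delete_user(self, user_id: str) -> None:
        """Full erasure on request; the account can keep using the service afterwards."""
        self.consents.pop(user_id, None)
        self.recap_counts.pop(user_id, None)

    def ingest(self, event: dict) -> dict:
        """Reduce an event to the fields the user's consented purposes need, then process it.

        Returns the minimized record, i.e. everything the service actually retains.
        """
        user_id = event["user_id"]
        purposes = {BASE_PURPOSE} | self.consents.get(user_id, set())
        allowed = set().union(*(PURPOSE_FIELDS[p] for p in purposes))
        minimized = {k: v for k, v in event.items() if k in allowed}
        if "recap" in purposes:
            counts = self.recap_counts.setdefault(user_id, Counter())
            counts[minimized["track_id"]] += 1
        return minimized

    def recap(self, user_id: str, top_n: int = 3) -> Optional[List[Tuple[str, int]]]:
        """Year-end recap built from aggregates only; None if the user never opted in."""
        if "recap" not in self.consents.get(user_id, set()):
            return None
        return self.recap_counts.get(user_id, Counter()).most_common(top_n)


# Constructed sample events. The extra fields are what a tracking-heavy pipeline
# would keep; here they never make it past ingestion.
SAMPLE_EVENTS = [
    {"user_id": "alice", "track_id": "t1", "month": 3,
     "ts": "2025-03-04T08:12:00Z", "geo": (48.85, 2.35), "device": "phone-a"},
    {"user_id": "alice", "track_id": "t1", "month": 5,
     "ts": "2025-05-19T22:40:00Z", "geo": (48.86, 2.34), "device": "phone-a"},
    {"user_id": "alice", "track_id": "t2", "month": 5,
     "ts": "2025-05-20T07:05:00Z", "geo": (48.86, 2.34), "device": "laptop-a"},
    {"user_id": "bob", "track_id": "t9", "month": 1,
     "ts": "2025-01-02T12:00:00Z", "geo": (51.50, -0.12), "device": "phone-b"},
]


def run_demo() -> PrivacyFirstStore:
    """Alice opts in to the recap; Bob does not. Both can still play music."""
    store = PrivacyFirstStore()
    store.grant("alice", "recap")
    for event in SAMPLE_EVENTS:
        store.ingest(event)
    return store


if __name__ == "__main__":
    demo = run_demo()
    print("alice recap:", demo.recap("alice"))   # top tracks from counts only
    print("bob recap:", demo.recap("bob"))       # None: never consented
    print("retained for bob:", demo.ingest(SAMPLE_EVENTS[3]))
```

The point to notice is where minimization happens: the allowlist is applied before any write, so the timestamp, location and device fields in the sample events are never stored for anyone, and a user who never opted in to the recap leaves behind nothing but the two fields playback itself requires.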

A better kind of year-in-review

Most businesses can’t copy Wrapped because they don’t share Spotify’s granular view of consumer data, its brand affection, or cultural impact. Even if you did, it wouldn’t charm your customers — it would alarm them.

Privacy laws are tightening. Public sentiment is shifting. AI-driven data extraction is under increasing scrutiny. As people become more aware of how much of their behavior is quietly tracked and repurposed, they’ll choose services that respect their boundaries.

The good news is: There are ways to provide personalized year-end recaps that adhere to privacy-first principles. For example, Strava’s opt-in activity summaries reflect only the workouts users deliberately record, and Duolingo’s clear, time-bounded recap tells learners exactly which data is included.

You also have the option to skip data tracking entirely by offering:

  • A self-guided “Your year with us” quiz: Let people click through a short interactive quiz. The result feels personalized, but you never log or store the responses.
  • A privacy-respecting leaderboard: Highlight the most popular features overall, or the most common workflows your customers rely on.
  • Customer-powered success stories: Invite users to voluntarily share a win from the year. Turn the best ones into a collage or short reel. No tracking — just opt-in submissions.

If you’re asking, “How do we build our own Wrapped?”, the more relevant question may be: “How do we build trust?”

You won’t just avoid the pitfalls of Wrapped-style surveillance; you’ll help build an internet where data is treated with restraint, where users have autonomy, and where loyalty is earned by usefulness, not intrusion.