Spotify recently updated its privacy policy. What is typically an unremarkable update was greeted with serious backlash and users threatening to cancel their accounts.

Spotify’s 20 million paid subscribers and more than 75 million active users now have to agree to the new Terms and Conditions of Use and Privacy Policy, which allow the music streaming service to collect information from users’ smartphones, including their contacts, photos and media files. It can also gather location and sensor data, like whether you’re walking or running. And while Spotify could share user information with its partners under its old privacy policy, the new policy alarmed users about what would be shared and with whom.

Wired Magazine called the new policy “eerie.” Forbes said “Spotify just got real creepy.” Minecraft creator Markus Persson tweeted at Spotify and asked them to “please consider not being evil.”

With users questioning why access to their photos or location is necessary to build more personalized music recommendations and playlists, Spotify CEO Daniel Ek published an apology on the company’s blog.

The apology, titled “SORRY.”, seeks to clear up the confusion around the new privacy policy. Ek stresses that Spotify has to ask for explicit permission before accessing your personal data, you have the option to deny permission, and that the company will be updating the policy to better communicate this.

But even with an apology, has the damage been done? It depends on how Spotify handles its relationship with its users going forward.

Spotify should take a proactive approach when it comes to its privacy policy, especially in light of other apps coming under fire for privacy invasions. Facebook dealt with this a year ago with its switch to the controversial Facebook Messenger app, and even recently rescinded an internship offer to a Harvard student, Aran Khanna, who exposed a major privacy glitch.

Spotify published a blog post ahead of time that was intended to explain the changes, but it wasn’t from CEO Daniel Ek. The post didn’t have the desired effect, and users were left feeling vulnerable and upset. A letter from Ek could have been published before the new privacy policy was rolled out to inform users of the changes and to reiterate Spotify’s commitment to user privacy. Additionally, a letter directly from the CEO would have communicated greater transparency and added a personal touch. A clarification from its CEO after the fact makes it seem like Spotify was trying to hide the changes. Going forward, a proactive approach shows that Spotify has nothing to hide.

Spotify also has to keep its word. Ek’s apology says that “if you don’t want to share this kind of information, you don’t have to,” and if it wants to keep its millions of subscribers and users, the service needs to stick to that statement. Users will know that Spotify is sincere and values their privacy if they can choose not to share their information and still use all of Spotify’s features. If the only way to keep using Spotify is by giving up personal data, then the move may continue to damage the brand.

In an age where a growing number of people are worried about data collection and privacy, Spotify needs to be upfront and sincere about its policy with users because the next Aran Khanna won’t hesitate to expose them.