Share via

XR-014: Player Data and Personal Information *

  • Article

Version 2.0, 08/01/2024

Game publishers are solely responsible for collecting and processing end user data in accordance with applicable law especially when the user is a child.

Additionally, when a title has information about a player either acquired from Xbox or from their relationship with the player directly (such as a website or mobile app), titles must not display to other players:

  • Information that could be used to cause financial damage to a user (such as Social Security or credit card numbers).
  • Information that divulges a user's address beyond country/region.
  • Information that would allow a user to impersonate another user online, such as account credentials.

Handling Child Data
When collecting data from accounts in the Child or Teen Age Group, titles may only request personal data necessary to verify age or obtain parental consent.

Definitions
Address is any information that can identify a user's location to the level of city or town. This includes, but is not limited to, the following:

  • Physical address
  • Mailing address
  • Billing address
  • ZIP code
  • IP address or related information
  • Geographical location information

Implementation Guidance and Best Practices

Validate the user's age prior to creating accounts.

Before requesting additional data from a Microsoft account user, titles should validate the user's age. This is to ensure that the data collected conforms with global and regional regulations for children.

Tip

Titles check a user's age group by calling the XUserGetAgeGroup function.

At Microsoft, a child account is defined as any Microsoft account that’s affiliated with an adult Microsoft account when the age of the child or teen is less than the age of majority for their country or region. When this is the case, the child must be linked to an adult’s Microsoft account to participate in Xbox services.

When managing a family group member’s privacy and online safety, the Xbox console breaks the definition of child into two categories: Child and Teen. The actual ages that apply to these categories depend upon the country or region indicated in the child account. The category that will be assigned to the account is based upon the ranges set by the country and the date of birth provided during account creation.

Member Value Description
Adult 3 User is an adult.
Teen 2 User is a teen.
Child 1 User is a child.
Unknown 0 User age is unknown.

014-01 Personal Information

Test Steps

  1. Visit all areas of the title, including all possible Xbox multiplayer sessions.
  2. Visit all areas where content might be saved or otherwise sent across the Xbox network, or to a title server.

Expected Result
Titles must never display personal information about another user as detailed in the body of the XR.

Pass Examples

  1. The title displays and shares country of residence information with a user on another console.
  2. The title uses the user's IP address to define the user's general location (no more specific than state or country/region) and displays that location to other users on the leaderboards.

Fail Examples

  1. The title transmits and shares a user's personal information with users on other consoles. Examples: Email address, location (anything more specific than state/country/region), name, date of birth, profile passcode, secret question, password(s), credit card details.

014-02 Data Collection

Test Steps

  1. Launch the title using a Child or Teen account.
  2. Visit all areas of the title, including all possible single and Xbox multiplayer game modes.
  3. Check to see what data is being requested from the user.

Expected Result
Titles must not request data from a Child or Teen user beyond what is needed for age verification or to acquire parental consent (such as an email address for the parent).

Pass Examples

  1. The title does not request any data from the Child or Teen user.
  2. The title requests the birth date of the user and states that this is needed to verify age.
  3. The title requests an email address for a parent so they can provide parental consent.

Fail Examples

  1. The title asks for data that could be used for purposes other than verifying age or acquiring consent from a parent.
  2. The title does not state what the requested data is needed for, such as asking for a parent’s email address but not saying why.