XR-014: Player Data and Personal Information *

Version 2.2, 03/01/2025

Game publishers are solely responsible for collecting and processing end user data in accordance with applicable law, especially when the user is a child.

Additionally, when a title has information about a player either acquired from Xbox or from their relationship with the player directly (such as a website or mobile app), titles must not display to other players:

  • Information that could be used to cause financial damage to a user (such as Social Security or credit card numbers).
  • Information that divulges a user's address beyond country/region.
  • Information that would allow a user to impersonate another user online, such as account credentials.

Handling Child Data

When collecting data from accounts in the Child or Teen Age Group, titles may only request personal data necessary to verify age, obtain parental consent or complete publisher account linking.

Important

The request for data must state what the data will be used for. For example, if a title asks for a user's birthdate it must state what the birthdate will be used for:

Good Examples:

  • Please provide your birthdate so we can verify your age
  • Please provide your birthdate so we can personalize your experience
  • We need your birthdate to offer age-appropriate content
  • We need your birthdate to comply with legal age restrictions

Bad Examples:

  • Please provide your birthdate
  • Enter your birthdate
  • We need your birthdate
  • Birthdate required

Definitions

Address is any information that can identify a user's location to the level of city or town. This includes, but is not limited to, the following:

  • Physical address
  • Mailing address
  • Billing address
  • ZIP code
  • IP address or related information
  • Geographical location information

Implementation Guidance and Best Practices

Validate the user's age prior to creating accounts.

Before requesting additional data from a Microsoft account user, titles should validate the user's age. This is to ensure that the data collected conforms with global and regional regulations for children.

Tip

Titles check a user's age group by calling the XUserGetAgeGroup function.

At Microsoft, a child account is defined as any Microsoft account that’s affiliated with an adult Microsoft account when the age of the child or teen is less than the age of majority for their country or region. When this is the case, the child must be linked to an adult’s Microsoft account to participate in Xbox services.

When managing a family group member’s privacy and online safety, the Xbox console breaks the definition of child into two categories: Child and Teen. The actual ages that apply to these categories depend upon the country or region indicated in the child account. The category that will be assigned to the account is based upon the ranges set by the country and the date of birth provided during account creation.

Member    Value    Description
Adult     3        User is an adult.
Teen      2        User is a teen.
Child     1        User is a child.
Unknown   0        User age is unknown.
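
One way to gate a data prompt on the age group before it is shown, as an added example that is not Microsoft's code. The enum is a local stand-in for the value a title would read with XUserGetAgeGroup, the field and purpose names and the function xr014_check_request are hypothetical, and treating Unknown like a minor is an assumption of the example.

```c
#include <stddef.h>

/* Stand-in for the age-group values in the table above. A real title reads
   this with XUserGetAgeGroup; the GDK is not used here so the file runs offline. */
typedef enum { AGE_UNKNOWN = 0, AGE_CHILD = 1, AGE_TEEN = 2, AGE_ADULT = 3 } AgeGroup;

/* Hypothetical identifiers invented for this example. */
typedef enum { F_BIRTHDATE, F_PARENT_EMAIL, F_USER_EMAIL, F_POSTAL_ADDRESS } Field;
typedef enum { P_AGE_VERIFICATION, P_PARENTAL_CONSENT, P_ACCOUNT_LINKING, P_OTHER } Purpose;
typedef enum { ALLOW, DENY_NOT_NEEDED, DENY_NO_STATED_USE } Decision;

typedef struct {
    Field field;
    Purpose purpose;
    const char *stated_use; /* text shown with the prompt, e.g. "so we can verify your age" */
} DataRequest;

/* Is this field one that the given permitted purpose actually needs? */
static int field_fits_purpose(Field f, Purpose p) {
    switch (p) {
    case P_AGE_VERIFICATION: return f == F_BIRTHDATE;
    case P_PARENTAL_CONSENT: return f == F_PARENT_EMAIL;
    case P_ACCOUNT_LINKING:  return f == F_PARENT_EMAIL || f == F_USER_EMAIL;
    default:                 return 0; /* any other purpose is out of scope for minors */
    }
}

/* Gate a data prompt before it is shown to the user. */
Decision xr014_check_request(AgeGroup age, const DataRequest *req) {
    /* The Child/Teen limits do not apply to adults. Treating AGE_UNKNOWN
       like a minor is this example's assumption, not a rule from the XR. */
    if (age == AGE_ADULT) return ALLOW;
    if (!field_fits_purpose(req->field, req->purpose)) return DENY_NOT_NEEDED;
    if (req->stated_use == NULL || req->stated_use[0] == '\0') return DENY_NO_STATED_USE;
    return ALLOW;
}

int main(void) {
    /* Constructed sample: a birthdate prompt with no stated use, shown to a Teen. */
    DataRequest bare = { F_BIRTHDATE, P_AGE_VERIFICATION, "" };
    return xr014_check_request(AGE_TEEN, &bare) == DENY_NO_STATED_USE ? 0 : 1;
}
```

The three outcomes map onto the 014-02 pass and fail examples: a permitted field with a stated use passes, a permitted field without one fails, and any field outside the three purposes fails.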

Certification Test Cases

014-01 Personal Information

Test Steps

  1. Visit all areas of the title, including all possible Xbox multiplayer sessions.
  2. Visit all areas where content might be saved or otherwise sent across the Xbox network, or to a title server.

Expected Result
Titles must never display personal information about another user as detailed in the body of the XR.

Pass Examples

  1. The title displays and shares country of residence information with a user on another console.
  2. The title uses the user's IP address to define the user's general location (no more specific than state or country/region) and displays that location to other users on the leaderboards.

Fail Examples

  1. The title transmits and shares a user's personal information with users on other consoles. Examples: Email address, location (anything more specific than state/country/region), name, date of birth, profile passcode, secret question, password(s), credit card details.

014-02 Data Collection

Test Steps

  1. Launch the title using a Child or Teen account.
  2. Visit all areas of the title, including all possible single and Xbox multiplayer game modes.
  3. Check to see what data is being requested from the user.

Expected Result
Titles must not request data from a Child or Teen user beyond what is needed for:

  • Age verification
  • Acquiring parental consent (such as an email address for the parent)
  • Publisher account linking (such as an email address for the Parent, Child or Teen user)

Pass Examples

  1. The title does not request any data from the Child or Teen user.
  2. The title requests the birth date of the user and states what the data will be used for.
  3. The title requests an email address for a parent and states what the data will be used for.
  4. The title requests an email address for account linking and states what the data will be used for.

Fail Examples

  1. The title asks for data that could be used for purposes other than verifying age, acquiring parental consent or publisher account linking.
  2. The title requests the birth date of the user and does not state what the data will be used for.
  3. The title requests an email address for a parent and does not state what the data will be used for.
  4. The title requests an email address for account linking and does not state what the data will be used for.