XR-014: Player Data and Personal Information *

Version 1.1, 9/1/2020

Titles must not request, store, or transmit any user's personal information (common examples include name, email, address, gender, financial information) outside of information provided by Xbox. Storage and transmission of any player information obtained from Xbox must be done securely. For more information on console network security best practices read Communication Security Overview.

For titles which support account linking, username/email and publisher account service password may be requested for the purpose of signing into a game's service account.

When a title has information about a player, either from Xbox or their relationship with the player directly (such as a website or mobile app), titles must not display to other players:

  • Information that could be used to cause financial damage to a user (such as Social Security or credit card numbers)
  • Information that divulges a user's address beyond country/region
  • Information that would allow a user to impersonate another user online, such as account credentials

More Information

Address is any information that can identify a user's location to the level of city or town. This includes, but is not limited to, the following:

  • Physical address
  • Mailing address
  • Billing address
  • ZIP code
  • IP address or related information
  • Geographical location information

Personal Information Transfer and Storage Requirements

Any transfer of player information must be done securely. For more information on console network security best practices, read Communication Security Overview.

Due to privacy requirements, personally identifiable data that is obtained from Xbox Live services and is stored in title databases must be encrypted. If your title uses a custom service to store title data, this requirement applies to that service.

The most common information that falls in this category is the Xbox User Identifier (XUID) and the Device ID. Any title database that contains either the XUID or the Device ID must be encrypted with AES-256. Secure hashing of ID values is not sufficiently secure and is not permitted.
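
As an added example (not code from this XR or from Xbox), the following Go helper shows how a title's own database layer could store the XUID under AES-256-GCM rather than a hash: it refuses any key that is not 32 bytes, uses a fresh nonce per row, and binds the ciphertext to its column so a value moved elsewhere will not decrypt. The column name, the demo key and the sample XUID are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Column name bound in as GCM additional data, so a blob moved to another column fails to open.
const xuidColumn = "player.xuid"
// newGCM builds an AES-256-GCM AEAD; aes.NewCipher would otherwise silently accept AES-128/192 keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: length already checked
	return cipher.NewGCM(block)
}

// EncryptXUID seals a XUID (decimal string) as nonce || ciphertext || tag with a random nonce per row.
func EncryptXUID(key []byte, xuid string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(xuid), []byte(xuidColumn)), nil
}

// DecryptXUID reverses EncryptXUID; a wrong key, a truncated blob or any tampering is an error.
func DecryptXUID(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key or truncated blob: %v", err)
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(xuidColumn))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; a real title fetches it from a key service
	blob, _ := EncryptXUID(key, "2533274790395904")  // constructed sample XUID
	fmt.Println(DecryptXUID(key, blob))
}
```

The key must be held outside the database (a key service or HSM); a key stored beside the table protects nothing that a copy of the database does not already expose.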

Exemptions

Fitness-focused titles that require a user's height, weight, age, and gender to provide more targeted and accurate results are allowed to request and store the information as long as the data is stored only in the user's connected storage and accessed through the ConnectedStorage* classes in the Windows.Xbox.Storage namespace.

Account linking of login and password information related to the title is acceptable.

Additional Resources

Certification Test Cases

014-01 Personal Information

Test Steps

  1. Boot the title.
  2. Visit all areas of the title, including all possible Xbox multiplayer sessions.
  3. Visit all areas where content might be saved or otherwise sent across the Xbox network, or to a title server.
  4. Verify that the title does not request any personal information of the type detailed in the Remarks section of this XR at any point.

Expected Result

A title must never request any personal information from a user. However, this does not cover all possible failure scenarios in their entirety. When titles are in Certification, they will be inspected and this requirement checked in any other area where it seems possible that a violation could occur. Some situations where this could occur include:

  • Titles that save online game sessions to a storage device. Sensitive information such as name, email, address, gender, financial information, PUIDs/XUIDs must not be stored.
  • Server-based titles where user information could potentially be transmitted and stored on a remote server.

Pass Examples

  1. The title displays and shares country of residence information with a user on another console.
  2. A fitness-focused title requests the user's height, weight, age, and/or gender. The information is stored locally and not transmitted externally.
  3. The title uses the user's IP address to define the user's general location (no more specific than state or country/region) and displays that location to other users on the leaderboards.
  4. The title requests login information for the purposes of account linking with a related community site.

Fail Examples

  1. The title requests that the user enter personal information. Examples: real name, email address, date of birth, profile passcode, secret question, password, credit card details, and so on.
  2. The title transmits and shares the user's personal information with a user on another console.
  3. The title accesses sensitive personal data, such as a profile passcode, secret question, password(s), or credit card details, and presents that information on the screen (same console).
  4. The title transmits and shares personal information with a user on another console. Examples: Email address, location (anything more specific than state/country/region), name, date of birth, profile passcode, secret question, password(s), credit card details.