Xbox Series X & S

Warning: *Privacy Not Included with this product

Microsoft
Wi-Fi

Review date: Nov. 1, 2023

Mozilla says

People voted: Somewhat creepy

Microsoft's powerful Xbox X series and the smaller, cheaper S series bring games to you through their hugely popular Xbox Game Pass or just the old-fashioned way of buying them or sharing them with your buddy. Games like Halo, Forza, Starfield, Madden, and Elden Ring will keep you plenty busy. Unfortunately, Microsoft's Xbox raised some serious privacy concerns in 2023 that make us worry.

What could happen if something goes wrong?

If you want to give yourself a headache, spend some time trying to decipher Microsoft's super complicated and confusing privacy policies. On the other hand, don't. We've tried to do it here for you, to the best of our ability. Microsoft's privacy policy covers pretty much all of its products, from Outlook to Windows to Skype, Edge, Xbox, and Minecraft. That's a lot of products to cover broadly with one privacy policy. So, good luck sorting everything out.

Here's what we can tell you from our read of Microsoft's privacy policy with regard to Xbox -- your privacy might not be included. The good news is, Microsoft says they don't sell your personal information. Yay! That's about where the good news ends though. Microsoft does say they can collect a good amount of data on you and your gaming habits. They go on to say they can go out and collect even more data on you from places like data brokers, social networks, partners, developers, and more and combine that data with data they have on you to do things like target you with more advertising or relevant products. That's not so good.

And here's the very bad when it comes to Xbox. The US Federal Trade Commission (FTC) filed a $20 million settlement against Microsoft in 2023 for alleged violations of the Children’s Online Privacy Protection Act. The problem is that Xbox was allegedly violating children's privacy by illegally collecting children's personal information when they signed up for Xbox services and failed to tell parents about the full amount of data collected on kids under 13. And then Microsoft likely kept some of this personal information for way longer than they should have. Violating children's privacy laws is pretty bad, especially for a video game console lots of children use daily.

So, to recap, while Microsoft Xbox does not sell your personal data, Microsoft says they will use your data to target you with ads on Microsoft properties. Microsoft also says they might share your data with partners like Facebook and Yahoo to collect data about your online activity for advertising purposes, and to place their own ads. Finally, Microsoft says they can combine data with third parties, such as data brokers. Also, be aware, some of the games you play on the Xbox that are made by other companies might be collecting and sharing your data and their privacy policies would apply to your personal information. So many freakin’ privacy policies to just play games. All that, and Microsoft was required to cough up $20 million in 2023 for violating children's privacy laws.

What's the worst that could happen while playing Call of Duty on your Xbox? Well, Microsoft is going to know lots about what kinds of video games you play and when you play them. That info is then going to be used to target you with ads for lots more video game stuff. And that stuff all gets expensive. So, be prepared to go into the poor house by not being able to resist all those ads you get. That's absolutely not the worst thing that could happen, but it's certainly something that is happening. Oh, and if you don't want to get hacked and have someone log into your Xbox account and buy a bunch of games at your expense, don't forget to set up two-factor authentication.

Tips to protect yourself

  • Check out safety settings in Xbox
  • Opt out of optional data sharing
  • Set up two-factor authentication on your Xbox account immediately
  • Read Xbox's Responsible Gaming guide for safety tips
  • Go into Profile & system > Settings > Account > Privacy & online safety > Xbox privacy and adjust your privacy settings to your comfort level
  • Do not sign up with third-party accounts. Better to just log in with an email and a strong password.
  • Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless necessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (e.g., on iPhone go to Privacy -> Advertising -> Limit ad tracking) and the biggest ad networks (for Google, go to your Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
  • When starting a sign-up, do not agree to tracking of your data if possible.

Can it snoop on me?

Camera

Device: No

App: Yes

Microphone

Device: No

App: Yes

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for combining personal data from users with data from data brokers and other third parties, and using it for targeted advertising.

Microsoft Privacy Statement

"We also obtain data from third parties. We protect data obtained from third parties according to the practices described in this statement, plus any additional restrictions imposed by the source of the data. These third-party sources vary over time and include:

Data brokers from which we purchase demographic data to supplement the data we collect.
Services that make user-generated content from their service available to others, such as local business reviews or public social media posts.
Communication services, including email providers and social networks, when you give us permission to access your data on such third-party services or networks.
Service providers that help us determine your device’s location.
Partners with which we offer co-branded services or engage in joint marketing activities.
Developers who create experiences through or for Microsoft products.
Third parties that deliver experiences through Microsoft products.
Publicly-available sources, such as open public sector, academic, and commercial data sets and other data sources."

"Microsoft uses the data we collect to provide you with rich, interactive experiences. In particular, we use data to:
<...>
Advertise and market to you, which includes sending promotional communications, targeting advertising, and presenting you with relevant offers."

U.S. State Data Privacy

"Sale. We do not sell your personal data. So, we do not offer an opt-out to the sale of personal data.
Share. We may “share” your personal data, as defined under California and other applicable U.S. state laws, for personalized advertising purposes. As noted in our Advertising section, we do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 18 years of age."

Microsoft Privacy Statement Xbox Section

"When you sign up for an Xbox profile, we assign you a gamertag (a public nickname) and a unique identifier. When you sign in on Xbox devices, apps, and services, the data we collect about your use is stored using these unique identifier(s).

Xbox consoles are devices you can use to find and play games, movies, music, and other digital entertainment. When you sign in to Xbox experiences—in apps or on a console—we also assign a unique identifier to your device. When your Xbox console is connected to the internet, for instance, and you sign in to the console, we identify which console and which version of the console’s operating system you’re using."

"Data we collect about your use of Xbox services, games, apps, and consoles includes:

When you sign in and sign out of Xbox, any purchases you make, and content you obtain.
Which games you play and apps you use, your game progress, achievements, play time per game, and other play statistics.
Performance data about Xbox consoles, Xbox Game Pass and other Xbox apps, the Xbox network, connected accessories, and your network connection, including any software or hardware errors.
Content you add, upload, or share through the Xbox network, including text, pictures, and video you capture in games and apps.
Social activity, including chat data and interactions with other gamers, and connections you make (friends you add and people who follow you) on the Xbox network."

"Xbox data shared with third parties including game and apps publishers. When you use an Xbox online game or any network-connected app on your Xbox console, PC, or mobile device, the publisher of that game or app has access to data about your usage to help the publisher deliver, support, and improve its product. This data may include: your Xbox user identifier, gamertag, limited account info such as country and age range, data about your in-game communications, any Xbox enforcement activity, game-play sessions (for example, moves made in-game, types of vehicles used in-game), your presence on the Xbox network, the time you spend playing the game or app, rankings, statistics, gamer profiles, avatars, or gamerpics, friends lists, activity feeds for official clubs you belong to, official club memberships, and any content you create or submit in the game or app.

Third-party publishers and developers of games and apps have their own distinct and independent relationship with users and their collection and usage of personal data is subject to their specific privacy policies. You should carefully review their policies to determine how they use the data."

"To stop sharing game or app data with a publisher, remove its games or app from all devices where you have installed them"

"Safety. In order to help make the Xbox network a safe gaming environment and enforce the Community Standards for Xbox, we may collect and review voice, text, images, videos and in-game content (such as game clips you upload, conversations you have, and things you post in clubs and games)."

How can you control your data?

We ding this product because it is unclear if all users, regardless of location, may get their data deleted.

Microsoft Privacy Statement

"Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types, the context of our interactions with you or your use of products, actual retention periods can vary significantly.

Other criteria used to determine the retention periods include:

Do customers provide, create, or maintain the data with the expectation we will retain it until they affirmatively remove it? Examples include a document you store in OneDrive, or an email message you keep in your Outlook.com inbox. In such cases, we would aim to maintain the data until you actively delete it, such as by moving an email from your Outlook.com inbox to the Deleted Items folder, and then emptying that folder (when your Deleted Items folder is emptied, those emptied items remain in our system for up to 30 days before final deletion). (Note that there may be other reasons why the data has to be deleted sooner, for example if you exceed limits on how much data can be stored in your account.)
Is there an automated control, such as in the Microsoft privacy dashboard, that enables the customer to access and delete the personal data at any time? If there is not, a shortened data retention time will generally be adopted.
Is the personal data of a sensitive type? If so, a shortened retention time would generally be adopted.
Has Microsoft adopted and announced a specific retention period for a certain data type? For example, for Bing search queries, we de-identify stored queries by removing the entirety of the IP address after 6 months, and cookie IDs and other cross-session identifiers that are used to identify a particular account or device after 18 months.
Has the user provided consent for a longer retention period? If so, we will retain data in accordance with your consent.
Is Microsoft subject to a legal, contractual, or similar obligation to retain or delete the data? Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation, or data retained for the purposes of litigation. Conversely, if we are required by law to remove unlawful content, we will do so."

You can manage your data via the Microsoft Privacy dashboard. https://account.microsoft.com/account/

What is the company’s known track record of protecting users’ data?

Bad

In September 2023, 38TB of data were accidentally exposed by Microsoft AI researchers.

In September 2023, 60,000 emails were stolen from 10 State Department accounts.

In July 2023, Microsoft publicly disclosed that a group of Chinese hackers had spied on U.S. government agencies via a vulnerability in Microsoft’s cloud services.

In June 2023, it was decided that Microsoft would pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.

In 2022, a Microsoft server misconfiguration led to a data leak affecting 65,000+ companies.

Microsoft suffered a major hack that left their Microsoft Exchange email service vulnerable and exploited. That hack didn’t affect the privacy of the Xbox directly.

In December 2019, 250 million Microsoft internal customer service and support logs were exposed online.

Child Privacy Information

"For users under the age of 13 or as specified by law in their jurisdiction, certain Microsoft products and services will either block users under that age or will ask them to obtain consent or authorization from a parent or guardian before they can use it, including when creating an account to access Microsoft services. We will not knowingly ask children under that age to provide more data than is required to provide for the product.

Once parental consent or authorization is granted, the child's account is treated much like any other account."

"Below is additional information about the collection of data from children, including more details as related to Xbox.
Accessing and deleting child data. For Microsoft products and services that require parental consent, a parent can view and delete certain data belonging to their child from the parent’s privacy dashboard: browsing history, search history, location activity, media activity, apps and service activity, and product and service performance data. To delete this data, a parent can sign in to their privacy dashboard and manage their child’s activities. Please note that a parent’s ability to access and/or delete a child’s personal information on their privacy dashboard will vary depending on the laws where you are located.

Additionally, a parent can contact our privacy support team through the privacy support form and, following authentication, request that the data types on the privacy dashboard together with the following data be deleted: software, setup, and inventory; device connectivity and configuration; feedback and ratings; fitness and activity; support content; support interactions; and environmental sensor. We process authenticated deletion requests within 30 days of receipt.

Please note that content like emails, contacts, and chats are accessible through in-product experiences. ...

If your child’s account is not a part of your Microsoft family group and you do not have access to your child’s activity on your privacy dashboard, then you need to submit a request related to your child’s data through the privacy support form. The privacy team will ask for account verification before fulfilling the request.

To delete all of your child’s personal information, you must request deletion of the child’s account through the close your account form. This link will prompt you to sign in with your child’s account credentials. Check that the page shows the correct Microsoft account, and then follow the instructions to request that your child’s account be deleted. Learn more about how to close a Microsoft account.

After you submit the request to close your child’s account, we will wait 60 days before permanently deleting the account in case you change your mind or need to access something on the account before it is permanently closed and deleted. During the waiting period, the account is marked for closure and permanent deletion, but it still exists. If you want to reopen your child’s Microsoft account, just sign in again within that 60-day period. We will cancel the account closure, and the account will be reinstated....

When users sign in to Xbox, in apps, games or on an Xbox console, we assign a unique identifier to their device. For instance, when their Xbox console is connected to the internet and they sign in to the console, we identify which console and which version of the console’s operating system they are using.

Xbox continues to provide new experiences in client apps that are connected to and backed by services such as Xbox network and cloud gaming. When signed in to an Xbox experience, we collect required data to help keep these experiences safe, secure, up to date, and performing as expected.

Data we collect when you create an Xbox profile. You as the parent or guardian are required to consent to the collection of personal data from a child under 13 years old or as otherwise specified by your jurisdiction. With your permission, your child can have an Xbox profile and use the online Xbox network. During the child Xbox profile creation, you will sign in with your own Microsoft account to verify that you are an adult organizer in your Microsoft family group. We collect an alternate email address or phone number to boost account security. If your child needs help accessing their account, they will be able to use one of these alternates to validate they own the Microsoft account.

We collect limited information about children, including name, birthdate, email address, and region. When you sign your child up for an Xbox profile, they get a gamertag (a public nickname) and a unique identifier. When you create your child’s Xbox profile you consent to Microsoft collecting, using, and sharing information based on their privacy and communication settings on the Xbox online network. Your child’s privacy and communication settings are defaulted to the most restrictive.

Data we collect. We collect information about your child’s use of Xbox services, games, apps, and devices including:
When they sign in and sign out of Xbox, purchase history, and content they obtain.
Which games they play and apps they use, their game progress, achievements, play time per game, and other play statistics.
Performance data about Xbox consoles, Xbox Game Pass and other Xbox apps, the Xbox network, connected accessories, and network connection, including any software or hardware errors.
Content they add, upload, or share through the Xbox network, including text, pictures, and video they capture in games and apps.
Social activity, including chat data and interactions with other gamers, and connections they make (friends they add and people who follow them) on the Xbox network.

If your child uses an Xbox console or Xbox app on another device capable of accessing the Xbox network, and that device includes a storage device (hard drive or memory unit), usage data will be stored on the storage device and sent to Microsoft the next time they sign in to Xbox, even if they have been playing offline....

Game captures. Any player in a multiplayer game session can record video (game clips) and capture screenshots of their view of the game play. Other players’ game clips and screenshots can capture your child’s in-game character and gamertag during that session. If a player captures game clips and screenshots on a PC, the resulting game clips might also capture audio chat if your child’s privacy and communication settings on the Xbox online network allow it.

Captioning. During Xbox real-time (“party”) chat, players may activate a voice-to-text feature that lets them view that chat as text. If a player activates this feature, Microsoft uses the resulting text data to provide captioning of chat for players who need it. This data may also be used to provide a safe gaming environment and enforce the Community Standards for Xbox.

Data use. Microsoft uses the data we collect to improve gaming products and experiences— making it safer and more fun over time. Data we collect also enables us to provide your child with curated experiences. This includes connecting them to games, content, services, and recommendations.

Xbox data viewable by others. When your child is using the Xbox network, their online presence (which can be set to “appear offline” or “blocked”), gamertag, game play statistics, and achievements are visible to other players on the network. Depending on how you set your child’s Xbox safety settings, they might share information when playing or communicating with others on the Xbox network.

Safety. In order to help make the Xbox network a safe gaming environment and enforce the Community Standards for Xbox, we may collect and review voice, text, images, videos and in-game content (such as game clips your child uploads, conversations they have, and things they post in clubs and games).

Anti-cheat and fraud prevention. Providing a fair gameplay environment is important to us. We prohibit cheating, hacking, account stealing, and any other unauthorized or fraudulent activity when your child uses an Xbox online game or any network-connected app on their Xbox console, PC, or mobile device. In order to detect and prevent fraud and cheating, we may use anti-cheat and fraud prevention tools, applications, and other technologies. Such technologies may create digital signatures (known as “hashes”) using certain information collected from their Xbox console, PC, or mobile device, and how they use that device. This can include information about the browser, device, activities, game identifiers, and operating system.

Xbox data shared with game and apps publishers. When your child uses an Xbox online game or any network-connected app on their Xbox console, PC, or mobile device, the publisher of that game or app has access to data about their usage to help the publisher deliver, support, and improve its product. This data may include: your child’s Xbox user identifier, gamertag, limited account info such as country and age range, data about your child’s in-game communications, any Xbox enforcement activity, game-play sessions (for example, moves made in-game or types of vehicles used in-game), your child’s presence on the Xbox network, the time they spend playing the game or app, rankings, statistics, gamer profiles, avatars, or gamerpics, friends lists, activity feeds for official clubs they belong to, official club memberships, and any content they create or submit in the game or app.

Third-party publishers and developers of games and apps have their own distinct and independent relationship with users and their collection and usage of personal data is subject to their specific privacy policies. You should carefully review their policies to determine how they use your child’s data. For example, publishers may choose to disclose or display game data (such as on leaderboards) through their own services. You may find their policies linked from the game or app detail pages in our stores.

Can this product be used offline?

No

User-friendly privacy information?

No

Microsoft has one broad, general privacy statement that covers all of its products. This makes it very hard to find Xbox-specific info in the general Microsoft privacy statement. Microsoft's privacy policy is also quite confusing and hard to follow.

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

Privacy policy

Yes

Does the product use AI?

Yes

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

The Xbox Series X & S utilizes AI for automatically adjusting the color and contrast of images on the screen.

Is the company transparent about how the AI works?

Yes

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

  • The Microsoft Xbox Live settlement: What it means for your child’s privacy
    FTC Consumer Advice
  • $20 million FTC settlement addresses Microsoft Xbox illegal collection of kids’ data: A game changer for COPPA compliance
    Federal Trade Commission
  • Microsoft to pay $20 million to settle Xbox Live privacy allegations
    CNN Business
  • FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent
    Federal Trade Commission
  • Chinese Hackers Breached Government Email Accounts, Microsoft Says
    The New York Times
  • Chinese hackers stole emails from US State Dept in Microsoft breach, Senate staffer says
    Reuters
  • 38TB of data accidentally exposed by Microsoft AI researchers
    Wiz
  • How to Manage PlayStation, Switch, and Xbox Privacy Settings
    New York Times
  • PS5 vs. Xbox Series X: Security and Privacy Features Compared
    IGN
  • Microsoft Security Shocker As 250 Million Customer Records Exposed Online
    Forbes
  • Xbox Series X ushers in a fantastic change Microsoft hadn’t announced until now
