Electronic Arts Responds

Following email inquiries and perhaps as a result of my article last week Invasion of Privacy Policy?, Electronic Arts' Privacy Policy Administration has responded to my questions regarding their access to sensitive customer information originally submitted to Xbox Live. I will post the entirety of the response below; it is fairly substantive and offers a far clearer description as to what information EA is gaining access to when you create an EA account through an Xbox Live game. They do retrieve information from Microsoft such as email, name, and general age, but they are not retrieving your credit card information, or phone number. This addresses the most serious of my concerns, and it is nice to have a clearer statement from Electronic Arts as to what customer information they have access to, and how they are protecting that information.

Additionally, Electronic Arts intends to take steps to "clarify these points in a future update" of their Privacy Policy. I appreciate the detailed response, and am happy to pass it along.

I have pasted the full text of the response below without further editorial.

Dear Mr. Sands,

We have received your email of August 9th. Our apologies on a delayed correspondence prior to your posting on the internet, but we wanted to have complete and accurate answers to all of your questions before responding. Here are clarifications to your inquiries and we hope that you will pass this along to your readers.

EA does not receive credit card information from Microsoft when an EA Account is created or products are purchased through the Xbox Live Arcade. In order to establish an Xbox account, Microsoft does provide EA email, postal address, age and gender. (We don't actually receive your true date of birth from Microsoft – only your age which our system approximates to a date.) We do not, however, receive phone number, mobile number or credit card information, etc. from Microsoft.

EA maintains all customer information using appropriate safeguards to ensure the security, integrity, accuracy and privacy of the information provided. Personal information is never provided to any third-party without the accountholder's consent. Should we receive consent, the information provided may be shared with one of our promotional partners but we do not maintain a list simply for the purpose of sale to any party who requests it. We are very selective and sharing information to key licensors and service providers. Customer's can always opt-out of sharing their personal information with third parties and may modify this information at any time either by accessing their "My Account" page or by sending an email to privacy_policy.ea.com.

We believe this confusion was caused by an unintentional association of our discussion terms specific to Xbox in close proximity to those that apply more generally. The section you identified in your message, http://www.ea.com/global/legal/priva..., is titled "What is personal information and when does EA collect it?" and was written to address all forms of information EA collects in all possible circumstances. Not all forms of information collection are combined and most operate through completely unrelated and non-interacting operating systems. As an editor, I'm sure that you can understand how this confusion could occur. Please be assured that we will take steps to clarify these points with a future update and thank you for bringing this to our attention.

Sincerely,
PRIVACY POLICY ADMINISTRATION

- Elysium

Comments

I don't understand why they need our address If it's for technical reasons - say putting us on the right server - wouldn't just a country/state be appropriate?

Not trying to start a flamewar, just to understand.

I too sent an email on the 17th and received the same exact response. I don't know what you wrote to them but I took this from DQ.

I am contacting you because I have some concerns about the EA Privacy Policy and would like clarification. I would appreciate it if you would answer the following questions:

1) The Privacy Policy states that information transferred to EA from an Xbox Live profile "may" include credit card information. Has this credit card information been collected in the past from transferred Xbox Live profiles, and is it taking place currently?
2) Must a customer who wants to play EA games via Xbox Live allow their credit card information to be gathered in this manner?
3) If this credit card information is not being collected, will the Privacy Policy be changed to reflect this?
4) The Privacy Policy also mentions that "click paths" may be collected. What does that mean?
5) The Privacy Policy states that demographic information and personal information may be combined. Has this data combining taken place in the past, and is it taking place currently?
6) If I don't want my demographic information connected to me personally, what can I do?

Thank you and I look forward to your response.

I hope they are telling the truth.

Let's cut through the fancy talk, shall we?

EA wrote:

We do not, however, receive phone number, mobile number or credit card information, etc. from Microsoft.

Bravo.

Personal information is never provided to any third-party without the accountholder's consent.

Consent which you must provide to play their games online. I see nothing intrinsic about "playing online" requiring "consent to receive marketing junkmail." However, this will never change without legislation.

We are very selective and sharing information to key licensors and service providers.

EA doesn't sell to porn sites. Of course, there is nothing preventing EA's "promotional partners" from doing that once they get the information. Once it's out there, there is no control over where it ends up.

It's nice to see that they responded, cordially, and with good news. It is unfortunate that it took a public posting of the matter on a respectable website to earn that response.

Took them long enough to respond.

I will wait until their new and improved policy comes out before making any final decisions on EA.

I also wonder why the heck they need someone's postal address? Seems a bit much.

souldaddy wrote:
We are very selective and sharing information to key licensors and service providers.

EA doesn't sell to porn sites. Of course, there is nothing preventing EA's "promotional partners" from doing that once they get the information. Once it's out there, there is no control over where it ends up.

My thoughts exactly - if they are going to share the information I'd like to see the privacy policy of the institutions they're sharing with first. They may be legit, but are they going to share it with their 3rd party partners (4th party organizations?!) etc. ad.inf.

Given a long enough chain of this kind you just know there's gonna be a screw-up along it at some point.

Either way I'm not going to stop playing Burnout. I just ask that they include my Takedown! record along with my credit card info.

Mr. Richthofen card number xxxx-xxxx-xxxx-1234, expires 02/08, 7428 takedowns. I want them to be impressed if they rip me off.

I for one am somewhat mollified. Still unhappy at the loopholes their leaving open for sharing our information, but it is nice to know they aren't collecting CC# information.

Prepare to be slashdotted in 5... 4... 3... 2...

Gaald wrote:

I also wonder why the heck they need someone's postal address? Seems a bit much.

The postal address is so they can sell the info to "partner companies"...read; marketers. We can't end dead tree junk mail because of nonsense like this. EA makes a fair amount of profit by selling user data.

The most recent PC gamer Podcast mentioned the orginal article by Elysium that got this response from EA.

Hey Ely, GWJ made the Dallas Morning News, when the quoted EA's response to you. I'll scan the newslet in and mail you the original.

Shhh don't tell him or the escapist will try to get him to sell out too and we'll lose all our reporting on gwj!

http://www.dallasnews.com/sharedcont...

Dallas Morning News wrote:

EA plays nice

Electronic Arts also made some news in the last couple of weeks with controversial wording in its Xbox Live user agreement that stated the company reserves the right to collect credit card info from Xbox Live online gamers. But EA clarified the issue to GamersWithJobs.com and promised to rectify the ominous-sounding passage in the agreement. "EA does not receive credit card information from Microsoft when an EA account is created or products are purchased through the Xbox Live Arcade," the company told the site. "Please be assured that we will take steps to clarify these points with a future update, and thank you for bringing this to our attention."

I am pleased that after a year of plenty of sites asking for clarification on this point we were able to get the issue a response and some exposure.

I'll scan the newslet in and mail you the original.

Thanks very much, I'd like that.

duckideva wrote:

Hey Ely, GWJ made the Dallas Morning News, when the quoted EA's response to you. I'll scan the newslet in and mail you the original.

That is... very surprising. This is probably the best we could hope for. I doubt a boycott would do anything to a company like EA which looks at us as a drop in the bucket at that. I kinda laughed when Madden came out and we ran to buy it (I would have done the same thing if I were a huge football fan, no negativity from me!) A flame war would probably fail considering the level-headed group we have here. Publicity is probably the best thing we could hope for and it suggests that GWJ's influence is growing. Bravo.

I think the great thing is, from what I saw, we(ok, Elysium) got a response where other sites didn't. As far as I know, we were first. I think that is a more telling testament to GWJ's growth and journalistic integrity than # of members any day.

Nice work, Ely.

Here ya go darlin. For the mailing...I have the return address from when the lovely Mrs. Ely did my logo design...is that the new house? If not, please pm or email me your current mailing address and I'll pop the newspaper in the mail to you.

IMAGE(http://img126.imageshack.us/img126/9859/gwjscanga1.th.jpg)

I've found out that EA are publishing Team Fortress 2 for the 360.

Anyone else got any concerns about buying an EA product? I'm tempted to write to them and ask them not to use my details for marketing purposes (which I believe I'm entitled to do under UK law).

Or I could just buy the Steam version, except I know so few people in the UK that play it.

I'd be surprised if the game ran on EA servers. Far as I know, they're just handling distribution.

I hadn't thought of that. I'll poke around.

This is from EA's latest privacy statement:

Xbox
If you sign up to play EA games through Microsoft's Xbox LIVE Service, Microsoft will provide your Xbox LIVE user account information to EA so that we can establish an EA Online account for you. You need an EA Online account to play EA's Xbox LIVE titles. By signing up to play EA's Xbox LIVE titles, you agree that Microsoft can transfer your user account information to EA. Information transferred from Microsoft to EA includes your name, address, e-mail address and date of birth but does not include credit card number or other financial account information.

That sucks... how can they just give out your address and date of birth?

Because they're tricksy, that's why.

I'm making a stand. I've sent them a letter telling them to stop processing my information for direct marketing purposes. It was a template from the Information Comissioner's Office. I believe they have to comply.

And if they don't comply?

Well, I'll probably capitulate. But I'll be living life on one knee, rather than two.

The question is that if they don't respond (which might be quite likely) how will you ever know?

They have to sign for the letter. Once I know they've recieved it, I'll give them 28 days or so to respond.

'I'll give them'. As if I could actually do anything to EA.

Well if you decide to try and do anything to them, i got your back

1Dgaf wrote:

I'll give them 28 days

I know what happens 28 days later!

How they can do that is the other half of the first article I wrote on the topic. My criticism began with EA and their questionable privacy policy - which, I have to admit, was changed as they promised - but the other half of the problem is with Microsoft who says in their privacy policy that they reserve the right to do exactly this kind of stuff. From them I heard nothing. The quote I referenced in the first article was: Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.

That article is here: http://www.gamerswithjobs.com/node/2...

Yeah, i understand that they reserve the right.... but isn't that illegal? I mean, there's a big difference between reserving the right to refuse admission or services but to share your IP, your information without consultation or solicitation or reimbursement?

I'm not sure the courts would find in favour of the corporation. Moving into increasingly involved systems of identifying who we are means that our personal identity is worth much more - to have companies being allowed to do that with our information in what amounts to dredging for marketing information on their terms and at their discretion just doesn't cut it anymore.

[edit]

I could possibly understand if this service was free.... but it's not. We're paying for it. We pay for Live! We pay for the game. Why should we subsidise them even more by allowing them our statistical information that benefits them, not us, and exposes us to identity fraud and other problems such as spam and profiling.

Information transferred from Microsoft to EA includes your name, address, e-mail address and date of birth but does not include credit card number or other financial account information.

If it was just email and name then it would be fine but all of your personal details can be derived from the above information. SSN (NI), mother's maiden name - family details, phone numbers and from there bank details and other such things. They are all freely available to corporations that have the money to buy or 'agreements' to share them. We need to start making a stand since they don't and certainly can't guarantee the safety of our information and we've only just recently seen that corporations don't care if they get hacked and consumers details are leaked or stolen. They don't care - therefore they don't protect us.... therefore they have no right to that information.