The Federal Trade Commission (FTC) recently reminded companies why record retention policies are important, especially when they are required to comply with the Children’s Online Privacy Protection Act (COPPA). In a blog post titled “Under COPPA, data deletion isn’t just a good idea. It’s the law,” the FTC explained that COPPA’s requirement to obtain parental consent before collecting personal information from children under 13 years old is only the first part of COPPA compliance. Entities covered by COPPA must also give parents the opportunity to review and delete their children’s information, and must have measures in place to delete children’s personal information when it is no longer reasonably necessary to fulfill the purpose for which it was collected.
It is this latter point that the FTC felt warranted reinforcing in the blog entry. Section 312.10 of the COPPA Rule states the limitation on retaining a child’s personal information. The FTC explains that this means even when a parent does not ask, a company must delete any data collected from a child under the age of 13 when the service that child was using becomes inactive, when a subscription lapses or is cancelled, or when an account is closed. For example, if a child uses a subscription-based learning or gaming app that collects information about the child (with consent), and the subscription for that app expires or becomes inactive, “the company must delete the information collected about the child” within a reasonable time frame, and must do so “using reasonable measures to ensure it’s been securely destroyed.”
The FTC thus advises that companies required to comply with COPPA should review their data retention and deletion policies to ensure they properly reflect this obligation. While there are reasons to retain certain personal data for a short period after an account is closed or expires, such as meeting final billing obligations or fulfilling residual services, the retention periods for such purposes should be limited.