Under COPPA, data deletion isn’t just a good idea. It’s the law.
Buckling up in the car is a precaution parents take to protect themselves and their children. When it comes to the Children’s Online Privacy Protection Act, navigating the rules of the COPPA Road helps protect your business and the kids who visit your website or use your online service. Most companies are familiar with COPPA’s mandate to get parental consent up front before collecting personal information from children under 13. But there’s another requirement farther down the COPPA Road that some businesses may not know about.
As the FTC’s Six-Step Compliance Plan for Your Business explains, if you’re covered by the Children’s Online Privacy Protection Rule, you must provide parents the right to review and delete their children’s information. But did you know that, under certain circumstances, COPPA also requires you to delete children’s personal information, even if parents don’t ask you to?
Consider the example of a subscription-based app that offers children under 13 a variety of games and learning tools. What happens if, at the end of the subscription period, a parent decides not to renew the service? Absent a deletion request from Mom or Dad, can the company just keep the child’s personal information?
The answer is clear: No, the company can’t keep it. Under Section 312.10 of COPPA, you’re allowed to retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After that, you must delete it using reasonable measures to ensure it’s been securely destroyed.
With that in mind, if you haven’t reviewed your data retention policy recently, it’s time to take a fresh look at it. What do you do with the child’s information when a parent closes an account, doesn’t renew a subscription, or allows an account to become inactive? Is that information still necessary for, say, final billing purposes? If so, for how long?
Here are a few questions that might help your company navigate COPPA’s data retention and deletion requirements:
- What types of personal information are you collecting from children?
- What is your stated purpose for collecting the information?
- How long do you need to hold on to the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
- Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
- When it’s time to delete information, are you doing it securely?
The FTC has resources to help your company streamline COPPA compliance.