COPPA Data Retention and Deletion Requirements

The Children’s Online Privacy Protection Act obligates certain website operators and online service providers to protect children under thirteen years. The Federal Trade Commission enforces the COPPA Rule.

While many operators and providers may be familiar with the need to have certain information in a privacy policy, as well as COPPA’s “verifiable parental consent” requirement, they may not be as cognizant of data disposal obligations.

Privacy policies must clearly and comprehensively describe how personal information collected. It must set forth first and third-party practices. There should be a link to it on the homepage and anywhere else personal information is collected from children. Links must be clear and prominent.

Verifiable parental consent must be obtained prior to the collection, use or disclosure of personal information from a child. The COPPA Rule is flexible in this regard, as long as the chosen method is reasonably designed in light of available technology to ensure that the person providing the consent is the child’s parent. 

As set forth by the FTC’s Six-Step Compliance Plan for Your Business explains, those covered by COPPA must be sure to properly provide parents the right to review and delete their children’s information. Under certain circumstances, however, the personal information deletion requirement exists even absent parental request.

For example, consider a subscription-based application that offers children under thirteen different games and learning tools. At the end of the subscription period a parent decides not to renew the service. Here, maintaining the child’s personal information is not permitted because COPPA provides for such retention “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”

Once retention is no longer reasonably necessary, data must be deleted via reasonable measures that are designed to ensure that it is securely disposed of and protect against unauthorized access to, or use of, the information.

Data retention policies are critical, including how you handle a child’s personal information upon account closure or inactivity.

Consider the following:

• The types of personal information being collected from children
• Stated purpose for collection
• The length of time retention of the information is reasonably necessary
• The manner in which information is deleted

Always implement reasonable procedures to protect the security of children’s information. COPPA requires that reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children be implemented.

Minimization of what is collected in the first place is recommended by the FTC. As is ensuring that reasonable steps are taken to ensure that personal information is released only to service providers and third-parties capable of maintaining its confidentiality, security and integrity.

Under COPPA, data deletion is more than just a good idea. It is the law.

Contact the author at rnewman@hinchnewman.com.

Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP focusing on advertising and digital media matters.

ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35^th Floor, New York, NY 10005 | (212) 756-8777.