Buckling up in the car is a precaution parents take to protect themselves and their children. When it comes to the Children’s Online Privacy Protection Act, navigating the rules of the COPPA Road helps protect your business and the kids who visit your website or use your online service. Most companies are familiar with COPPA’s mandate to get parental consent up front before collecting personal information from children under 13. But there’s another requirement farther down the COPPA Road that some businesses may not know about.
As the FTC’s Six-Step Compliance Plan for Your Business explains, if you’re covered by the Children’s Online Privacy Protection Rule, you must provide parents the right to review and delete their children’s information. But did you know that, under certain circumstances, COPPA also requires you to delete children’s personal information, even if parents don’t ask you to?
Consider the example of a subscription-based app that offers children under 13 a variety of games and learning tools. What happens if, at the end of the subscription period, a parent decides not to renew the service? Absent a deletion request from Mom or Dad, can the company just keep the child’s personal information?
The answer is clear: No, the company can’t keep it. Under Section 312.10 of COPPA, you’re allowed to retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After that, you must delete it using reasonable measures to ensure it’s been securely destroyed.
With that in mind, if you haven’t reviewed your data retention policy recently, it’s time to take a fresh look at it. What do you do with the child’s information when a parent closes an account, doesn’t renew a subscription, or allows an account to become inactive? Is that information still necessary for, say, final billing purposes? If so, for how long?
Here are a few questions that might help your company navigate COPPA’s data retention and deletion requirements:
- What types of personal information are you collecting from children?
- What is your stated purpose for collecting the information?
- How long do you need to hold on to the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
- Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
- When it’s time to delete information, are you doing it securely?
The FTC has resources to help your company streamline COPPA compliance.