Under COPPA, data deletion isn’t just a good idea. It’s the law.

Share This Page

Buckling up in the car is a precaution parents take to protect themselves and their children. When it comes to the Children’s Online Privacy Protection Act, navigating the rules of the COPPA Road helps protect your business and the kids who visit your website or use your online service. Most companies are familiar with COPPA’s mandate to get parental consent up front before collecting personal information from children under 13. But there’s another requirement farther down the COPPA Road that some businesses may not know about.

As the FTC’s Six-Step Compliance Plan for Your Business explains, if you’re covered by the Children’s Online Privacy Protection Rule, you must provide parents the right to review and delete their children’s information. But did you know that, under certain circumstances, COPPA also requires you to delete children’s personal information, even if parents don’t ask you to?

Consider the example of a subscription-based app that offers children under 13 a variety of games and learning tools. What happens if, at the end of the subscription period, a parent decides not to renew the service? Absent a deletion request from Mom or Dad, can the company just keep the child’s personal information?

The answer is clear: No, the company can’t keep it. Under Section 312.10 of COPPA, you’re allowed to retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After that, you must delete it using reasonable measures to ensure it’s been securely destroyed.

With that in mind, if you haven’t reviewed your data retention policy recently, it’s time to take a fresh look at it. What do you do with the child’s information when a parent closes an account, doesn’t renew a subscription, or allows an account to become inactive? Is that information still necessary for, say, final billing purposes? If so, for how long?

Here are a few questions that might help your company navigate COPPA’s data retention and deletion requirements:

  • What types of personal information are you collecting from children?
  • What is your stated purpose for collecting the information?
  • How long do you need to hold on to the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
  • Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
  • When it’s time to delete information, are you doing it securely?

The FTC has resources to help your company streamline COPPA compliance.

Comments

All on time

You guys really don't understand internet pop culture, you don't get it.

The safety of a child is great, but there are people like thieves who get a 20,000 dollar fine and youtubers who targeted children get 42000 that's dumb.

to be honest. i'm indonesian citizen. not american. just a teenager from asia pacific. i understand that coppa is needed to protect our kids from adult/mature content on youtube or other platform. but consider your choice. youtube isn't just for kids. its for everyone. not limited just by age or country. even religion or ethnic people lived in. if you didnt atleast try to find a better resolution. thousand of people who's working as content creator on youtube will suffer. their channel will get deleted. and lot of people didnt like it. i personally didnt like it. if i suggest you. talk to few content creator on platform. not people working on youtube. but the content creator. i think we can find a better way to solve this

thankyou ftc

That's why there is youtube kids.

The parents shod control what the kids are watching not the content craters.

This is completely dumb when combined with the algorithm. This proves to be a recipe for disaster on YouTube because of how YouTube abuses its platform.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.