Most companies are familiar with the Children’s Online Privacy Protection Act (COPPA) and its requirement to obtain parental consent before collecting personal information online from children under 13. Yet COPPA also includes an information deletion requirement of which companies may be unaware. On May 31, 2018, the Federal Trade Commission (FTC) published a blog post addressing this requirement, clarifying (i) when children’s personal information must be deleted and (ii) how the requirement applies, as well as (iii) recommending that covered companies review their information retention policies to ensure they are in compliance.
(i) COPPA’s information deletion requirement. The FTC clarifies that, under Section 312.10 of COPPA, companies may retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After that, a company must use reasonable measures to ensure such personal information is securely destroyed.
(ii) Application of the deletion requirement to children’s outdated subscription information. In its post, the FTC applies the deletion requirement to the example of a subscription-based app directed to children under 13. If the subscription period ends, and a parent decides not to renew the service, can the company keep the child’s personal information? The answer, the FTC confirms, is “no”: the information is no longer “reasonably necessary” to provide the app’s services, so it must be deleted. This is true regardless of whether a parent affirmatively requests deletion.
(ii) Recommendation to review information retention policies in light of the deletion requirement. The FTC recommends that companies review their information retention policies with COPPA’s deletion requirement in mind. It lists questions to help guide companies as they navigate this requirement:
- What types of personal information are you collecting from children?
- What is your stated purpose for collecting the information?
- How long do you need to hold onto the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
- Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
- When it’s time to delete information, are you doing it securely?
Key takeaway. If a company possesses personal information collected online from a child under 13, and the information no longer serves the purpose for which it was collected, the company must delete it. Companies should review their information retention policies to ensure compliance with this COPPA requirement.
* * *
For more on the Children’s Online Privacy Protection Act, please read the following Socially Aware posts: FTC Issues Substantially Revised COPPA Rule: and Review of Changes and Compliance Tips; and Mobile App Legal Terms & Conditions: Six Key Considerations.