What the Amended COPPA Rule Means for Data Retention Practices

Amid a growing wave of regulatory scrutiny aimed at protecting Children’s safety and privacy, amendments to the COPPA Rule that go into force this year set out new data retention requirements for Children’s personal information that Covered Companies must implement.

Although the amended COPPA Rule has been in effect since June 23, 2025, there is a 365-day grace period. As the April 22, 2026, enforcement deadline approaches, now is the time for Covered Companies to begin implementing the operational changes necessary to comply with the COPPA Rule’s new requirements regarding the retention of Children’s personal information.

This article addresses those requirements.

Written Data Retention Policy Requirement

Section 312.10 of the amended COPPA Rule requires Covered Companies to establish, implement, and maintain a written data retention policy that describes:

1. The purposes for which Children’s personal information is collected;
2. The business need to retain such information; and
3. A timeframe for when the Covered Company will delete such information.

In addition, Covered Companies must “provide” the data retention policy in their online notice of their Children’s information practices (Online Privacy Notice).

Below are some common questions that Covered Companies may find themselves asking as they prepare for compliance with the amended COPPA Rule’s data retention requirement.

Does a Covered Company Need to Prepare a Separate Data Retention Policy That Addresses Only Children’s Personal Information?

No. The COPPA Rule does not require a Covered Company to establish a separate written Children’s data retention policy so long as the company’s existing data retention policy is in writing, covers Children’s personal information, and satisfies all of the requirements of § 312.10. It is important to review an existing data retention policy to ensure it complies with the amended COPPA Rule retention requirements.

Can a Covered Company Simply Link to Its Existing Data Retention Policy in the Online Privacy Notice?

No. The data retention policy must be included as part of the Online Privacy Notice. Merely including a link to the data retention policy is not sufficient. To alleviate concerns that this may result in “unduly long, complex, or cluttered online notices,” the Federal Trade Commission (FTC) recommends using “various design features, such as expandable sections, [which would allow] reader[s] to obtain more detail within a given section, or intra-notice hyperlinks, [which would allow] reader[s] to quickly navigate between sections within the [Online Privacy Notice].”

How Detailed Must the Data Retention Policy Be?

Describing categories of Children’s personal information, such as contact information, account information, or education information, will likely suffice (i.e., those categories correlating with the categories typically found in a privacy notice under a section describing collection of personal information). Granular detail is not required. The FTC has clarified that it “declines to require that operators provide in their [Online Privacy Notice] an item-by-item matrix correlating each item of personal information collected with the particular use or uses of that item of information.”

Can a Covered Company Describe the Retention Timeframe in General Terms, e.g., ‘For as Long as Necessary’?

No. The data retention policy must establish and state reasonable and specific retention periods for Children's personal information. Covered Companies must ensure that they do not retain Children's personal information indefinitely.

For example, a Covered Company may be able to retain Children's personal information for a specific amount of time after the Child has last used the Covered Company's website or online service, or after a subscription has ended, if there is a business need for retaining the information, and the Covered Company’s data retention policy explains that the Covered Company will take such action.

What Is a ‘Reasonably Necessary’ Retention Period?

The COPPA Rule requires that personal information collected from Children online is retained only for “as long as is reasonably necessary to fulfill the purpose for which the information was collected” (the COPPA Reasonable Retention Requirement). Although the amended COPPA Rule is silent on specific retention timeframes, the FTC’s past enforcement actions offer guidance for best practices based on stipulated orders. Covered Companies should note that based on prior enforcement history, retention timelines vary, but indefinite retention will rarely, if ever, satisfy COPPA’s Reasonable Retention Requirement. Covered Companies should identify and document the purposes for which they retain Children’s personal information when establishing their retention period.

Companies may look to prior FTC enforcement actions for examples of retention periods the FTC found were unnecessarily long:

• In re Edmodo, LLC: The FTC alleged indefinite retention did not comply with the COPPA Rule. In the resolution of that matter, the FTC required that the business must be able to demonstrate and justify that a retention period is reasonably necessary to fulfill the original purpose for which the personal information was collected, including after account activity.
• In re Kurbo Inc.: The FTC alleged that retaining Children’s personal information for three years, regardless of whether the Child’s account was active, unless a parent requests deletion, violated the COPPA Reasonable Retention Requirement without a purpose for the retention.

Are There Specific Requirements for Describing the Purposes for Which Children’s Personal Information Is Collected?

The FTC indicated that the COPPA Rule “expressly permits operators to collect Children's personal information for more than one specific purpose.” The purposes listed in the data retention policy should match the purposes that were disclosed in the Covered Company’s Online Privacy Notice. The FTC prohibits collecting Children’s personal information for any purpose that is not disclosed in the Online Privacy Notice.

So long as this is disclosed, and the Covered Company ensures that it does not retain Children's personal information indefinitely, the FTC has stated that the purposes can include:

• Improving the website or online services
• Improving products or services
• Personalizing content shown to children on the website or online service
• Providing “support for the internal operations of the website or online service”
• Conducting activities that bolster privacy and security
• Facilitating security, fraud and abuse prevention, financial record-keeping
• Ensuring service continuity
• Complying with other legal or regulatory requirements
• Ensuring the age-appropriateness of the website or online service
• Preserving scores, interactions, communications, user-generated content, purchases, and other transactions in accordance with the user's expectations (in case of an online gaming service)
• Providing certain features in cloud-based productivity tools or in products for which parents have purchased lifetime subscriptions
• Retaining Children's personal information where the Child user or the parent directs an operator to retain information

Considerations for Implementation

As the effective date for compliance with the amended COPPA Rule approaches, Covered Companies may consider the following action items when preparing for compliance:

• Confirm that your organization has an established written data retention policy.
• Assess if the current data retention policy contains any gaps:
  • Does it explicitly cover personal information collected from Children?
  • Does it state reasonable and specific retention periods for Children's personal information supported by the business need?
  • Does it clearly describe purposes for which Children’s personal information is collected?
  • Do these purposes match the purposes that were disclosed in the organization’s Online Privacy Notice?
  • Does it describe business reasons for retaining Children’s personal information that align with the stated purposes for collection?
• If revisions are necessary (e.g., purpose statements or retention periods are missing), update and implement changes by April 22, 2026.
• Include the data retention policy in the organization’s Online Privacy Notice by April 22, 2026.