16 CFR § 312.10 - Data retention and deletion requirements.

---
identifier: "/us/cfr/t16/s312.10"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "16 CFR § 312.10 - Data retention and deletion requirements."
title_number: 16
title_name: "Commercial Practices"
section_number: "312.10"
section_name: "Data retention and deletion requirements."
chapter_name: "FEDERAL TRADE COMMISSION"
subchapter_number: "C"
subchapter_name: "REGULATIONS UNDER SPECIFIC ACTS OF CONGRESS"
part_number: "312"
part_name: "CHILDREN'S ONLINE PRIVACY PROTECTION RULE (COPPA RULE)"
positive_law: false
currency: "2026-03-24"
last_updated: "2026-03-24"
format_version: "1.1.0"
generator: "[email protected]"
authority: "15 U.S.C. 6501 through 6506."
regulatory_source: "78 FR 4008, Jan. 17, 2013, as amended at 90 FR 16977, Apr. 22, 2025, unless otherwise noted."
cfr_part: "312"
---


# 312.10 Data retention and deletion requirements.

An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the specific purpose(s) for which the information was collected. When such information is no longer reasonably necessary for the purposes for which it was collected, the operator must delete the information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion. Personal information collected online from a child may not be retained indefinitely. At a minimum, the operator must establish, implement, and maintain a written data retention policy that sets forth the purposes for which children's personal information is collected, the business need for retaining such information, and a timeframe for deletion of such information. The operator must provide its written data retention policy addressing personal information collected from children in the notice on the website or online service provided in accordance with § 312.4(d).