Prospect Data Retention for US Colleges: How Long Can You Keep Applicant Data?

No single federal law governs how long US colleges keep prospect data. FERPA, CCPA, CAN-SPAM, and state privacy laws create a compliance patchwork. Practical guide: retention tables, best practices, and automated deletion for admissions teams.

Skolbot Team · May 20, 2026

Table of contents

  1. The core problem: no single federal rule governs how long you keep prospect data
  2. Retention periods table: what to keep, and for how long
  3. FERPA: what it covers and what it does not
  4. State privacy laws: the patchwork that catches institutions off guard
  5. CAN-SPAM and email marketing: the floor, not the ceiling
  6. FAFSA and financial aid data: separate rules apply
  7. Chatbot conversations: a blind spot for admissions compliance
  8. How SACSCOC, HLC, and other accreditors factor in
  9. The five systems that must be synchronized for clean deletion
  10. Building a prospect data retention policy: what to document
  11. FAQ — Prospect data retention for US colleges and universities

The core problem: no single federal rule governs how long you keep prospect data

At a private college or university in the United States, the question of how long to keep prospect data — the names, emails, test scores, and conversations that flow through your CRM before a student enrolls — has no clean federal answer. FERPA (Family Educational Rights and Privacy Act), administered by the US Department of Education, protects the education records of enrolled students. It does not apply to prospects who never matriculated.

For that pre-enrollment population — the inquiries from college fairs, the Common App starters who never submitted, the students who downloaded your viewbook and never replied — your obligations come from a different stack of laws:

  • CAN-SPAM Act: email marketing opt-outs must be honored within 10 business days; records of opt-outs must be maintained
  • State comprehensive privacy laws: as of 2026, more than 20 states have enacted laws giving consumers rights over their personal data, including the CCPA/CPRA (California), Virginia's CDPA, Colorado's CPA, and Texas's TDPSA
  • FTC Act Section 5: unfair or deceptive practices in data handling are actionable by the FTC
  • State breach notification laws: 50 states have them; most require notification within 30-72 hours of discovery

The industry best practice for prospect data — adopted by most regional accreditors and recommended by enrollment management consultants — is 3 years from last contact. This aligns with CAN-SPAM's implicit expectations, state privacy law look-back periods, and the statute of limitations for consumer protection claims in most states.

For a broader overview of data privacy compliance at your institution, see our complete guide to student data protection.

Retention periods table: what to keep, and for how long

Data category | Recommended retention | Legal basis
--- | --- | ---
Prospect contact (email, phone, address) | 3 years from last active contact | Industry best practice; CAN-SPAM; state privacy laws
Denied applicant file | 2 years from denial decision | Statute of limitations for potential discrimination claims
Enrolled student education records | 5 years post-graduation | FERPA + institutional policy + accreditor requirements
Financial aid records (FSA) | 3-7 years | 34 CFR § 668.24 (Department of Education)
Financial / accounting records | 7 years | IRS records retention; Form 990 requirements
Credit card payment data | 13 months | PCI-DSS chargeback window
Website cookies and analytics data | 13 months | CCPA look-back period; industry best practice
Chatbot conversations (no identifier collected) | 30 days | Data minimization; state privacy law
Chatbot conversations (tied to identified prospect) | 3 years (part of prospect record) | Industry best practice; state privacy laws
CAN-SPAM opt-out records | Permanent (or 3+ years) | CAN-SPAM Act, 15 USC § 7704

The 3-year window for prospect contacts is not arbitrary. California's CCPA establishes a 12-month look-back period for data subject requests — meaning if a California resident requests their data, you must account for the prior 12 months. Holding data for 3 years gives you a reasonable operating window while limiting your exposure under state laws that apply retroactively.

FERPA: what it covers and what it does not

FERPA is the foundation of student data privacy in US higher education, but its scope is widely misunderstood. The statute protects education records — records directly related to a student and maintained by an educational institution. Two words matter: "student" and "records."

A prospect who submitted a Common App application that was denied is not yet a "student" at your institution. An admitted student who chose not to enroll is not a "student" under FERPA. The Department of Education has confirmed this interpretation: FERPA does not govern the records of individuals who were not enrolled.

What FERPA does govern once a student enrolls: transcripts, grades, financial aid records, disciplinary files, and any other records maintained by the institution that are directly related to the student. These records must be retained for as long as the institution's policy and applicable accreditor standards require — typically 5 years post-graduation, though some records (transcripts showing degree conferral) are maintained permanently.

The practical implication for admissions teams: the moment a student enrolls, their application file transitions from "prospect data" (governed by state law and institutional policy) to "education record" (governed by FERPA). Your policies must address both phases.

State privacy laws: the patchwork that catches institutions off guard

Private colleges and universities are not specifically exempt from state consumer privacy laws. The CCPA and its successor CPRA apply to for-profit businesses that meet revenue or data volume thresholds β€” thresholds that many private universities exceed. More importantly, the roughly 20 state laws enacted since 2021 largely cover non-profits as well, and the trend is toward broader applicability.

What these laws require for prospect data retention:

California (CCPA/CPRA): Consumers have the right to know what personal information you hold, delete it on request, and opt out of sale. The 12-month look-back period means your deletion obligations extend to data collected in the prior year. The CPRA adds proportionality requirements: data must not be retained longer than necessary.

Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA): Similar deletion rights, with 45-day response windows for consumer requests (extendable to 90 days with notice). These laws explicitly include educational institutions unless they qualify for an exemption.

Texas (TDPSA): Effective July 2024, Texas's law covers entities that process personal data of 100,000+ Texas residents per year — a threshold reachable for many national recruiting programs.

The compliance implication: if you recruit nationally (and virtually all private colleges do), you should treat every prospect data retention decision as if the most restrictive applicable state law applies. A 3-year maximum retention period with clean deletion procedures satisfies the proportionality requirement of every current state law.

CAN-SPAM and email marketing: the floor, not the ceiling

The CAN-SPAM Act sets minimum requirements for commercial email — which includes most admissions marketing. Key compliance points for retention:

  • Opt-out requests must be honored within 10 business days
  • You must honor opt-outs for at least 10 years (the law requires a functioning opt-out mechanism; retaining the opt-out record indefinitely is the safe interpretation)
  • Post opt-out, you may not send commercial email but may retain the email address on a suppression list to prevent future accidental sends

The suppression list is the one case where "permanent retention" is not only acceptable but required. An email on your suppression list is retained not to market to the person, but specifically to prevent marketing — a fundamentally different purpose. Document this distinction in your data governance policy.

FAFSA and financial aid data: separate rules apply

Institutions that participate in Title IV federal financial aid programs — virtually every accredited US college or university — must comply with 34 CFR § 668.24, which governs records retention for the Federal Student Aid program. The general rule: records related to a student's financial aid eligibility must be retained for 3 years from the date on which the record was created, or 3 years from the end of the award year, whichever is later.

For auditing purposes, the Department of Education can request records going back 7 years. Institutions subject to a program review must retain all related records until the review is closed, which can extend beyond the standard 3-year window. Keep financial aid and enrollment records in a separate retention policy from your general prospect data policy.

Chatbot conversations: a blind spot for admissions compliance

72% of prospect questions submitted to school chatbots are simple FAQs that can be automated, while 7% require human escalation (Source: automated classification of 12,000 Skolbot conversations, 2025). That volume of conversational data is almost never addressed in an institution's formal data retention policy.

The applicable rule depends on whether a prospect was identified during the conversation:

  • No identifier collected (anonymous inquiry): conversation logs can be retained 30 days for service improvement purposes, then deleted or anonymized
  • Identifier associated (email or phone provided to be contacted): the conversation becomes part of the prospect record and follows the 3-year retention rule

Under the CCPA, a California resident who interacted with your admissions chatbot and provided their email has the right to request deletion of that record. Your chatbot vendor must be able to execute that deletion on request — verify this capability in your vendor contract and data processing agreement before deployment.

For institutions that also use cookies and session analytics associated with chatbot interactions, see our guide to cookie consent and data collection compliance for schools.

How SACSCOC, HLC, and other accreditors factor in

Regional accreditors do not prescribe specific data retention periods for prospect records. They do require institutions to demonstrate effective data governance as part of their compliance reviews. The Southern Association of Colleges and Schools Commission on Colleges (SACSCOC) and the Higher Learning Commission (HLC) both include data integrity and institutional effectiveness requirements that presuppose a coherent records management policy.

Accreditors are increasingly asking institutions about their data governance programs during reviews — particularly as AI tools for admissions become more common. An institution with a documented prospect data retention policy is better positioned than one managing data through informal practice.

The five systems that must be synchronized for clean deletion

When a prospect's retention period expires — or when a California resident submits a CCPA deletion request — the data must be removed from every system. At most private colleges, that means:

  1. CRM (Slate, HubSpot, Salesforce, Technolutions) — delete or anonymize the contact record
  2. Email marketing platform — add to suppression list, delete send logs containing the email address
  3. Chatbot platform — delete conversations tied to the prospect's identifier
  4. Analytics tools — delete or anonymize behavioral data tied to an identifiable user
  5. Backups — schedule deletion from backup systems according to their retention cycle

This deletion cascade must be documented and tested. A manual quarterly purge process is not sufficient — staff turnover erases institutional knowledge, and a conversation from 2021 sitting in a backup database is a documented violation under CCPA if the individual has submitted a deletion request.

Our guide to protecting prospect data under state and federal law covers the legal framework in detail; our guide on the right to data deletion for US schools covers the operational procedures step by step.

Building a prospect data retention policy: what to document

An effective retention policy for prospect data should address the following, in writing:

Retention periods by data category: use the table above as a starting point, adjusted for your state law obligations and any applicable accreditor requirements.

Definition of "active contact": what events reset the retention clock? A response to an email, a click-through to your application portal, a campus visit registration — yes. An email open without engagement — generally no. Define this explicitly to avoid inconsistent application.

Deletion triggers and responsible parties: who executes deletions, when, and in which systems? If the answer is "whoever happens to remember," you do not have a policy — you have a wish.

CCPA and state law compliance procedures: how do you handle deletion requests, what is your response timeline, and who receives and tracks them?

Suppression list management: how do CAN-SPAM opt-outs flow into your email systems, and how do you prevent future sends to suppressed addresses?

Student Lifetime Value context: at US private colleges, annual tuition ranges from $20,000 to $80,000 per enrolled student. The admissions funnel is expensive — cost per enrolled student at selective private institutions can exceed $3,000-$5,000. A clear retention policy protects both the institutional investment and the institution's legal standing.
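The retention table and the "active contact" definition above can be expressed as a small policy-as-code check that produces the list of records due for the deletion cascade. The following is an added illustration, not Skolbot's code; the event names, day counts, category keys and sample records are assumptions constructed for the example, with the windows taken from the article's table (3 years from last active contact, 2 years from denial, 30 days for anonymous chatbot logs, opt-out records kept permanently).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Events that reset the "last active contact" clock (policy definition above);
# an email open without engagement is deliberately NOT in this set.
ACTIVE_EVENTS = {"email_reply", "portal_click", "visit_registration"}

# Retention windows in days, taken from the table above. "optout" is absent on
# purpose: suppression-list entries are kept permanently.
RETENTION_DAYS = {
    "prospect": 3 * 365,           # from last active contact
    "denied_applicant": 2 * 365,   # from denial decision
    "chatbot_anonymous": 30,       # from the conversation date
}

REFERENCE_DATE = date(2026, 5, 20)  # "today" for the constructed sample below

@dataclass
class Record:
    record_id: str
    category: str                  # a RETENTION_DAYS key, or "optout"
    created: date                  # denial decision / conversation / first contact
    events: list = field(default_factory=list)   # (date, event_name) pairs

def last_active_contact(rec: Record) -> date:
    """Latest clock-resetting event; falls back to the creation date."""
    active = [d for d, ev in rec.events if ev in ACTIVE_EVENTS]
    return max(active) if active else rec.created

def is_expired(rec: Record, today: date) -> bool:
    """True when the record has outlived its window. Opt-out records never do:
    they exist to prevent sends, not to market, so they are never purged."""
    if rec.category == "optout":
        return False
    # Only the prospect window runs from last contact; the others run from
    # the event that created the record.
    anchor = last_active_contact(rec) if rec.category == "prospect" else rec.created
    return today - anchor > timedelta(days=RETENTION_DAYS[rec.category])

def deletion_queue(records, today: date) -> list:
    """IDs to push through the cascade (CRM, email, chatbot, analytics, backups)."""
    return sorted(r.record_id for r in records if is_expired(r, today))

# Constructed sample records; none correspond to real people.
SAMPLE = [
    Record("p1", "prospect", date(2022, 9, 1), [(date(2023, 1, 10), "email_open")]),
    Record("p2", "prospect", date(2022, 9, 1), [(date(2024, 3, 3), "portal_click")]),
    Record("d1", "denied_applicant", date(2024, 3, 15)),
    Record("c1", "chatbot_anonymous", date(2026, 4, 1)),
    Record("o1", "optout", date(2019, 1, 1)),
]

if __name__ == "__main__":
    print(deletion_queue(SAMPLE, REFERENCE_DATE))  # ['c1', 'd1', 'p1']
```

Note that p1's email open does not reset its clock while p2's portal click does, which is exactly the distinction the policy must spell out; the output of this check is the input to the five-system cascade, not a replacement for it.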

FAQ — Prospect data retention for US colleges and universities

Does FERPA require us to keep applicant records for a minimum period? FERPA establishes maximum restrictions on disclosure of education records, not minimum retention requirements. It does not govern records of individuals who never enrolled. For enrolled students, FERPA is silent on retention minimums — those are set by your institutional policy, state law, and accreditor requirements. The common practice is 5 years post-graduation for academic records, with transcripts retained permanently.

A California prospect requested we delete all data we hold on them. Do we have to comply? Yes, with limited exceptions. Under CCPA/CPRA, California residents have the right to request deletion of their personal information. You must respond within 45 days (extendable to 90 with notice). Exceptions include data you need to complete a transaction the consumer requested, data you need to comply with a legal obligation, and data retained for security purposes. For a prospect who never enrolled, the exceptions are narrow — compliance is effectively required.

We bought a list of high school seniors from College Board. What retention rules apply? CAN-SPAM applies to any commercial email you send to those addresses, including the opt-out requirement. State privacy laws may apply depending on where the students reside. The 3-year retention guideline applies from the date of first contact or last active engagement, whichever is later. If a student on the list submits a deletion request, you must comply regardless of the source of the data.

Our admissions chatbot collects email addresses for follow-up. Is there a disclosure obligation? Yes. Under the FTC Act and state consumer protection laws, collecting personal information through deceptive or unfair means is actionable. Disclosing at the start of the chatbot interaction that you are collecting an email address, what it will be used for, and how to request deletion is the minimum. Under the CCPA, you must provide a privacy notice at the point of collection. This disclosure should be built into your chatbot's first-contact flow.

How does our institution's Common App data fit into this retention framework? Common App is a shared application platform. Data submitted through Common App is governed by Common App's own privacy policy and your institution's data processing agreement with Common App. Once application data is imported into your SIS (Student Information System) or CRM, it becomes your data and is subject to your retention policies. For denied applicants, the 2-year retention window from the denial decision applies to the imported data in your systems.
