How do you handle "delete my account" requests?

When a customer of your business requests their account data to be deleted, how do you handle it?

You could just delete everything outright, but you risk losing all usage evidence if they end up filing a chargeback later.

I'm thinking of building a well-secured, self-service "delete my account" feature for most of my sites with a 30-day delay. And instead of deleting everything, I will zero out any personal data but keep the metadata around usage.

How do you handle it?


It's super annoying to do this right. I get the privacy laws around it, but seriously, it's not how most tech companies work, making this a pain.

It depends a little on the app. For homestra, I wipe the whole thing; it doesn't matter for the rest of the platform. For a podcast platform I ran years ago, I would "anonymize" the user like Reddit does it; it was simply too much work to remove comments (break all the replies, etc.).

For webtastic I do delete most of the stuff, but like you said, you want to keep a log for chargebacks.

Honestly, I would do a soft delete and keep data for 30 days, and anonymize everything after that. Maybe it's not completely "legal"?

You are allowed to keep some data for cases like financial stuff, etc.; not sure on the specifics, as there are quite a few national privacy laws these days (California's one, GDPR, the UK's GDPR, South Africa's POPIA).

The approach to zero out data and anonymise as much as possible is sound - I've done it before for day-job stuff. It's useful because metrics don't get skewed by data going missing.

I haven't had anyone request this, but I'm quietly following to see some good practices in case it comes up.

Klaas is right: it depends on the app and the data you have. Is it interesting to keep? Anonymize it. If not, just delete it. I do have self-service deletion on all apps; it's a relatively small feature and saves you the tickets.

I have consumer apps and B2B apps, and deletion requests happen on both sometimes (far fewer on B2B), even with the self-service option.

For consumers I delete everything user-identifying outright if they are making a personal request, except for financial stuff (for proof) - I keep that for 6 months, then auto-prune. That's just in case they do a chargeback.

I have interesting data coming from the #whatpulse software - like used hardware peripherals, application versions and hashes, and more. Data that's useful even without attached users. That I anonymize.

There are also services like saymine.com which automate requests via emails that they'll send whenever they find a service in the user's inbox, regardless of whether the user has already deleted their account. I find those so bloody annoying and lazy; I have auto-responders set up to redirect the user to the self-service account deletion page. I know that's probably against the GDPR/CA/etc. rules, but I don't care. 😉
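The lifecycle the thread converges on (the question's 30-day delay that zeroes personal data but keeps usage metadata, Klaas's soft delete followed by anonymization, and the 6-month retention of payment records for chargeback evidence in the post above) can be modelled as one small state machine plus a scheduled job. The code below is an added example, not anything posted in the thread or taken from the posters' apps; the field names, the 183-day figure used for "6 months", and the sample timestamps are constructed for illustration.

```python
"""Soft-delete with a grace period, then anonymize, then prune financial evidence.

Added example (not from the thread). Retention windows are assumed from the
discussion: a 30-day cancellation window and roughly six months of payment
records kept as chargeback evidence after the account has been anonymized.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GRACE_PERIOD = timedelta(days=30)
FINANCE_RETENTION = timedelta(days=183)

# Constructed sample clock used by demo() and the usage below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    id: int
    # Direct identifiers: cleared on anonymization.
    email: Optional[str]
    name: Optional[str]
    last_ip: Optional[str]
    # Usage metadata: kept so aggregate metrics are not skewed by deletions.
    signup_at: datetime
    plan: str
    api_calls: int
    deletion_requested_at: Optional[datetime] = None
    anonymized_at: Optional[datetime] = None


@dataclass
class PaymentRecord:
    account_id: int
    amount_cents: int
    paid_at: datetime
    processor_ref: str  # what the payment processor asks for in a dispute


def request_deletion(acct: Account, now: datetime) -> datetime:
    """Mark the account for deletion; returns the time it becomes irreversible."""
    if acct.anonymized_at is not None:
        raise ValueError("account already anonymized")
    acct.deletion_requested_at = now
    return now + GRACE_PERIOD


def cancel_deletion(acct: Account) -> bool:
    """Undo a pending request; only possible while the grace period is running."""
    if acct.anonymized_at is not None:
        return False
    acct.deletion_requested_at = None
    return True


def anonymize(acct: Account, now: datetime) -> None:
    """Irreversibly drop personal data, keep the non-identifying usage fields."""
    acct.email = None
    acct.name = None
    acct.last_ip = None
    acct.anonymized_at = now


def run_retention_job(accounts: List[Account], payments: List[PaymentRecord],
                      now: datetime) -> Dict[str, object]:
    """Scheduled job: anonymize expired requests, then prune payment records
    that are older than FINANCE_RETENTION measured from anonymization."""
    anonymized = 0
    for a in accounts:
        if (a.deletion_requested_at is not None and a.anonymized_at is None
                and now - a.deletion_requested_at >= GRACE_PERIOD):
            anonymize(a, now)
            anonymized += 1
    # Accounts that are still live keep their payment history untouched.
    expiry = {a.id: a.anonymized_at + FINANCE_RETENTION
              for a in accounts if a.anonymized_at is not None}
    kept = [p for p in payments
            if p.account_id not in expiry or now < expiry[p.account_id]]
    return {"anonymized": anonymized,
            "pruned_payments": len(payments) - len(kept),
            "payments": kept}


def demo() -> Dict[str, object]:
    """Walk one constructed account through the whole lifecycle."""
    acct = Account(id=1, email="user@example.com", name="Sample User",
                   last_ip="203.0.113.5", signup_at=T0, plan="pro", api_calls=42)
    payments = [PaymentRecord(1, 999, T0, "constructed-charge-ref")]
    request_deletion(acct, T0)
    early = run_retention_job([acct], payments, T0 + timedelta(days=10))
    due = run_retention_job([acct], early["payments"], T0 + GRACE_PERIOD)
    late = run_retention_job([acct], due["payments"],
                             T0 + GRACE_PERIOD + FINANCE_RETENTION)
    return {"anonymized_early": early["anonymized"],
            "anonymized_due": due["anonymized"],
            "email_after": acct.email, "api_calls_after": acct.api_calls,
            "payments_after_due": len(due["payments"]),
            "payments_after_late": len(late["payments"])}


if __name__ == "__main__":
    print(demo())
```

The job is written to be safe to re-run: an account is anonymized at most once, and payment pruning is keyed off the anonymization timestamp rather than the request timestamp, so a cancelled request never shortens the evidence window. Identity confirmation before `request_deletion` is left to the application, as the later post in the thread notes.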

For a few years now, I have deleted all user data upon request and after confirming identity.

For #ipregistry, upon account deletion, I store a hash of the email address along with the number of API credits remaining on the account. This ensures that if a new account is created with the same email address, the number of credits is restored.

Regarding chargebacks, in my case, they are rare and not worth spending much time on for now.
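The credit-restoration scheme described for #ipregistry above (keep a hash of the email and the remaining credits, restore them if the same email signs up again) can be implemented as a small ledger keyed on an email fingerprint. The code below is an added example, not ipregistry's code; the key name, the ledger class and the sample emails are constructed. The one design choice it adds is that the fingerprint is a keyed HMAC rather than a plain hash: without the server-side key, a stored fingerprint cannot be matched against a list of guessed email addresses, which keeps the retained value closer to "anonymous" than a bare SHA-256 of the address would be.

```python
"""Remember remaining API credits for a deleted account without keeping its email.

Added example (not from the thread). The fingerprint key, environment variable
name and sample addresses are constructed; in a real deployment the key would
come from a secrets manager and never be the fallback literal used here.
"""
import hashlib
import hmac
import os
from typing import Dict

# Server-side secret. Rotating it invalidates outstanding fingerprints, so
# treat it like any other long-lived credential.
FINGERPRINT_KEY = os.environ.get(
    "DELETION_FINGERPRINT_KEY", "constructed-example-key-do-not-use").encode()


def normalize_email(email: str) -> str:
    """Trim and lower-case so the same mailbox always maps to one fingerprint."""
    return email.strip().lower()


def email_fingerprint(email: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized address.

    Unlike an unkeyed hash, this cannot be reversed by hashing a dictionary of
    likely addresses unless the attacker also holds the key.
    """
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


class CreditLedger:
    """Maps email fingerprints to credits left over when the account was deleted."""

    def __init__(self) -> None:
        self._credits: Dict[str, int] = {}

    def record_deletion(self, email: str, credits_remaining: int) -> bool:
        """Store only the fingerprint and the balance; the email itself is not kept.
        Returns False when there is nothing worth remembering."""
        if credits_remaining <= 0:
            return False
        self._credits[email_fingerprint(email)] = credits_remaining
        return True

    def claim_on_signup(self, email: str) -> int:
        """Restore credits for a returning address. The entry is removed on
        claim so the same balance cannot be restored twice."""
        return self._credits.pop(email_fingerprint(email), 0)

    def pending_entries(self) -> int:
        return len(self._credits)


if __name__ == "__main__":
    ledger = CreditLedger()
    ledger.record_deletion("Alice@Example.com", 250)
    print("restored:", ledger.claim_on_signup("alice@example.com"))  # 250
    print("second claim:", ledger.claim_on_signup("alice@example.com"))  # 0
```

Normalization happens before hashing on both the deletion and the signup path, so case or whitespace differences do not silently lose a balance. The ledger deliberately stores nothing for accounts with zero credits, which keeps the retained dataset to the minimum that serves the stated purpose.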