Should users data be removed upon their request?


10

I have a commercial web startup. From a legal standpoint does maintaining users record (database info) if they decide to delete their account outweighs deleting their record?

  • Maintaining the users record, even if they delete their account, can protect users and myself, from legal issues by having solid evidence.
But
  • Deleting a account, can save some server space and prevent users from claiming that there is a privacy/respect issue.
What can be done to prevent users discomfort and always have a legal backup?

Customer Support Legal Users

asked Aug 22 '12 at 11:32
Blank
Dave Valentine
51 points
Get up to $750K in working capital to finance your business: Clarify Capital Business Loans
  • As a side note, does anyone know if sites like ebay and amazon actually complete delete their user records? – Dave Valentine 11 years ago
  • I don't know about eBay/Amazon, but this is a negative point for me if a site keeps my information even if I don't want it to. Respecting your users' privacy is a common courtesy that is so missed dearly here in the US... – Littleadv 11 years ago
  • BTW: Some information must be kept (for example, billing history) even if the account is deleted. Check it with your local legal advice. – Littleadv 11 years ago
  • information required for tax purposes will also be kept – Mhoran Psprep 11 years ago
  • Also - if there is a social aspect to the site, the persons submissions may be of value to the community, so one should craft in the EULA what is personal and public data. – Jim Galley 11 years ago
  • Where are you based? Different countries have different rules on this. – Dj Clayworth 11 years ago
  • @DaveValentine Facebook distinguishes between a 'deactivated' and 'deleted' account. A deactivated account is kept but disabled. A deleted account is now completely deleted; although it takes some time for everything to be removed from all servers. – Dj Clayworth 11 years ago

4 Answers


3

You should be very aware of the rules on data retention and data privacy for the legal jurisdiction(s) you operate in. Some places will give you a lot of legal trouble if you retain the information of a user who has 'deleted' their account.

For example the Privacy Commisioner of Canada conducted an investigation into Facebook and found them to be in contravention of the Personal
Information Protection and Electronic Documents Act
. She was able to effectively compel them to remove both deactivated and deleted accounts completely from their databases after a reasonable time or face penalties under the act. From the investigation: "The Act is clear that organizations must retain personal information only for as
long as necessary to fulfil the organization’s purposes, that organizations
should develop guidelines and implement procedures with respect to the
retention of personal information, and that such guidelines should include
minimum and maximum retention periods." A similar investigation in the UK led to similar results.

answered Aug 23 '12 at 05:28
Blank
Dj Clayworth
228 points
  • This is absolutely correct. If you're an international company, you can spend a LOT of time (legal and IT departments, especially) dedicated to getting this right. It could have significant impacts on system architecture as well, especially if you don't anticipate up-front the potential for wildly differing jurisdiction rules and your business requirements. – Mark Freedman 11 years ago

3

I don't think it's really viable to delete their information. Even if you remove it from your application, you aren't going to go back to every back up that contains them and remove them from those as well. With that in mind, claiming you have deleted them would be somewhat dishonest.

You can delete them from your database if you like (it is probably a good idea to help limit database growth), but don't claim in your terms that you delete all their data.

answered Aug 22 '12 at 17:27
Blank
Joel Friedlaender
5,007 points
  • Backups should not be retained indefinitely. – Dj Clayworth 11 years ago
  • Why not? I think it's a good idea to keep backups at different intervals? ie. daily for the last month, weekly for the last 6 months, monthly for the last year, and then yearly indefinitely? Storage is so cheap, why wouldn't you? – Joel Friedlaender 11 years ago
  • Because if you have data from customers who think they have deleted their accounts, and they are stolen, then suddenly those customers find thieves have their data even though they thought it had been deleted. That will get you in a lot of legal hot water. See my answer for more details. – Dj Clayworth 11 years ago
  • As long as you are clear in your terms of service/privacy policy, I can't imagine how this can be a problem. Assuming your service is optional, and people opt to use it and agree to your terms, I am not a lawyer but it would be pretty tough for that to be illegal. – Joel Friedlaender 11 years ago
  • I suggest reading the Facebook story. I think you'll be surprised. – Dj Clayworth 11 years ago
  • I read your link of "an investigation into Facebook". I was not surprised. I saw nothing in there that goes against my point. What exactly did you find in there that made you think this is illegal? Even if something in there did state that (which I do not believe is the case), this pertains to Canadian law, and may not affect the asker, nor many other people. – Joel Friedlaender 11 years ago
  • There's various liability aspects that can come up from keeping data too long - do some research into document retention policies/practices. – Nick Stevens 11 years ago
  • @JoelFriedlaender "The Act is clear that organizations must retain personal information only for as long as necessary to fulfil the organization’s purposes". Keeping backups is not "the organization's purposes". When you've stopped providing the user with the service they asked for then keeping their data unnecessarily is illegal. – Dj Clayworth 11 years ago
  • @DJClayworth I don't agree that your conclusion directly correlates with the statement. As mentioned at the top, I am not a lawyer, I just hope people get real advice before making any decisions on this. There is too much subjective information here that is claimed as fact. – Joel Friedlaender 11 years ago
  • @JoelFriedlaender I agree. People should certainly check with their lawyers. – Dj Clayworth 11 years ago

1

Be very clear in your cancellation policy. There are situations where a temporary 'soft' delete might be appreciated: accidents happen, accounts get compromised, disgruntled employees act maliciously. It would benefit you if an owner could verify themselves and have their account and data restored. You could keep it for 30 days. It could also be a great excuse to send a former client and email telling them their time is up, but if they would like to return as a customer, you have their data.

You are taking a risk when you manage client's data and there is little reward from former clients. Be dilligent and as Joel recommends, don't forget about the backups. Clients need to know they exist, how long you intend on keeping them, and that they are in a secured location.

answered Aug 23 '12 at 03:31
Blank
Jeff O
6,169 points

0

In general, not much is deleted these days, as storage is so cheap. However, if you are concerned about server space, why not just archive the "deleted" data to an offline store?

Perhaps you should mention your data-retention policy in your terms, so that people know what will happen. If you are silent on the matter, the rules will depend upon your jurisdiction. Furthermore, in some jurisdictions, whatever you have in your terms is over-ruled by local regulations.

For example, it used to be required to delete telecoms call records within 12 months in Germany, while the UK allowed you to keep them.

answered Aug 22 '12 at 17:03
Blank
Steve Jones
3,239 points
  • "We will keep your personal data for ever, even if you ask for it to be deleted" would certainly stop me from signing up for your service. In some countries it would get you in legal trouble. – Dj Clayworth 11 years ago
  • Yes, that's why I mentioned "...the rules will depend upon your jurisdiction." – Steve Jones 11 years ago
  • You seemed to say that the rules will apply only if you are silent on the matter. I think you will find that some rules will apply whatever you say. I believe it's also bad policy to keep users private data for ever. – Dj Clayworth 11 years ago
  • I was talking about defaults, i.e. implied terms of contract. Not worded well, I guess. – Steve Jones 11 years ago

Your Answer

  • Bold
  • Italic
  • • Bullets
  • 1. Numbers
  • Quote
Not the answer you're looking for? Ask your own question or browse other questions in these topics:

Customer Support Legal Users