Do you let users completely delete their account on your site?

I’ve had one or two requests from users to completely delete their account. However, this can potentially cause issues, e.g. if there is info that we need to keep for audit reasons (like payment history). I notice that some big sites like wordpress.com don’t allow user deletion at all (see here: http://en.support.wordpress.com/deleting-accounts/), but at the same time, there could be PII concerns if you don’t honour a request to delete someones account and all the associated data.

Wonder how others here handle this?

I always think delete whatever you can and be a ‘real human’ about it. Do unto others…

I’d be surprised if you can’t delete all public facing data and definitely never email that person again!

In the specific case I’m thinking about we had to keep records of invoices/payments but we ‘denormalised’ the user data so that if we subsequently deleted a user the information stayed with the invoice. i.e. In ‘nerd terms’ we copied user address/email onto the payment record in the database, rather than use a foreign id.

You have to retain some information on the user, if only things like payment history. Imagine if people could “delete their account” with a student loan servicer.

After ensuring regulatory compliance and a certain level of CYA for liability issues, it really comes down to respecting user intent.

• People often reactivate an old account, and for most services they’ll expect to be able to pick up where they left off (it’s an “undo” action).

• If people “delete” an account, they expect all information you’re serving from/about them online to go away, and they expect never to have to hear from or care about your company again unless they decide to resume the relationship.

Users generally do not have any right to expect you to delete all information about them internally. But you should be up front about what actually happens, have adequate coverage in your ToS and privacy policy, and you should only retain what you need.

Here’s a rundown of what might be “best practices” for inactive and deleted accounts.

Inactive account:

• Stop serving their content if relevant.
• Be able to recover the account and its data with a short wait.
• Possibly send reactivation promos.

Deleted account:

• Remove their account and content from web servers.
• Retain what you need internally.
• Do not retain data for which you have no valid regulatory, liability, or research interest.
• Blacklist their contact for future marketing.

Personal information:

• Do not retain PII that you don’t need, even for active accounts.
• Encrypt data to the user when it’s sensitive and you don’t need to see it.
• Anonymize anything you want to keep for research but don’t need to link with a human for regulatory or liability reasons.

Emails to inactive users:

• Don’t screw up and email people on accident, this just isn’t professional.
• Honor the intent of opt-outs, don’t just invent new categories of email to opt out of every time you want to send to people who told you to stop emailing them.
• Don’t have stupid opt-out practices, you will get spam flagged like silly cakes if they have to jump through a bunch of hoops and log in to their inactive account just to unsubscribe from your latest new category of marketing mail.
• Reactivation promos are a thing, and often a useful thing depending on product, market, volume, account value, reason for leaving. Segment appropriately, wait a few months after account inactivation, make it legitimately special to the customer in terms of offer & sending frequency, and don’t send more than ~3 of these total.

If only LinkedIn, Twitter & Facebook would do this.

Actually, I’ve seen a lot of big and “respectable” companies do this. My patience is very short now- If I can’t unsubscribe in 1-2 clicks, I press spam.

The worst case was Swaroski. They automatically created an account for (for which I didn’t have a password). To unsubscribe, I had to login to my account, for which I’d have to do the “forgot password send email” dance, and then login to unsubscribe.

To answer the original question: Whatever you do, keep in mind that if it is seen as unfair (note: seen as), you may end up on Slashdot, with the heading “XYZ.com keeps your personal info forever”. Like @andycroll said, be a real human.

Great question!

I struggled with a client over this for a few weeks. We built a HR app together (for annual performance reviews etc) where it was important to maintain some records after a user was gone. In this case, the company is the customer and when they close their account we can export their data and remove it all (payment is done offline). But, for individual employees in the system, we needed to protect the company by keeping an audit trail (i.e., in case that employee sues for unfair dismissal etc).

Since everything (plans, reviews, surveys, action etc) in the system relates to a user we came up with a simple rule: you can only delete users that haven’t affected the state of the system (no survey responses, committed plans etc); otherwise those users are archived (& hidden). This maintains the audit trail and database integrity, but hides those users that have left the company.

Having done this work, I can says that it’s much simpler to delete all the account information if at all possible. Keeping some bits and hiding them, de-normalising them or excluding them from “active” queries, is a road straight to “edge case city”

With EventWax, we don’t have a delete button for the account level that is accessible to the accountholders. But, we do get about 1 request a month from people who want us to delete the account. We can do this but only if they haven’t sold paid tickets. If they’ve collected money for their tickets (and hence we’ve collected EventWax fees), we cannot delete the account, as we need to keep a record of those transactions.

But, based on this thread, I think we will create a new “hide” account function that we can use that will make it at least appear that the account is deleted. It will remove any public facing pages, remove the logins, etc.

I don’t expose a button to delete accounts. If customers ask me to delete their account, I use the standard unsubscribe feature and then ask whether that is enough. That keeps their info in our DB but stops service and we won’t bill them again.

Then I write something like this:

You mentioned that you wanted me to delete your account. If you would like, I can remove (e.g. your client and appointment information) from our database. This would make it impossible for you or anyone to get to it. Is that good enough for you?

Usually they say some variation of “yes.” I don’t generally explicitly say “Your information will still be in our backups. We generally don’t go looking for it, but it is theoretically find almost anything ever typed into our service. We won’t.” because it just confuses people.

No, not without asking. Otherwise, what can go wrong, would, and someone would lose their work by accident or by doing something stupid.

From a technical point of view, having a ‘deleted_at’ field in your DB and some kind of automatic logic like a scope in Rails that automatically discards records with that field set might be a good way to go.

When I delete my account at a service, I expect all data to be removed and not just a flag marking my account inactive.

I do respect the users of my service and the delete button truly deletes all data from our database. Payment history is retained by Stripe and there will always be a trace of the user within application and system logs.

The dilemma here is backups, I would be shocked to find out that a service is actually purging deleted account data from their historic backups.

At DNSimple we currently first present the option for customers to unsubscribe (i.e. to keep their user account, but stop having us resolve their DNS for them). Once they’ve done that then we provide a button that was not previously available to close their account completely.

For the moment we let people remove their user account along with all attached resources. I’m not sure if we’ll keep things that way forever though, as it does result in confusion in some cases.

If I’m in the right mood, I’ll mark as spam if it takes 2 clicks. Especially if they want me to type in my email address to “confirm” my unsubscribe.