Tell me more ×
Answers OnStartups is a question and answer site for entrepreneurs looking to start or run a new business. It's 100% free, no registration required.
up vote 10 down vote favorite

I have a commercial web startup. From a legal standpoint does maintaining users record (database info) if they decide to delete their account outweighs deleting their record?

  • Maintaining the users record, even if they delete their account, can protect users and myself, from legal issues by having solid evidence.

But

  • Deleting a account, can save some server space and prevent users from claiming that there is a privacy/respect issue.

What can be done to prevent users discomfort and always have a legal backup?

share|improve this question
As a side note, does anyone know if sites like ebay and amazon actually complete delete their user records? – Dave Valentine Aug 22 '12 at 2:03
I don't know about eBay/Amazon, but this is a negative point for me if a site keeps my information even if I don't want it to. Respecting your users' privacy is a common courtesy that is so missed dearly here in the US... – littleadv Aug 22 '12 at 4:40
1  
BTW: Some information must be kept (for example, billing history) even if the account is deleted. Check it with your local legal advice. – littleadv Aug 22 '12 at 4:41
information required for tax purposes will also be kept – mhoran_psprep Aug 22 '12 at 12:19
1  
Where are you based? Different countries have different rules on this. – DJClayworth Aug 22 '12 at 19:43
show 2 more comments

4 Answers

up vote 3 down vote

I don't think it's really viable to delete their information. Even if you remove it from your application, you aren't going to go back to every back up that contains them and remove them from those as well. With that in mind, claiming you have deleted them would be somewhat dishonest.

You can delete them from your database if you like (it is probably a good idea to help limit database growth), but don't claim in your terms that you delete all their data.

share|improve this answer
Backups should not be retained indefinitely. – DJClayworth Aug 22 '12 at 19:59
1  
Why not? I think it's a good idea to keep backups at different intervals? ie. daily for the last month, weekly for the last 6 months, monthly for the last year, and then yearly indefinitely? Storage is so cheap, why wouldn't you? – Joel Friedlaender Aug 22 '12 at 23:05
Because if you have data from customers who think they have deleted their accounts, and they are stolen, then suddenly those customers find thieves have their data even though they thought it had been deleted. That will get you in a lot of legal hot water. See my answer for more details. – DJClayworth Aug 23 '12 at 2:27
1  
As long as you are clear in your terms of service/privacy policy, I can't imagine how this can be a problem. Assuming your service is optional, and people opt to use it and agree to your terms, I am not a lawyer but it would be pretty tough for that to be illegal. – Joel Friedlaender Aug 24 '12 at 0:44
1  
@JoelFriedlaender I agree. People should certainly check with their lawyers. – DJClayworth Aug 24 '12 at 13:23
show 5 more comments
up vote 3 down vote

You should be very aware of the rules on data retention and data privacy for the legal jurisdiction(s) you operate in. Some places will give you a lot of legal trouble if you retain the information of a user who has 'deleted' their account.

For example the Privacy Commisioner of Canada conducted an investigation into Facebook and found them to be in contravention of the Personal Information Protection and Electronic Documents Act. She was able to effectively compel them to remove both deactivated and deleted accounts completely from their databases after a reasonable time or face penalties under the act. From the investigation: "The Act is clear that organizations must retain personal information only for as long as necessary to fulfil the organization’s purposes, that organizations should develop guidelines and implement procedures with respect to the retention of personal information, and that such guidelines should include minimum and maximum retention periods." A similar investigation in the UK led to similar results.

share|improve this answer
This is absolutely correct. If you're an international company, you can spend a LOT of time (legal and IT departments, especially) dedicated to getting this right. It could have significant impacts on system architecture as well, especially if you don't anticipate up-front the potential for wildly differing jurisdiction rules and your business requirements. – Mark Freedman Aug 24 '12 at 18:40
up vote 1 down vote

Be very clear in your cancellation policy. There are situations where a temporary 'soft' delete might be appreciated: accidents happen, accounts get compromised, disgruntled employees act maliciously. It would benefit you if an owner could verify themselves and have their account and data restored. You could keep it for 30 days. It could also be a great excuse to send a former client and email telling them their time is up, but if they would like to return as a customer, you have their data.

You are taking a risk when you manage client's data and there is little reward from former clients. Be dilligent and as Joel recommends, don't forget about the backups. Clients need to know they exist, how long you intend on keeping them, and that they are in a secured location.

share|improve this answer
up vote 0 down vote

In general, not much is deleted these days, as storage is so cheap. However, if you are concerned about server space, why not just archive the "deleted" data to an offline store?

Perhaps you should mention your data-retention policy in your terms, so that people know what will happen. If you are silent on the matter, the rules will depend upon your jurisdiction. Furthermore, in some jurisdictions, whatever you have in your terms is over-ruled by local regulations.

For example, it used to be required to delete telecoms call records within 12 months in Germany, while the UK allowed you to keep them.

share|improve this answer
"We will keep your personal data for ever, even if you ask for it to be deleted" would certainly stop me from signing up for your service. In some countries it would get you in legal trouble. – DJClayworth Aug 23 '12 at 14:26
Yes, that's why I mentioned "...the rules will depend upon your jurisdiction." – Steve Jones Aug 23 '12 at 14:39
You seemed to say that the rules will apply only if you are silent on the matter. I think you will find that some rules will apply whatever you say. I believe it's also bad policy to keep users private data for ever. – DJClayworth Aug 23 '12 at 15:22
I was talking about defaults, i.e. implied terms of contract. Not worded well, I guess. – Steve Jones Aug 24 '12 at 6:41

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.