What is the process for users to request deletion of their data

Data Deletion Request Handling

The technical solution detailed in this specification provides the means to signal consumer requests for data deletion. Companies supporting the US Privacy Framework (i.e., service providers) will respond to the signals by deleting the consumer’s relevant personal data to the extent required by CCPA. The process for deletion depends on the company’s technology and operational practices in place. How a Vendor deletes a consumer’s personal data is out of scope for this specification.

Every Vendor that provides a service for a Publisher must host a JavaScript file for that Publisher. The Publisher must include the Vendor-provided JavaScript file as a <script> HTML element whose src attribute equals the Vendor’s specified hosting URL on every page from which the Publisher intends to invoke the Data Deletion Request (e.g. ). The Vendor-hosted JavaScript registers a Vendor-proprietary callback function with the USP API, to be invoked if a deletion request occurs.

USP API Commands

A Data Deletion Request is accomplished by the registerDeletion and performDeletion Commands invoked on the USP API.

The registerDeletion Command registers a Vendor-specific callback function with the USP API. The callback will only be called when the performDeletion Command is invoked.

Argument Name | Type     | Value
command       | string   | ‘registerDeletion’
version       | number   | US Privacy spec version
callback      | function | function()

The Publisher, or its CMP where applicable, invokes the performDeletion Command when a consumer action initiates the deletion process. The Command invokes all callbacks registered via the registerDeletion Command, in no specified order.

Argument Name | Type        | Optional | Value
command       | string      |          | ‘performDeletion’
version       | number      |          | US Privacy spec version
callback      | null        |          | no callback
param         | Identifiers | X        | Optional Identifiers object for In-App

The callback parameter of the __uspapi is not used in this case and shall be passed as null. The Identifiers argument is only required when handling in-app deletion requests.

When operating in an in-app environment that leverages WebViews (Mobile, CTV, etc.), cookies do not persist beyond a session. Without persistent cookies, Vendors need more information to correctly identify the consumer and the associated data to delete. When WebView limitations exist, a Publisher shall invoke performDeletion with an Identifiers object as the param argument. This Identifiers object contains the platform name, the unique app identifier used in the app store, and the device identifier for that platform / store. A Publisher shall open a WebView with a web page where a consumer can complete the request to have their data deleted.

The performDeletion Command may be invoked with an optional Identifiers argument as the param. A hosting app passes app-specific identifier information to the WebView that invokes the performDeletion Command so that it can construct an Identifiers object to pass as that argument.

The following is the list of platform identifiers.

Platform Name | Store             | Identifier
Android       | Google Play Store | "google"
Android       | Amazon Store      | "amazon"
iOS           | App Store         | "ios"
Samsung       | App Store         | "samsung"
Huawei        | App Store         | "huawei"
Sony          | App Store         | "sony"
LG            | App Store         | "lg"

Example Publisher Script

In this example, the Publisher has an Array of strings. Each of those strings contains a URL to a Vendor delete script src. This Publisher also has a CCPA delete button with the class name ccpa-delete on their page. First the script will append all of the Vendor scripts to the body of the document and then stage a listener to listen for a user clicking the ccpa-delete button. When the user clicks that button, the handler function will call the ‘performDeletion’ Command on the __uspapi function.

Example Vendor Script

Below is an example script demonstrating how a vendor script can properly handle receiving the data deletion directive request from the consumer.
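The Publisher script and Vendor script described above, written out as an added example (not the IAB spec’s own sample code). It includes a minimal constructed __uspapi stub implementing the registerDeletion and performDeletion Commands so the flow runs outside a browser; the spec version (1), the Vendor script URLs and the Identifiers field names (platform, appId, deviceId) are assumptions.

```javascript
const USP_VERSION = 1; // assumed US Privacy spec version

// Minimal __uspapi stub (constructed for this example; a real CMP provides it)
const deletionCallbacks = [];

function __uspapi(command, version, callback, param) {
  if (command === 'registerDeletion' && version === USP_VERSION) {
    // Vendor callback is stored, not run; it fires only on performDeletion.
    if (typeof callback === 'function') deletionCallbacks.push(callback);
  } else if (command === 'performDeletion' && version === USP_VERSION) {
    // callback must be null here; param is an optional Identifiers object
    // (in-app/WebView only). Registered callbacks run in no specified order.
    deletionCallbacks.forEach((cb) => cb(param || null));
  } else if (typeof callback === 'function') {
    callback(null, false); // unknown command or version: signal failure
  }
}

// ---- Vendor script: register a Vendor-proprietary deletion handler ----
const vendorDeletionLog = []; // stands in for a call to the Vendor backend

function vendorDeleteHandler(identifiers) {
  // Web: the Vendor's own cookie identifies the consumer. In-app: cookies do
  // not persist, so the Identifiers object (field names assumed) is needed.
  const record = identifiers
    ? { source: 'in-app', platform: identifiers.platform,
        appId: identifiers.appId, deviceId: identifiers.deviceId }
    : { source: 'web' };
  vendorDeletionLog.push(record);
  return record;
}

__uspapi('registerDeletion', USP_VERSION, vendorDeleteHandler);

// ---- Publisher script: load Vendor scripts, wire the ccpa-delete button ----
const vendorScriptUrls = [ // constructed sample URLs
  'https://vendor-a.example/usp-delete.js',
  'https://vendor-b.example/usp-delete.js',
];

function loadVendorScripts(doc, urls) {
  urls.forEach((src) => {
    const s = doc.createElement('script');
    s.src = src;
    doc.body.appendChild(s);
  });
}

// identifiers is null on the web; a host app passes it into the WebView.
function onCcpaDeleteClick(identifiers = null) {
  __uspapi('performDeletion', USP_VERSION, null, identifiers);
  return deletionCallbacks.length; // number of Vendors signalled
}

if (typeof document !== 'undefined') { // browser only; skipped under Node
  loadVendorScripts(document, vendorScriptUrls);
  document.querySelectorAll('.ccpa-delete').forEach((btn) =>
    btn.addEventListener('click', () => onCcpaDeleteClick()));
}
```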

GDPR data deletion request

As part of our continuing dedication to data security, customer privacy, and GDPR compliance, OnceHub offers all customers the opportunity to request data deletion for any data associated with their account. Under Article 17 of the GDPR, data subjects have the right to request erasure of personal data if the data is no longer needed or consent has been withdrawn. Learn more about GDPR compliance

Who can request data deletion?

If your customer requests you delete their data, your developers can delete that customer’s contact record through the OnceHub API by:

Next, you can delete their bookings in your Activity stream. If you don’t have access to developers, you can start with this step. Learn more

For any other data deletion, any OnceHub User can request data deletion for themselves or their Users, regardless of whether or not they are located in the EU. The request will need to be made from the email address associated with the account and the User will be asked to provide identifying security information to confirm account ownership.

What is the data deletion process?

Once data deletion is requested and account ownership is confirmed, the data deletion request enters our queue. Generally, the data is deleted within 14 calendar days of the initial request. During the deletion process data is securely purged from OnceHub databases and servers. All related backup and log data will be deleted within 30 calendar days. Once data has been deleted it cannot be recovered.

What happens to calendar appointments after activity data is deleted?

The deletion process only removes the data from OnceHub’s internal databases and servers. Calendar events in the User’s connected calendar will not be modified or deleted.

How will billing and transaction history be affected?

Some monetary amounts shown in the application and invoices will be calculated excluding any amounts related to deleted meetings. This means that the amount shown will not reflect the true amount debited/credited. This applies to the following:

How can I request data deletion?

You can submit a data deletion request in our Trust Center. Please include as much information as possible regarding which data you would like to be deleted. The request will be escalated to the proper team for evaluation and processing. We will reach out every step of the way to keep you updated on the deletion progress.

How can I learn more about OnceHub security and compliance?

To learn more about OnceHub’s compliance with the GDPR, read our practical guide to using OnceHub in a GDPR compliant manner or visit our Trust Center.

Documentation

The Data privacy functionality provides the workflow for users to submit a data request (also known as a subject access request or SAR) and for the site administrator or privacy officer to process these requests.

Privacy officer role

It is recommended that you create a Privacy officer role and assign it to the person responsible. If there is nobody on the site with the role of privacy officer i.e. nobody with the capability to manage data requests, then a site admin can respond to data requests and manage the data registry.

Data requests

Any user can send a message to the privacy officer via the ‘Contact the privacy officer’ link on their profile page.

In addition, they can request a copy of all of their personal data or request that their personal data should be deleted as follows:

The privacy officer will then receive a data request notification.

If the user has requested a copy of all of their personal data, once the request is approved, they will receive a notification to inform them that their personal data may be downloaded from their Data requests page. In Moodle 3.5.2 onwards, the user has by default one week to download their data before the download link expires. (An administrator can set a different expiry time for the data request in ‘Privacy settings’ in the Site administration.)

If the user has requested that their personal data should be deleted, once the request is approved, they will receive an email to inform them and they will no longer be able to log in to the site.

Responding to data requests

The privacy officer can respond to data requests as follows:

If the user has sent a message, the privacy officer can view the message and copy the user’s email address, then reply via email. In Moodle 3.5.2 onwards, after replying they can mark it as complete.

Automatic approval of data export and deletion requests

Data export and deletion requests may be automatically approved, rather than the privacy officer having to manually approve each one. This feature may be enabled in Site administration / Users / Privacy and policies / Privacy settings.

Deletion of user data

When a user’s data is deleted, any forum posts are blanked and replaced with a sentence stating that the post has been removed. However, if the user started any discussions, their name is currently still shown on the forum page (MDL-62865).

Allowing only the privacy officer to download data

In Moodle 3.5.2 onwards, organisations with multiple systems and a centralised request process can prevent users from downloading their own data and instead enable a privacy officer to download it for them.

The privacy officer can then make a data request on behalf of a user (via ‘Data requests’ in the Site administration), approve it and later download it via the Actions dropdown menu. In this situation, the privacy officer will receive notification messages and NOT the user.

Data registry

The privacy officer can set purposes (why the organisation is processing data) with retention periods and categories for data stored in Moodle in the data registry. Different types of data may need to be stored for different lengths of time. For example, student submissions to an assessment may need to be retained indefinitely to be able to provide evidence of student accomplishments, whereas general coursework such as forum posts might only be retained until graduation + 12 months.

A default purpose and retention period may be set for course categories, courses, activity modules and blocks. The retention period is measured from the course end date for the course that an activity is in. For a user it is from the last login time for any user who is no longer enrolled (or has already been deleted).

Example categories

Data registry set-up

To add purposes and categories:

Purposes and categories need to be created before they can be set as defaults. Note that default data registry categories and purposes are applied only to newly created instances of that type (a course, for example). Any content that was created before the defaults were set is not affected.

To set default categories and purposes:

Setting categories and purposes for existing contexts

The Data registry interface is used for navigating the contexts of the site to set the category and purpose for each of them, and thus the data retention period for that context.

At the very least, the site admin should set the category and purpose at the site level. Once this is saved, all lower contexts inherit from that level. The admin can then choose to set different categories and purposes for different levels of context, for example giving a specific course a longer or shorter retention period, thus overriding the inherited values.

Data deletion

The Data deletion page (Site administration / Users / Privacy and policies / Data deletion) lists the contexts that are past their allocated retention period and need to be confirmed for user data deletion. Once the selected contexts have been confirmed for deletion, the user data related to these contexts will be deleted on the next execution of the "Delete expired contexts" scheduled task.

Capabilities

Plugin privacy registry

The Plugin privacy registry (Site administration / Users / Privacy and policies / Plugin privacy registry) lists all plugins in Moodle, and identifies whether they comply with the privacy API or not. Any plugins which are flagged with the warning icon do not yet implement the Moodle privacy API. If this plugin stores any personal data it will not be able to be exported or deleted through Moodle’s privacy system.

Offering account deletion in your app

Starting June 30, 2022, apps submitted to the App Store that support account creation must also let users initiate deletion of their account within the app. Deleting an account removes the account from the developer’s records, along with any data associated with the account that the developer isn’t legally required to maintain. Providing this capability gives people more control of the personal data they’ve shared. If you’re updating an app or submitting a new app with account creation, please read the guidance below to prevent delays in review.

Account deletion guidance

Account deletion is a significant decision for the user, and the process for initiating and confirming deletion should be straightforward and transparent:

Note: Follow applicable legal requirements for storing and retaining user account information and for handling account deletion. This includes complying with local laws where your apps are available. If you have questions regarding your legal obligations, check with your legal counsel.

Frequently asked questions

Can I direct users to a customer service flow to complete account deletion?
Can I require reauthentication or add confirmation steps to ensure that the account isn’t deleted by accident or by someone other than the account holder?

Yes. It is appropriate to ensure that the deletion is intentional and desired by the user. You may add steps to verify the identity of the person making the request, and to confirm that they want to delete the account (such as by entering a code from an email or phone number already associated with the account). However, apps that make it unnecessarily difficult for a user to delete their account will not pass review.

My app uses Sign in with Apple to provide account creation and authentication to users. What changes are necessary to support users who delete their accounts?
If my app links out to the default web browser for account creation, does it still need to offer account deletion within the app?
My app automatically creates an account for the user. Do I need to include an option to initiate account deletion?

Yes. Users should have the option to delete automatically generated accounts (sometimes called “guest” accounts) and the data associated with those accounts. Ensure any automatic account creation in your app complies with local laws where your app is available.

I manually delete user accounts and this takes time. Does account deletion need to be immediate and automatic?

No. If your process for account deletion is manual or otherwise takes time to complete, this is acceptable. Inform the user how long it will take to delete the account and provide a confirmation when the deletion has been completed. Ensure the time taken to delete accounts complies with local laws where your app is available.

Does the content provided by a user need to be deleted in apps that display and share user-generated content?

Yes. People expect that all data associated with their account will be deleted when the account is deleted. This includes user-generated content that’s shared with others, such as photos, video, text posts, and reviews. If local laws or regulations require that you maintain some data, let your users know.

I currently allow account deletion in compliance with CCPA, GDPR, or other local laws in some of the locations where my app is available. Is this sufficient?
How do I handle users with auto-renewable subscriptions? I don’t want to accidentally charge someone after they’ve deleted their account.

If the user has auto-renewable subscriptions, notify them that their billing will continue through Apple and request that they cancel their subscription before continuing. If you’re using App Store Server Notifications for auto-renewable subscriptions, you can verify the status of the user’s subscription in real time, or use the Subscription Status API to identify subscription status.

Use showManageSubscription in iOS 15 and iPadOS 15, or later, or provide the following link to let users manage their subscriptions: https://apps.apple.com/account/subscriptions. For tvOS, provide onscreen instructions to change or cancel a subscription, as described in the Apple TV User Guide.

In addition, you can use beginRefundRequest in iOS 15 and iPadOS 15, or later, or provide the following Apple Support link to allow customers to submit refund requests: https://support.apple.com/en-us/HT204084.

You can also provide an option to schedule account deletion at a later time to align with the subscription’s expiration date, as long as there is also an option to delete the account immediately.

How to respond to a user requesting deletion of their online account

My website occasionally receives requests from users asking for their account to be deleted. The website itself is a dating site that stores messages between users, personal information they add to their public profile, logs and stats about their usage, etc.

While the site currently lets an admin ‘deactivate’ a user’s account such that it no longer appears publicly, actually deleting the user record and its associated data from the database is problematic. Information we’d be deleting about a user is occasionally necessary and always useful.

One alternative I have toyed with would be to attempt to anonymize the user by clearing all personally identifying pieces of information. Reading about the de-anonymization that occurred with the Netflix dump, it looks as though this could be quite hard to do effectively.

The company is incorporated in New Zealand, the servers are located in the US and users are from all over the world. Here are some relevant points in the Terms and Conditions:

If you wish to terminate your membership you must advise [us] by e-mail. Termination of your membership is effective from our receipt of your e-mail after which time your profile will be removed.

[We] will remove records of any conversations, photos or videos of a deactivated user upon their removal from the site. These records will also be removed from any user who may have communicated with the deactivated user.

How must I respond to this request? Does the site need to have functionality that allows us to completely delete all traces of a user? Would attempting to anonymise a user be sufficient? I understand Facebook allows for your account to be ‘deleted’, but do they really remove all traces? In the worst-case scenario, if the database was hacked and dumped online, would we be liable for any deanonymization that occurred?