Data Retention and Deletion

Home / Everything About / Everything About Analytics / Data Retention and Deletion

Keeping data indefinitely is a liability. Privacy law requires that you delete data when you no longer need it. This chapter covers retention policies (how long to keep data) and deletion processes (how to handle user deletion requests and system cleanups).

Why Data Retention Policies Matter

Legal Requirement

GDPR and similar laws require data retention policies. You must delete data after you've achieved your stated purpose. "Keeping data forever just in case" violates data minimization principles and is grounds for fines.

Operational Benefit

Older data is less useful. An event from 2 years ago rarely affects current decisions. Deleting old data reduces storage costs, simplifies backups, and reduces exposure if breached (smaller dataset to expose).

User Expectations

Users expect you to delete their data when it's no longer needed. A cloud-based to-do app should delete your tasks when you close your account, not keep them indefinitely. Clear deletion policies build trust.

Setting Retention Policies

What Data? How Long?

Different data types have different retention needs:

Analytics events: 12 months is typical. After a year, historical events are rarely analyzed. If you need longer, 24 months is reasonable. Don't keep forever.

Customer account data: Keep while the account is active. Delete 90 days after account closure (allows for recovery window). Don't keep indefinitely.

Support tickets: Keep for 2-3 years (statute of limitations for disputes). Then delete.

Financial records: Keep for 7 years (tax/legal requirements). Then delete.

Marketing lists: Keep while customer is on the list. Delete 30 days after unsubscribe.

Longer Retention for Specific Use Cases

Some data may need longer retention: fraud detection (keep for audit trail), legal disputes (keep until resolved), regulatory compliance (vary by industry). These are exceptions. Default should be: delete as soon as no longer useful.

Documenting Your Policy

Write down your retention policy: what data types, retention period for each, legal basis for retention. Make it available to users in your privacy policy. "We keep your data for X months, then delete it." Transparency builds trust.

Implementing Automated Deletion

Scheduled Deletion Jobs

Set up automated jobs that run on a schedule (monthly, quarterly) to delete data past its retention date. Example: a job that deletes all analytics events older than 12 months. Run this automatically so data deletion is not manual or forgotten.

Event-Triggered Deletion

Some deletion is event-triggered: when a user closes their account, delete their data. When a user unsubscribes, delete their email. Set up automated workflows that delete when certain events occur.

Logging Deletion

Log when data is deleted (what data, when, why). This creates an audit trail. If regulators ask why certain data is missing, you can show it was deleted per policy, not hidden.

Handling User Deletion Requests

The Right to Be Forgotten

GDPR gives individuals the "right to be forgotten." Users can request deletion of their personal data. You have 30 days to comply (with exceptions for legal obligations). This means you need the ability to delete user data on request.

Implementing Deletion Workflows

Step 1: Receive request. User submits deletion request via support form or account settings.

Step 2: Verify identity. Confirm the request is from the account owner (not a false request).

Step 3: Identify data. Find all data related to this user: account, analytics events, support tickets, email lists, backups.

Step 4: Delete. Remove from live systems and backups. Confirm deletion in writing to the user.

Step 5: Log. Document the deletion: who requested, when, what was deleted.

Exceptions to Deletion

You don't have to delete if: you have a legal obligation to keep the data (tax records, court orders), you need it for a stated purpose still being fulfilled, or the user consented to further processing after the deletion request. But these are exceptions. Default is to delete when requested.

Challenges in Implementation

Distributed Data

User data is often spread across systems: live database, backups, third-party services (analytics vendors, email providers), employee laptops. Finding all data to delete is complex. Solution: maintain a data inventory. Know where user data lives. Include deletion requirements in vendor agreements.

Backup Retention

Backups contain user data even after deletion from live systems. How long do you keep backups? You likely can't restore from 3-year-old backups daily, but legal holds might require keeping them. Clarify: backups can be kept longer than live data, but they must eventually be deleted too.

Anonymized Data

True anonymized data is not covered by deletion rights (it's not personal data). But most "anonymized" data is actually aggregated or pseudonymized (reversible). If you can re-identify it, it's personal data and must be deleted on request. Understand what you're actually storing.

Privacy by Design: Deletion in Architecture

Design systems with deletion in mind from the start. Use data structures that make deletion efficient. Don't mix data types that have different retention needs. Make it easy to query and delete user data. If you build deletion capability upfront, compliance is simpler later.

What's a realistic analytics data retention timeline for different business types?

What's the exact process for responding to a deletion request within the legal timeline?

How do I know if my 'anonymized' data is actually anonymized or still personal data?

How long should I keep backups, and how do I handle deletion requests for backup data?

What's a step-by-step deletion workflow for data spread across analytics, email, CRM, and vendor tools?

What's the difference between 'operational delay' and violating the 30-day rule?

DEVELOPMENT VERSION