How to Handle Data Deletion Requests (GDPR, CCPA, and Beyond)
Someone wants their data deleted. Here's the technical and operational process for handling erasure requests correctly and on time.
The Legal Basics (Not Legal Advice)
Under GDPR, individuals in the EU have the "right to erasure." Under CCPA/CPRA, California residents have the right to request deletion of personal information. Similar laws exist in Brazil (LGPD), Canada (PIPEDA), and a growing list of US states.
The common thread: when someone asks you to delete their data, you generally need to do it within a specific timeframe. GDPR requires action without undue delay and in any case within one month of receipt (extendable by a further two months for complex or numerous requests, provided you tell the requester within the first month). CCPA gives you 45 days (with a possible 45-day extension).
This is not optional. The fines for non-compliance are significant: GDPR penalties can reach €20 million or 4% of global annual turnover, whichever is higher.
I'm not a lawyer, and this isn't legal advice. Talk to yours. But the operational and technical processes below apply regardless of which specific regulation you're working under.
Setting Up the Intake Process
Verification First
Before deleting anything, verify the request is legitimate. Someone emailing from a random address asking you to delete "John Smith's account" could be anyone. You need to confirm the requester is the data subject (or their authorized agent).
Verification methods:
- Ask them to submit the request while logged into their account
- Send a verification link to the email address on file (not to whatever address the request arrived from)
- Ask for identifying information that matches your records (and don't collect more than you already hold; a deletion request is not a reason to start gathering ID scans)
- For authorized agents, request written authorization from the data subject
Dedicated Channel
Create a specific intake point for privacy requests. A form on your website works best (privacy@yourcompany.com also works). Don't make customers submit deletion requests through your normal support queue where they might get lost or deprioritized.
Log Everything
The moment a request comes in, log it. Timestamp, requester identity, what they're asking for, verification status. You need an audit trail proving you received the request and acted on it within the required timeframe.
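The intake steps above (verify, log, start the clock) fit in a few dozen lines. The following is an added example, not code from the original article: a request record that logs receipt and fixes both deadlines from the receipt time, plus an HMAC-signed, expiring, single-use verification token that is mailed to the address on file rather than the address the requester typed. The signing key, the request class and the 48-hour acknowledgement window are this example's own assumptions; the completion windows are the ones the article states, with GDPR's "one month" approximated as 30 days.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical signing key for this example; load it from a secrets manager in production.
SIGNING_KEY = b"example-only-replace-with-32-random-bytes"

# Completion windows as stated in the text above (not legal advice). GDPR's "one month"
# is approximated as 30 days here; track the calendar month if your counsel prefers.
COMPLETION_WINDOWS = {"gdpr": timedelta(days=30), "ccpa": timedelta(days=45)}
ACK_WINDOW = timedelta(hours=48)      # acknowledge receipt within 48 hours
TOKEN_TTL = timedelta(hours=24)       # verification links die after a day


@dataclass
class DeletionRequest:
    request_id: str
    claimed_email: str                # whatever the requester typed: untrusted until verified
    regime: str                       # "gdpr" or "ccpa"
    received_at: datetime
    ack_due: datetime
    completion_due: datetime
    verified: bool = False
    pending_token_mac: Optional[str] = None
    audit_log: list = field(default_factory=list)

    def log(self, at: datetime, event: str, **details) -> None:
        """Append an audit entry; this log is your proof of timely handling."""
        self.audit_log.append({"at": at.isoformat(), "event": event, **details})


def open_request(claimed_email: str, regime: str, now: datetime) -> DeletionRequest:
    """Log the request the moment it arrives and fix both deadlines from the receipt time."""
    if regime not in COMPLETION_WINDOWS:
        raise ValueError(f"unknown regime {regime!r}")
    req = DeletionRequest(
        request_id=secrets.token_hex(8),
        claimed_email=claimed_email.strip().lower(),
        regime=regime,
        received_at=now,
        ack_due=now + ACK_WINDOW,
        completion_due=now + COMPLETION_WINDOWS[regime],
    )
    req.log(now, "received", claimed_email=req.claimed_email, regime=regime)
    return req


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_verification_token(req: DeletionRequest, email_on_file: str, now: datetime) -> str:
    """Mint a signed, expiring, single-use token to send to the address ON FILE.

    The token is bound to this request ID and to the on-file address, so a link for one
    request cannot confirm another, and it goes to the record's address rather than to
    whatever address the requester typed into the form.
    """
    expires = int((now + TOKEN_TTL).timestamp())
    email_digest = hashlib.sha256(email_on_file.strip().lower().encode()).hexdigest()[:16]
    payload = f"{req.request_id}.{email_digest}.{expires}"
    mac = _sign(payload)
    req.pending_token_mac = mac
    req.log(now, "verification_sent", to=email_on_file, expires=expires)
    return f"{payload}.{mac}"


def verify_token(req: DeletionRequest, token: str, now: datetime) -> bool:
    """Accept only a well-formed, unexpired, unused, correctly signed token for THIS request."""
    try:
        request_id, email_digest, expires, mac = token.split(".")
        expires_at = int(expires)
    except ValueError:
        req.log(now, "verification_failed", reason="malformed")
        return False
    payload = f"{request_id}.{email_digest}.{expires}"
    ok = (
        req.pending_token_mac is not None                          # issued and not yet used
        and request_id == req.request_id
        and expires_at > int(now.timestamp())
        and hmac.compare_digest(mac.encode(), _sign(payload).encode())   # constant-time check
        and hmac.compare_digest(mac.encode(), req.pending_token_mac.encode())
    )
    if ok:
        req.verified = True
        req.pending_token_mac = None                               # single use: replays fail
        req.log(now, "verified")
    else:
        req.log(now, "verification_failed", reason="rejected")
    return ok


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    req = open_request("Jane.Doe@example.com", "gdpr", t0)
    link = issue_verification_token(req, "jane.doe@example.com", t0)
    print("complete by", req.completion_due.date())
    print("verified:", verify_token(req, link, t0 + timedelta(hours=1)))
    print("replay accepted:", verify_token(req, link, t0 + timedelta(hours=2)))
```

The deadlines are computed once, from the receipt timestamp, so the audit log and the due dates cannot drift apart later. Nothing is deleted until `verified` is set, and the token is consumed on first use, so a forwarded or replayed link cannot confirm a second time.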
What to Actually Delete
This is where it gets complicated.
Personal Data You Must Delete
Anything that identifies the person or is linked to them:
- Name, email, phone number, address
- Account profile data
- Support ticket contents (these contain personal information)
- Usage logs tied to their user ID
- Payment information (with caveats, see below)
- Any data they provided through forms, surveys, or conversations
Data You Can (or Must) Keep
Some data has legal retention requirements that override deletion requests:
- Transaction records required for tax/accounting purposes (keep for the legally mandated period, typically 5-7 years depending on jurisdiction)
- Data needed to comply with a legal obligation
- Data necessary for establishing, exercising, or defending legal claims
When you retain data for legal reasons, tell the requester what you're keeping and why.
The Gray Areas
Anonymized data (truly anonymized, not just pseudonymized) isn't personal data under GDPR, so you can keep it. But "anonymized" means re-identifying the person is not reasonably possible, by you or by anyone else with the means they could plausibly obtain. Removing their name but keeping their unique user behavior pattern isn't anonymization, and neither is replacing their email with a hash of it: a deterministic hash is still a stable identifier that links records together.
Backups are another gray area. Most companies can't selectively delete from backups without rebuilding the entire backup. The accepted practice is to delete from live systems immediately and let backups expire on their natural retention schedule (document this in your privacy policy). The catch is a restore: if you ever bring a backup taken before the deletion back online, the user reappears, so keep a ledger of completed deletions and replay it after any restore.
The Technical Implementation
Data Mapping
You can't delete what you can't find. Map every system that stores personal data:
- Your primary database
- Analytics platforms
- Email marketing tools
- CRM systems
- Log files
- Third-party integrations (Slack, Intercom, Zendesk, etc.)
- Backups
This mapping exercise is painful the first time. But you only do it once, then update it when you add new systems; the map goes stale the moment someone connects a new SaaS tool, so make updating it part of onboarding any new system.
Deletion Script or Workflow
Build a repeatable process. For small companies, this might be a checklist. For larger ones, a script that hits every system.
Your deletion workflow should:
1. Look up the user across all mapped systems
2. Delete or anonymize their data in each system
3. Pass the request on to any third party you've shared that data with
4. Generate a confirmation record (what was deleted, from where, when)
5. Send the requester confirmation that deletion is complete
Third-Party Integrations
If you've shared customer data with third parties (analytics tools, marketing platforms, payment processors), you need to notify them of the deletion request too. Check each vendor's data processing agreement for their deletion procedures.
This is the most time-consuming part. Some vendors have APIs for deletion requests. Others require you to email their privacy team and wait.
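Here is the deletion workflow above, the retention exceptions, and the third-party hand-off in one runnable example. It is added for this page and is not the article's or any vendor's code: the in-memory "systems" (a user table, support tickets, a transactions table, an email-marketing vendor with no deletion API, and an analytics API that is down) are constructed stand-ins, and `MappedSystem`, `run_deletion` and the other names are this example's own. It shows the data map expressed as code, per-system delete versus anonymize-and-retain versus notify-the-vendor, a confirmation record that stays "partial" until every vendor has confirmed and every outage has been retried, and a deletion ledger to replay after a backup restore.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable

# Constructed in-memory stand-ins for the mapped systems; in a real pipeline each entry
# wraps a database table, a SaaS API or a log index, and the orchestration is unchanged.
USERS = {"u123": {"email": "jane@example.com", "name": "Jane Doe", "phone": "+1 555 0100"}}
TICKETS = [{"id": 7, "user_id": "u123", "body": "Hi, Jane here, call me on +1 555 0100"}]
TRANSACTIONS = [{"id": "tx9", "user_id": "u123", "amount": 42.0, "date": "2023-11-02",
                 "customer_email": "jane@example.com", "customer_name": "Jane Doe"}]
SHARED_WITH_MARKETING = {"u123"}   # users whose data we exported to an email-marketing vendor
VENDOR_TICKETS = []                # deletion requests we still have to chase with a vendor by email
ERASED = "[erased]"   # a constant, not hash(email): a deterministic hash is still linkable pseudonymous data

@dataclass
class MappedSystem:
    name: str
    mode: str                       # "delete", "retain_anonymize" or "notify_vendor"
    find: Callable[[str], int]      # user_id -> number of records held
    act: Callable[[str], Any]       # user_id -> records affected, or a vendor ticket reference
    retention_reason: str = ""      # must be set when mode == "retain_anonymize"

def delete_matching(rows: list, uid: str) -> int:
    before = len(rows)
    rows[:] = [r for r in rows if r["user_id"] != uid]
    return before - len(rows)

def anonymize_transactions(uid: str) -> int:
    """Keep amount and date for the tax-retention period; blank every identifying column."""
    hits = [tx for tx in TRANSACTIONS if tx["user_id"] == uid]
    for tx in hits:
        tx.update(user_id=ERASED, customer_email=ERASED, customer_name=ERASED)
    return len(hits)

def open_vendor_ticket(uid: str) -> str:
    """No deletion API at this vendor: record that we asked, so the request is tracked to completion."""
    SHARED_WITH_MARKETING.discard(uid)
    VENDOR_TICKETS.append({"ref": f"vendor-{len(VENDOR_TICKETS) + 1}", "user_id": uid, "status": "awaiting_vendor"})
    return VENDOR_TICKETS[-1]["ref"]

def unreachable(uid: str) -> int:
    raise ConnectionError("analytics API timeout")   # stand-in for a system that is down at run time

def build_systems(include_outage: bool = False) -> list:
    """The data map as code: one entry per place personal data lives."""
    systems = [
        MappedSystem("primary_db", "delete", lambda u: int(u in USERS),
                     lambda u: int(USERS.pop(u, None) is not None)),
        MappedSystem("support_tickets", "delete", lambda u: sum(t["user_id"] == u for t in TICKETS),
                     lambda u: delete_matching(TICKETS, u)),
        MappedSystem("transactions", "retain_anonymize", lambda u: sum(t["user_id"] == u for t in TRANSACTIONS),
                     anonymize_transactions, retention_reason="tax and accounting records, statutory retention period"),
        MappedSystem("email_marketing", "notify_vendor", lambda u: int(u in SHARED_WITH_MARKETING), open_vendor_ticket),
    ]
    if include_outage:
        systems.append(MappedSystem("analytics", "delete", unreachable, unreachable))
    return systems

def run_deletion(uid: str, systems: list, ledger: list, now: datetime) -> dict:
    """Walk every mapped system, act according to its mode, and return the confirmation record."""
    results = []
    for s in systems:
        try:
            if s.find(uid) == 0:
                results.append({"system": s.name, "status": "nothing_found"})
            elif s.mode == "delete":
                results.append({"system": s.name, "status": "deleted", "records": s.act(uid)})
            elif s.mode == "retain_anonymize":
                if not s.retention_reason:
                    raise ValueError("retained data needs a documented legal reason")
                results.append({"system": s.name, "status": "anonymized", "records": s.act(uid),
                                "retained_because": s.retention_reason})
            elif s.mode == "notify_vendor":
                results.append({"system": s.name, "status": "pending_vendor", "ref": s.act(uid)})
            else:
                raise ValueError(f"unknown mode {s.mode!r}")
        except Exception as exc:   # one broken system must not stop the rest: record it and carry on
            results.append({"system": s.name, "status": "failed", "error": repr(exc)})
    unfinished = [r["system"] for r in results if r["status"] in ("failed", "pending_vendor")]
    # Tombstone in a deletion ledger: if a backup taken before today is ever restored,
    # replay the ledger so the erased user does not silently come back.
    ledger.append({"user_id": uid, "erased_at": now.isoformat(), "systems": [s.name for s in systems]})
    return {"user_id": uid, "at": now.isoformat(), "status": "complete" if not unfinished else "partial",
            "unfinished": unfinished, "results": results}

def retained_summary(record: dict) -> list:
    """What to tell the requester you kept and why, one line per retaining system."""
    return [f'{r["system"]}: {r["retained_because"]}' for r in record["results"] if r["status"] == "anonymized"]

if __name__ == "__main__":
    rec = run_deletion("u123", build_systems(include_outage=True), [], datetime.now(timezone.utc))
    print(rec["status"], rec["unfinished"], retained_summary(rec))
```

Two design points matter here. The confirmation record is only "complete" when nothing is failed or pending, so the "deletion is done" email to the requester cannot go out while a vendor ticket is still open or an API call still needs retrying. And a second run for the same user should report "nothing_found" everywhere, which makes the workflow safe to re-run after fixing an outage or after a restore.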
Response Timelines
Acknowledge receipt within 48 hours (even if you can't complete the deletion yet). Complete the deletion within the legal timeframe. Send written confirmation when it's done.
If you need more time (complex request, lots of systems), communicate that proactively. GDPR allows up to two further months for complex or numerous requests, provided you tell the requester within the first month and explain why. CCPA allows a 45-day extension if you notify the requester.
Automating the Process
Once you've handled a few dozen requests, patterns emerge. Most requests are straightforward account deletions. Automating the intake form, verification, and standard deletion workflow saves hours per request.
Supp can classify incoming privacy requests automatically, routing them to the right workflow instantly. A "data-deletion" intent triggers your deletion pipeline. At $0.20 per classification, that's a fraction of the cost of an agent manually triaging privacy requests.