Letting Members delete their accounts

Maybe others have run into this … I was surprised that I cannot allow users to delete their account … to reverse a signup.

Do we not generally accept now that if we sign up for something that we can sign off or delete our account if we decide not to continue?

I understand that you can unsubscribe from the newsletter. But if you do that, the account remains.

#idea

2 Likes

One-click account deletions are a pretty essential feature for me, personally. I really feel compromised when I deal with sites that make you chase them down to delete your info. Would love to have it available for members.

1 Like

Having had to deal with this on various platforms over the course of over 13 years I want to ask how you would deal with the content (if any) these members may have contributed to?

In Ghost this is less of an issue because there is no mechanism for direct contribution but it still needs to be considered.

For example

If as a member they opened an email they contribute to the send/open numbers. Do these need to be decremented?

I use Cove for commenting and that uses a separate database. Are the comments deleted? How? That would need to be done by the developer, not Ghost, and because a lot of the value of my community is in contributed comments I don’t want those to disappear.

Becoming a member creates a customer record in Stripe, and that needs to be deleted. If the member has subscribed to a premium tier then all that data gets deleted and could mess up the roll-up counts in the dashboard.

There may be other dependencies that need to be considered, updates to the API, and making sure integrations are kept in sync and that the API handles all of the disparate needs of those integrations. And I don’t want to have to rely on Zapier or Integromat or similar service to do the heavy lifting as I am then also constrained by their capabilities.

What happens with a one-click delete can be a real challenge and should be carefully thought through, IMO and in my experience. Other platforms I have worked with have much more granular ACLs and permissions regarding privacy and email sending and making this work could require expanding those options and putting some of them on the user Account page.

3 Likes

Well said, it takes a simple thought/idea and really makes us think about the complications :call_me_hand:.

That’s true, it does illuminate some of the complexities, but from a moral standpoint it changes nothing – a straightforward deletion mechanism ought to be implemented nonetheless. It is unquestionably a moral wrong to knowingly provide software that prevents its users (website owners / content creators like us) from respecting the data privacy wishes of our own users. We can’t even easily change the members sign-up screen to warn our users that their data can’t be deleted without hacking Ghost itself (it’s not just a simple settings change or theme modification), and even if we as a content creator have the skill to do that, it gets overridden every time we update Ghost.

In terms of deleting the actual data, there’s no real technical issue, and much of it can be anonymized for record-keeping purposes. Even comments can be made anonymous, though I will say that anything you say in a public forum you should generally assume will be out there forever (not only is it not practically deletable once a handful of people have seen/heard it, but there is no moral obligation to protect that data since it was shared openly and freely in the first place). What I’m concerned about here is private data. If you, like me, believe it’s important to live in a world where individuals – not corporations – should have control over their private data, then anything that can’t be anonymized and can be traced back to the individual user should be deletable if that person so desires. If you want to live in the other world – one where corporations/other people control our data and decide how it is used without our consent without even telling us before we sign up – well, I suppose we have very different ambitions for the future…

1 Like

I am much further down the privacy end of the spectrum than most people but I also see things from multiple points of view and there are always trade-offs. It’s not so much the corporations per se but that they are beholden to shareholders who mostly only care about their pound of flesh, so yes, I do worry a lot about where we are heading. But I also worry that someone will grab a headline, throw massive amounts of effort into getting people behind whatever idea something invokes (due to emotions) without actually taking a second to even try to think it through. I probably didn’t say that very well. So yes, I see what you’re saying and basically agree with you though also acknowledge that things aren’t always as simple as they seem. Software development takes a lot of money and manpower so you need to keep the money coming in (that’s more important for some companies than others), so that usually means spending your resources on things that will keep customers around or gain new ones at the expense of things that the average person doesn’t notice or usually even care about. I have conversations with family and friends about privacy and every single one of them probably thinks I’m a loony, because they either have no idea or worse they don’t care and usually respond with ‘I have nothing to hide’… I’m talking generally here, not specifically about this.

In a perfect world we would all care about privacy, but unfortunately this world is far from perfect…

The world is far from perfect, but that doesn’t mean we shouldn’t aim to make it perfect. :slight_smile:
Sure, as I have no knowledge of the financials of the company that seems to be shaping the future of Ghost, I can’t speak to their priorities / timeline, only to the moral responsibility of whether it should or should not be done.

There are at least four huge areas to consider here: privacy implications, legal implications, moral implications, and technical implications. I was pointing out some of the technical implications of a one-click account delete. This was allowed on Ning back in the day and I had one member of my community who got pissed off when I sent a private message to tone down the rhetoric towards other members – and they deleted their account and along with it every bit of useful content (original posts, comments, and photos) they contributed over the course of several years. If there were comments to an original post then the contributions of others were also deleted. I was able to retrieve a private stash of most of the content via the Wayback Machine so, yeah, there’s that to consider in this context.

When I moved over to Jamroom one of the things I liked was the granularity of the ACL with respect to permissions that extended from privacy/visibility to email and I would recommend anyone examine them as a part of any discussion with respect to account deletion.

What I would like is the ability to set an account to inactive and make the status available to third-party programs like Cove who could then anonymize any contributions they made. This would ensure that any replies to comments were not un-parented and that the context for the reply would remain.

I should also point out there may be financial reporting issues and so a one-click delete that filters through to Stripe could delete necessary financial records. I do have a Privacy Policy page and I would make it perfectly clear what my policy is in this regard. I explain on that page why I do not use GA for analytics (choosing Fathom) – and will not use AdWords or AdSense or any ad-serving tech. My site sets exactly four cookies which all appear to be about maintaining session state and there are no detectable trackers. That’s where my privacy focus is.

On the overarching philosophical point, I believe that the precise implementation of answers to the moral and legal questions should belong in the hands of the publisher rather than Ghost, whose role should be to facilitate. I will argue for a granular approach to permissions that would enable me to decide how I want to handle things. (What this suggests is that if there is a “delete” button on the Account page that there be a modal dialog with customizable text that explains what will happen, and importantly, clicking on delete should trigger an event (or events) that notify/ies admins either in the UI or by email or both.) From hard experience, I can tell you I have found value in anonymizing UGC and keeping it around for a variety of reasons rather than outright deleting it. It’s been hugely valuable to me over the course of over 13 years of moderating my community on what is now four platforms.

1 Like
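
An added example, not part of the thread and not Ghost's or Cove's code: it contrasts the cascading hard delete described in the Ning anecdote above with the "set inactive and anonymize" approach proposed in the same post. The member and comment schema, the sample rows and all function names are hypothetical.

```python
from copy import deepcopy

# Constructed sample data; this schema is hypothetical, not Ghost's or Cove's.
MEMBERS = {7: {"email": "pat@example.com", "name": "Pat", "status": "active"}}
COMMENTS = [
    {"id": 1, "parent_id": None, "author_id": 7, "author_name": "Pat", "body": "Original post"},
    {"id": 2, "parent_id": 1, "author_id": 9, "author_name": "Sam", "body": "Reply to Pat"},
    {"id": 3, "parent_id": 2, "author_id": 7, "author_name": "Pat", "body": "Pat answers Sam"},
    {"id": 4, "parent_id": None, "author_id": 9, "author_name": "Sam", "body": "Unrelated thread"},
]

def hard_delete(comments, member_id):
    """Remove the member's comments and, by cascade, every reply beneath them."""
    doomed = {c["id"] for c in comments if c["author_id"] == member_id}
    changed = True
    while changed:  # keep sweeping until no further descendants are found
        changed = False
        for c in comments:
            if c["parent_id"] in doomed and c["id"] not in doomed:
                doomed.add(c["id"])
                changed = True
    return [c for c in comments if c["id"] not in doomed]

def deactivate_and_anonymize(members, comments, member_id):
    """Erase the member's identifying fields but keep every comment row in place."""
    members, comments = deepcopy(members), deepcopy(comments)
    members[member_id] = {"email": None, "name": None, "status": "inactive"}
    for c in comments:
        if c["author_id"] == member_id:
            c["author_id"] = None              # break the link back to the person
            c["author_name"] = "Former member"
            # The body is kept as-is; free text may still contain personal data
            # and needs its own review.
    return members, comments

def orphans(comments):
    """Ids of replies whose parent comment no longer exists."""
    ids = {c["id"] for c in comments}
    return [c["id"] for c in comments
            if c["parent_id"] is not None and c["parent_id"] not in ids]
```
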

Yes, exactly. :ok_hand: The creators of Ghost need take no moral position one way or another and simply let their users determine how they want to handle deletions — whether that be guided by moral principles, legal statute, or otherwise.

That said, I do grant that it does indeed seem like it could be a complicated feature to add in to the full extent desired, but at the very least in the near term it’d be nice if we can edit the sign up page more easily (i.e. from the admin panel).

Sounds like a serious problem. The GDPR requires all businesses to allow customers to have their data deleted when requested. Personally, I’m ok with manually doing this… But it’s a headache that, e.g., a ghost-cli cmd would make far easier to do.

1 Like

@Axon - but part of the problem is that not all of the data are in Ghost and are thus beyond the reach of a cli command. I use Cove for comments, Stripe as a payment gateway, and Mailgun. Others are using Zapier or Integromat or Snipcart and/or some combination of included or custom integrations that make automatic deletion of all data, can we charitably agree, impractical?

Given the size of my community (up to 10,000 members of which maybe 20% could be considered active at any time) and how often this happened in more than twelve years (a handful), I am happy to do it manually. I have found the consequences of not being able to control/manage the deletion of data consequential.