[ManBlanket]

I know you wrote this 8 days ago and I dunno if you'll even see my response but deleted has always been a vague term. There are a ton of reasons not to hard-delete data before you arrive at data mining. I know a lot of concerns regarding GDPR and data mining would contend for the hard delete, but a couple people gave you good examples. I just wanted to share one I am looking at right now. Our users have the ability to perform an action over a large set of their own data. Sometimes they do things like deleting relations they didn't realize would have a larger impact. Luckily the code in question doesn't hard-delete the entities, because I just got a ticket today asking if a huge list of IDs could be restored.

I think looking at deletion as the solution to privacy concerns is the wrong way to go about it. Really, the problem is app developers think, "possession is 9/10ths of the law" when it comes to data, when in reality their relationship with the user never captured use of that data for purposes not related to the application. Just because you give your data to the bank when you make an account doesn't mean you consent to them selling it on the dark web. The same concept applies but it is much harder to police and you can even say you're going to misuse the data in the EULAs that nobody reads. In my opinion using user data for purposes unrelated to the application should straight up require explicit consent from every user, lest the seller and recipient be subjected to a fine.