They might like to, but you should definitely consider if saving data no longer required for your business violates privacy regulation/ethical considerations.
Definitely. When a user "deletes" their account, we null out all identifying fields to "DELETED_PII_$user_id". We have running metrics we compute that would go off the rails if we dropped the row completely.