Shoppers can request on their account page that their uniquely identifying information in the store be anonymized. Shoppers receive an email confirming the request, and administrators have a page where they can anonymize customer information.
Database Maintenance can now be used to automatically anonymize data after a configurable number of months of inactivity.
NOTE: The Data Retention feature is enabled using Configuration - Settings: DataRetentionPolicies.Enabled. All features discussed below are contingent on this Setting being enabled.
When Data Retention is enabled, a customer's account page will include a Remove Account button. NOTE: This is NOT displayed for admin accounts.
- When clicked it will take the customer to the Remove Account page.
- The Remove Account page displays the removeaccount topic explaining the process of removing their personally identifying information.
- Clicking the Remove button sends an email to the customer acknowledging the request. The Topic removeaccountemail contains the body of this email.
- The requesting customer is then redirected to the Remove Account Confirmation page where Topic removeaccountconfirmation is displayed.
- The administrator honors these customers' requests on the admin Contacts - Data Retention page. The Data Retention page shows a list of customers who have requested to have their personally identifying information removed. Here the admin can anonymize the customer's information by checking the anonymize checkbox and pressing Update. Whether a customer can be anonymized depends on their recent activity (see Anonymization and Removal Applicability below).
NOTE: Once a customer is anonymized, they can no longer sign into the site. If they wish to order again they will have to create a new account, and this account will have no association with their previous account.
Orders are not removed, only anonymized. This allows the financial data to be retained for tax or reporting purposes.
Automatic Purging of Aged User Data
The admin Database Maintenance page includes a checkbox "Purge aged user data" as one of the possible operations. When checked and maintenance is run, aged user data is purged (anonymized) using the following criteria:
- Customers who are registered and active and are NOT admins, and have had no account or order activity for the number of months in the Configuration - Setting DataRetentionPolicies.MonthsBeforeUserDataAnonymized, are anonymized, along with their orders, subject to Anonymization and Removal Applicability (see below).
- Orders that have had no activity for the number of months in the Configuration - Setting DataRetentionPolicies.MonthsBeforeUserDataAnonymized are anonymized, subject to Anonymization and Removal Applicability (see below). NOTE that a customer whose older orders have been anonymized may still have more recent orders that are not anonymized.
For both Customers and Orders, the first and last name, email, and street address are anonymized by being replaced with text from the Content - Manage Prompts (string resource) dataretentionpolicies.replacementtext which contains "Removed to comply with data retention policies." by default.
Any errors in the purging are logged in the Configuration - System Log.
Anonymization and Removal Applicability
Not all customers can be anonymized, and not all orders can be anonymized. For a customer to be anonymized (or a customer's orders anonymized), all of the following criteria must be met:
- No active recurring orders.
- No orders with a transaction state of PENDING or AUTHORIZED.
- No orders that are NOT shipped AND have a transaction state of CAPTURED.
- None of the following activity in the last 7 days: order placed, order authorized, order captured, order refunded, order voided, or order edited.
If any of these blocking conditions is present on the customer's orders, the anonymization will not occur.
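The applicability rules above, modelled as an added example (not the product's own code) so the four blocking conditions and the field replacement can be checked against constructed order data; the Order fields, function names and sample values are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default value of the dataretentionpolicies.replacementtext string resource.
REPLACEMENT_TEXT = "Removed to comply with data retention policies."
BLOCKING_STATES = {"PENDING", "AUTHORIZED"}
RECENT_ACTIVITY_WINDOW = timedelta(days=7)
IDENTIFYING_FIELDS = ("first_name", "last_name", "email", "street_address")


@dataclass
class Order:
    """Constructed stand-in for an order row (field names are assumptions)."""
    transaction_state: str       # PENDING, AUTHORIZED, CAPTURED, REFUNDED or VOIDED
    shipped: bool
    recurring_active: bool
    last_activity: datetime      # latest place/authorize/capture/refund/void/edit
    first_name: str = "Alice"
    last_name: str = "Example"
    email: str = "alice@example.invalid"
    street_address: str = "1 Sample Street"
    total: float = 0.0           # financial data is retained, never overwritten


def anonymization_blockers(orders, now):
    """Return the applicability rules that block anonymization (empty = allowed)."""
    reasons = []
    if any(o.recurring_active for o in orders):
        reasons.append("active recurring order")
    if any(o.transaction_state in BLOCKING_STATES for o in orders):
        reasons.append("order in PENDING or AUTHORIZED state")
    if any(o.transaction_state == "CAPTURED" and not o.shipped for o in orders):
        reasons.append("CAPTURED order not yet shipped")
    if any(now - o.last_activity < RECENT_ACTIVITY_WINDOW for o in orders):
        reasons.append("order activity within the last 7 days")
    return reasons


def anonymize_orders(orders, now):
    """Overwrite identifying fields in place when no blocker applies; never delete rows."""
    blockers = anonymization_blockers(orders, now)
    if blockers:
        return False, blockers
    for o in orders:
        for field_name in IDENTIFYING_FIELDS:
            setattr(o, field_name, REPLACEMENT_TEXT)
    return True, []
```

A single blocking order prevents anonymization of the whole set passed in, which mirrors the per-customer decision on the Data Retention page.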