Answer: More and more of the time!
If you have to comply with one of the growing number of state and country privacy laws, then a deletion request is much more than a request or hitting the delete key.
While some of the details of each state’s law is different, the basics are the same. Consumers have the right to have their personal data deleted from a company’s systems – most of the time.
Some state laws require you – by law – to only store data that is necessary. But how do you know how long that is? Just because someone contacted your company for information five years ago does not mean that it is still necessary five years later.
Some regulations require that you keep data, even if a consumer asks you to delete it. But you have to explain why your can’t honor their request.
It might be smart to categorize data and document how long you are going to keep it and why.
If you do create such a map then you need to actually comply with it.
Some states require you to provide a consumer clear notice of what data you are collecting and why, how long you plan to store it or if that is not possible, then what your criteria are for determining when it is no longer needed.
My guess is that “we keep data as long as necessary” is probably not going to fly in court.
What happens if you delete data and then, some time later, have to do a restore from backups? Is that data still deleted?
What if you put the data in the (virtual) trash and you are hacked. Can the hacker get the so-called deleted data?
Many states have a carve out for data that is protected by HIPAA or GLBA.
This is DIFFERENT than saying that if your company has to comply with HIPAA or GLBA then you get a free pass. Very different.
This is probably the point where you talk to your privacy attorney and figure out what you have to do, create policies and train people on them.
Oh, yeah, really important. You know those stashes of data that your sales people love to collect on those free, consumer grade cloud storage systems? Yes, those are covered too.