<b>A user demanded I delete their data — do I have to, and how?</b>
Q: Someone invoked their "right to be forgotten." I'm a small affiliate. Do I really have to comply?
A: If the user is covered by GDPR and you hold their personal data, yes — the right to erasure applies regardless of your size. But it isn't absolute, and knowing the limits keeps you compliant without panic.
What you must do:
— Verify the request is genuinely from that person, so you don't hand data to an impostor.
— Delete or anonymize identifiers you hold: stored emails, IPs, click records tied to them.
— Respond within the legal window, generally one month, even if the answer is a partial refusal.
What you can lawfully keep:
— Data you're legally required to retain, such as records needed for a financial or tax obligation.
— Information genuinely necessary to defend an active dispute or chargeback.
The smart setup is knowing where the data even lives — tracker, spreadsheet, network dashboard — before a request lands. You can't delete what you can't find.
Short version: yes, you comply, but you may keep what law or an active dispute requires. Verify the requester, act within a month, document it.
Still stuck? Drop your case in the comments.
Clean Traffic Desk
@CleanTrafficDesk
<b>A user demanded I delete their data — do I have to, and how?</b>
Этот пост опубликован в Telegram-канале Clean Traffic Desk. Подписаться можно по ссылке: @CleanTrafficDesk.