Severity: medium | CWE-16

No Account Deletion

Not offering account deletion violates GDPR's right to erasure and CCPA's right to delete — and is a significant privacy red flag for users.

How It Works

GDPR Article 17 gives EU users the right to request deletion of their personal data. CCPA gives California users the same right. If your app collects any personal data and doesn't provide a way for users to delete their account and associated data, you're in violation of the law in most major markets.

Vulnerable Code

// BAD: no account deletion option in settings
// Settings page has no delete account button
// No API endpoint for account deletion
// Users must email support to request deletion (often ignored)

Secure Code

// GOOD: self-service account deletion with data erasure
// `requireAuth` and `db` are the app's own helpers (names assumed here);
// requireAuth rejects unauthenticated requests, so only the account owner gets this far
export async function DELETE(req: Request) {
  const { userId } = await requireAuth(req);
  // Delete in order: user content, then sessions, then the user record, so a
  // failure part-way leaves a retryable account rather than orphaned rows
  await db.userPosts.deleteMany({ userId });
  await db.userSessions.deleteMany({ userId });
  await db.users.delete({ id: userId });
  // Also: request deletion from third-party services (Stripe customer, etc.)
  return Response.json({ deleted: true });
}

Real-World Example

Multiple companies have been fined under GDPR for not providing accessible account deletion. British Airways was investigated for making deletion requests difficult. Users can file GDPR complaints that trigger regulatory investigations costing far more than building the feature.

How to Prevent It

  • Add a 'Delete Account' option in account settings that actually deletes the user's data
  • Cascade delete all user-associated records — don't just mark the account as inactive
  • Also request deletion from third-party services that have the user's data (Stripe, email providers)
  • Implement a 30-day grace period with a cancellation link before final deletion
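The four points above combined into one flow, as an added example rather than code from the page or from Data Hogo: an in-memory Store stands in for the page's db, the 30-day grace period is enforced with an unguessable cancellation token, and an assumed eraseThirdParty callback is where the Stripe-style erasure request would go.

```typescript
import { randomBytes } from "node:crypto";

// Added example (not the page's code): self-service deletion with a grace period.
// The in-memory Store stands in for the page's `db`; posts and sessions map their
// own id to the owning userId. Swap in real tables in production.
export const GRACE_MS = 30 * 24 * 60 * 60 * 1000; // 30-day grace period
type User = { id: string; deleteAt?: number; cancelToken?: string };
export type Store = { users: Map<string, User>; posts: Map<string, string>; sessions: Map<string, string> };
export function makeStore(): Store {
  return { users: new Map(), posts: new Map(), sessions: new Map() };
}

// Step 1: user clicks "Delete Account". Sessions are revoked at once so the account
// is unusable, but data is kept until the grace period has elapsed. Returns the
// unguessable cancel token to put in the confirmation e-mail link.
export function requestDeletion(store: Store, userId: string, now: number): string {
  const user = store.users.get(userId);
  if (!user) throw new Error("unknown user");
  user.deleteAt = now + GRACE_MS;
  user.cancelToken = randomBytes(32).toString("hex");
  for (const [sid, uid] of store.sessions) if (uid === userId) store.sessions.delete(sid);
  return user.cancelToken;
}

// Step 2 (optional): the cancellation link. Only honoured while the grace period runs.
export function cancelDeletion(store: Store, token: string, now: number): boolean {
  for (const user of store.users.values()) {
    if (user.cancelToken === token && user.deleteAt !== undefined && now < user.deleteAt) {
      delete user.deleteAt;
      delete user.cancelToken;
      return true;
    }
  }
  return false;
}

// Step 3: scheduled job. Hard-deletes every account whose grace period is over,
// cascading through content and sessions and calling the third-party erasure hook
// (assumed callback; e.g. delete the Stripe customer, log failures for retry).
export function purgeDue(store: Store, now: number, eraseThirdParty: (userId: string) => void): string[] {
  const purged: string[] = [];
  for (const user of [...store.users.values()]) {
    if (user.deleteAt === undefined || user.deleteAt > now) continue;
    for (const [pid, uid] of store.posts) if (uid === user.id) store.posts.delete(pid);
    for (const [sid, uid] of store.sessions) if (uid === user.id) store.sessions.delete(sid);
    eraseThirdParty(user.id);
    store.users.delete(user.id);
    purged.push(user.id);
  }
  return purged;
}
```

Run purgeDue from a daily job; the account is unusable from the moment of the request, but nothing is irreversibly erased until the grace period has passed.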

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
