[For this project, we are using EPiServer Commerce 7.12.0]
Every time a cart is created, an anonymous user is also created in the commerce database (not the CMS database). I'd like to remove the users belonging to since-long deleted unused carts and old purchase orders, i.e. I don't want to remove all users there ("there" being the aspnet_* tables in the commerce database).
Since they are created in the commerce database, I can't use Membership to retrieve them, and CustomerContext.Current.GetAllContacts() only seems to retrieve users/contacts from the CMS database and not the commerce database.
Is there a way of retrieving those users and deleting them?
So far I have about 20 million anonymous users in the commerce database, and I want to delete the ones created more than 180 days ago.
I know I can do it directly in SQL, but I'm wondering if there is a way of doing it in code.
There is no built-in function to delete old users (IIRC you can't even delete users, let alone do it in batch. You can delete contacts, but not users). If your purpose of doing that would be performance, then upgrading to the latest version will yield a much better return on investment.
If you do it for GDPR compliance then it can be much trickier. I'd suggest contacting our developer support for that.
It's not really a problem, but I like to keep a clean system :)
Those 20 million users consume about 11 GB of storage in the database, and it feels a bit wasteful to keep all those anonymous users when they aren't used for anything (users never log in to the commerce part of the site, so there should hopefully not be any personal information connected to those users (the shipping info should only be stored on the cart/purchase order)).
For GDPR purposes, how would you recommend deleting users to keep in line with the right to be forgotten?
I'm not a GDPR expert - far from it - but what I understand is that you can just delete that contact and that should be enough. The orders are "financial contracts" and therefore are exempted from GDPR rules. But again don't take my words for granted.
Thanks a lot. Will investigate a bit further, but it's already a good lead. Have a gr8 Friday!
Financial records are (at least in Sweden and Denmark) regulated by different laws which override GDPR. In Sweden you must keep the financial records for 7 years, and in Denmark 5 years, so you are legally obligated to keep those records for that amount of time.
An important thing a lot of people forget is that they also have to erase personal information from log files, which means that if a customer sends a "Right to be Forgotten", you have to erase their information from log4net (or other logging solution) logs as well.
I use Serilog for most of our logging (logging to a database), and tag each entry with something I can use to find the log entries with (such as an order number, or an e-mail address), and then finding log entries to remove is quite easily done.
Thanks for the extra info, Patrick. Will keep that in mind. Have a good one!
Hi again guys,
UserManager<>.Delete(user) works fine. Contact is successfully deleted from the CMS.
However, I am using CustomerContext.CurrentContact.DeleteCustomerContactOnly(); to delete contact from the commerce db, but nothing seems to happen.
Is there something that I am missing regarding deleting users from commerce?
I would suggest going with DeleteWithAllDependents. It only deletes contact-related information (billing address, etc.). It does not delete the orders associated.
That was the first one I tried. Nothing happened either :/ I suppose I am missing something. Not sure what tho.
It does not delete the users, it deletes the current contact. If you go to this
and the contact disappears then it worked
Yes, I am aware. But contact doesn't disappear from that table :) Maybe I have to log out user after deleting? I know that a user is created in the commerce db upon first login. Maybe if he's still logged in after deletion he is recreated?
Do you have a feature that allows customers to delete their own contact information?
It seems to me this is a cache problem. Does it disappear if you IIS reset? If you actually looked into db then ... is there anything in log?
Yes, I am. Goal is to be in compliance with GDPR right to be forgotten. Do you suggest a different approach?
I can confirm that if I sign out user after deleting it from commerce, it is removed from the commerce db.