CCPA Member Deletion
The RSA Platform supports California Consumer Privacy Act (CCPA) right-to-deletion via the Shopper API. Members can request deletion of their personal data directly from the shopper app.
Self-Serve Deletion
DELETE /api/v1/members/me

```bash
curl -X DELETE "http://localhost:5001/api/v1/members/me" \
  -H "Authorization: Bearer SHOPPER_JWT"
```
Response (204 No Content) — deletion queued.
This operation is irreversible. The member's account, profile, and personal data are permanently deleted.
What Is Deleted
| Data | Outcome |
|---|---|
| Member profile (name, email, phone) | Deleted |
| Notification preferences | Deleted |
| Consent records | Deleted |
| Campaign enrollments | Deleted |
| Redis cache entries | Immediately invalidated |
| Loyalty transaction ledger | Retained (immutable, required for financial audit) |
| Basket transaction records | Retained (anonymized, required for financial reconciliation) |
Post-Deletion Behavior
After deletion, any active JWT for the deleted member will return 401 Unauthorized on subsequent requests. The `sub` claim is invalidated in the Identity database.
Tenant Responsibility
As a tenant, you are responsible for:
- Providing a deletion request flow in your shopper app
- Processing deletion requests within the CCPA-required timeframe (45 days)
- Notifying users of the outcome
The RSA Platform handles the technical deletion upon receiving the API call. The tenant remains responsible for any downstream data copies (data warehouse exports, email marketing lists, etc.).
Testing Deletion
In development, create a test member, exercise the delete endpoint, and confirm:
- `GET /api/v1/members/me` returns 401 with the deleted member's token
- The member does not appear in Admin API user lists
- Loyalty transactions still exist but the `member_id` foreign key is nullified
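The retention outcomes from the "What Is Deleted" table and the checks from "Testing Deletion", modelled together as an added example on an in-memory SQLite schema; this is not the platform's own code, and the table and column names, member id 7 and seed rows are constructed assumptions.

```python
import sqlite3

# Constructed model of the "What Is Deleted" outcomes; table and column names are
# assumptions, not the platform's real schema. Seed rows are constructed test data.
SCHEMA_AND_SEED = """
CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
CREATE TABLE consents (member_id INTEGER REFERENCES members(id) ON DELETE CASCADE, purpose TEXT);
CREATE TABLE loyalty_ledger (id INTEGER PRIMARY KEY, points INTEGER, member_id INTEGER REFERENCES members(id) ON DELETE SET NULL);
CREATE TABLE basket_tx (id INTEGER PRIMARY KEY, total_cents INTEGER, email TEXT, member_id INTEGER REFERENCES members(id) ON DELETE SET NULL);
INSERT INTO members VALUES (7, 'Ada', 'ada@example.com', '555-0100');
INSERT INTO consents VALUES (7, 'marketing');
INSERT INTO loyalty_ledger VALUES (1, 120, 7), (2, -40, 7);
INSERT INTO basket_tx VALUES (1, 2599, 'ada@example.com', 7);
"""

def seed_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores ON DELETE actions without this
    db.executescript(SCHEMA_AND_SEED)
    return db

def delete_member(db, cache, member_id):
    """Clear PII on retained basket rows, delete the member row (FK actions cascade
    consents and nullify member_id on the retained ledgers), then evict the cache."""
    with db:
        db.execute("UPDATE basket_tx SET email = NULL WHERE member_id = ?", (member_id,))
        db.execute("DELETE FROM members WHERE id = ?", (member_id,))
    cache.pop(f"member:{member_id}", None)  # Redis-style immediate invalidation

def status_for_token(db, claims):
    """A still-valid JWT whose sub no longer exists in the member table gets 401."""
    return 200 if db.execute("SELECT 1 FROM members WHERE id = ?", (claims["sub"],)).fetchone() else 401

def verify_deletion(db, cache, member_id, ledger_rows_before):
    """The 'Testing Deletion' checks plus the retention outcomes, as booleans."""
    def count(sql, *args):
        return db.execute(sql, args).fetchone()[0]
    return {
        "me_returns_401": status_for_token(db, {"sub": member_id}) == 401,
        "not_in_member_list": count("SELECT COUNT(*) FROM members WHERE id = ?", member_id) == 0,
        "consents_gone": count("SELECT COUNT(*) FROM consents WHERE member_id = ?", member_id) == 0,
        "cache_evicted": f"member:{member_id}" not in cache,
        # ledger rows survive unchanged in number, but no longer reference the member
        "ledger_retained": count("SELECT COUNT(*) FROM loyalty_ledger") == ledger_rows_before
        and count("SELECT COUNT(*) FROM loyalty_ledger WHERE member_id = ?", member_id) == 0,
        # basket records survive with the PII column cleared and the FK nullified
        "baskets_anonymized": count("SELECT COUNT(*) FROM basket_tx WHERE email IS NOT NULL OR member_id = ?", member_id) == 0,
    }
```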