Actually, we already have purge member. Perhaps a tick box (option whether it's ticked by default) that sends a request to the admin upon account deletion (would of course have to be communicated through email). Uses tickets system if implemented to ensure security (can verify the email of the member), else sends a regular email.

For regular email, from site email, to staff email, reply to member email. Always CC to the member.

Staff option:
* Never auto-delete user data on deletion
* Ask user via (above) tick box
* Always delete user data (not recommended because staff would have to customize the hooks to make absolutely sure it is what they want)

Also moved member deleting into a task as it should ideally run in the task queue. But I added protections...

e.g. when a member requests to have their account deleted, it is put in the task queue, however:
* Their session is invalidated (logged out)
* Their password compat scheme is changed to "pending_deletion" which will prevent them from logging in while the account is pending deletion
* The password compat scheme will also trigger member does not exist when others try to view their profile

I don't really understand this one. Are we saying that if a new tickbox is checked, account deletion is paused pending staff doing a manual purge (that they sanity check), but otherwise the account is auto-deleted with data otherwise being left intact?

No,

When a member requests their account to be deleted, it's all automatic. The new process is as follows:
* Their session is invalidated, and their password scheme is changed to a special one indicating it is pending deletion (so they cannot log in again even if it hasn't yet been actualised... and so no one can view their profile). The actual deletion is added to the task queue because it can be a resource-intensive operation depending on how much content there is to delete.
* On the delete page, they are also asked if they want their data to be purged as well. If ticked, a purge operation is also performed on their content in the queued task (before the member is actually deleted). It uses the default actions as specified in the privacy hooks.

Ok, I think maybe we need to have a staff notification for an account being deleted (if it does not already exist). And if the new option is "Never auto-delete user data on deletion", provide a link to do a purge manually.

I can do that