Forget Me If You Can: Auditing User Data Revocation in Recommendation Systems

Zhihao Zhu
Zhihao Zhu
[email protected]
https://orcid.org/0000-0001-5814-1939
Department of Information Systems, Business Statistics and Operations Management (ISOM), Hong Kong University of Science and Technology, Hong Kong
Search for more papers by this author
,
Yi Yang
Corresponding Author
Yi Yang
[email protected]
https://orcid.org/0000-0001-8863-112X
Department of Information Systems, Business Statistics and Operations Management (ISOM), Hong Kong University of Science and Technology, Hong Kong
Search for more papers by this author
,
Yangyang Fan
Yangyang Fan
[email protected]
https://orcid.org/0000-0002-3930-1818
School of Accounting and Finance, Hong Kong Polytechnic University, Hong Kong
Search for more papers by this author
,
Defu Lian
Defu Lian
[email protected]
https://orcid.org/0000-0002-3507-9607
School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui 230026, People’s Republic of China
Search for more papers by this author

Department of Information Systems, Business Statistics and Operations Management (ISOM), Hong Kong University of Science and Technology, Hong Kong

Search for more papers by this author

Yi Yang

Corresponding Author

Yi Yang

[email protected]

https://orcid.org/0000-0001-8863-112X

Department of Information Systems, Business Statistics and Operations Management (ISOM), Hong Kong University of Science and Technology, Hong Kong

Search for more papers by this author

Yangyang Fan

[email protected]

https://orcid.org/0000-0002-3930-1818

School of Accounting and Finance, Hong Kong Polytechnic University, Hong Kong

Search for more papers by this author

Defu Lian

[email protected]

https://orcid.org/0000-0002-3507-9607

School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui 230026, People’s Republic of China

Search for more papers by this author

Published Online:30 Mar 2026https://doi.org/10.1287/isre.2024.1179

Abstract

Recommendation systems have become integral to modern e-commerce and streaming platforms, enhancing user experience through personalized content and product suggestions. Whereas users benefit from personalized recommendations by allowing platforms to leverage their interaction data for model training, regulations such as the General Data Protection Regulation (GDPR) uphold users’ “right to be forgotten,” which permits individuals to request the deletion of their personal data, including interaction histories. Although removing user data from storage systems is relatively straightforward, it is equally critical to eliminate user-specific behavioral patterns from the trained recommendation model. Otherwise, the model may continue to produce recommendations that reflect a user’s past behaviors or preferences, resulting in continued profiling even after a data deletion request. In this work, we address the novel design problem of user data revocation auditing and propose a method, named RecAudit, to examine whether a sequential recommendation system has effectively forgotten, or continues to retain, an individual user’s behavioral data after a deletion request. Extensive experiments on multiple real-world data sets demonstrate that RecAudit substantially outperforms existing auditing and membership inference baselines across a wide range of settings. We also examine auditing performance when machine unlearning, an increasingly practical approach for removing data from trained models, is applied. As an auditing tool, RecAudit can help identify high-risk users whose data have not been properly forgotten, thereby facilitating targeted model unlearning and enhancing overall user privacy preservation. Our study contributes to information systems research by developing a privacy-preserving IT artifact that operationalizes regulatory requirements on data revocation and profiling in learning-based recommender systems.

History: Olivia Liu Sheng, Senior Editor; Huimin Zhao, Associate Editor.

Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2024.1179.

cover image Information Systems Research

Articles In Advance

Article Information

Supplemental Material

Metrics

Information

Received:May 16, 2024
Accepted:February 10, 2026
Published Online:March 30, 2026

Cite as

Zhihao Zhu, Yi Yang, Yangyang Fan, Defu Lian (2026) Forget Me If You Can: Auditing User Data Revocation in Recommendation Systems. Information Systems Research 0(0).

https://doi.org/10.1287/isre.2024.1179

Keywords

PDF download

Available Issues

Available Issues

Available Issues

Available Issues

Available Issues

Forget Me If You Can: Auditing User Data Revocation in Recommendation Systems

Abstract

Articles In Advance

Article Information

Supplemental Material

Metrics

Information

Cite as

Keywords

Sign Up for INFORMS Publications Updates and News