There's some policies that can make it impossible for a user to delete their account (DeviceShowUserNamesOnSignin, MinimumRequiredChromeVersion, DeviceUserWhitelist). We should come up with ways in which users can retain the ability to delete their account.

Context: https://groups.google.com/a/google.com/d/topic/chromeos-privacy/1Cbn414-SBY/discussion

> there will be many ways for admin restrictions to prevent the deletion of user data (put the device in lost-and-stolen mode, hide the pods as you suggest, put the device in auto-start-public-session mode, etc).

If a device is marked as lost-or-stolen there's probably a reason for it and blocking deletion in that case seems reasonable. I'm mostly concerned about the admin (unintentionally) blocking deletion as a side-effect of another action (e.g. hiding user pods).

> Is the option for the user to do a stateful clear sufficient as a fallback, so we don't have to go through all of these features now and in the future to build some kind of "delete my data" escape hatch?

I wouldn't consider wiping the device a reasonable alternative because this clears the state of *all* users on the device. I'd expect that the collateral damage could be a significant deterrent to that.

I don't think that we need to go through all existing features individually, it's probably sufficient to treat two cases:
a) the pod of a specific user is hidden from the login screen
b) the login screen itself is hidden

Let's get together after Easter and brainstorm potential solutions. Cc'ing Christian since he might be interested in integrating account deletion into Clear Browsing Data.