Fact is that private keys which were supposed to be deleted were seized.
I don't think that was written anywhere, and I neither think private keys should be deleted at all. You should never delete a private key.
From their FAQ:
How long do you keep logs?
Your session lasts for 7 days. After that, your session and all its data will be removed. You can also destroy your session before time is up. We keep statistical data ie. how much was donated.
The fact that they destroy the session doesn't mean they destroy private keys. I'm confident that they must have deleted the logs, as they said.
For a mixer, it would probably be better if they did periodically delete private keys. Blockchain analysis can help find most of the addresses associated with CM, but there are likely some it can't find. Deleting private keys will prevent anyone with access to the server from knowing 100% of addresses associated with CM.
With that being said, CM did not promise (to my knowledge) to delete old private keys. But also, I think it is unlikely that CM had 6 TB worth of private keys stored on their servers.