The right to be forgotten gives you the power to demand that companies erase your personal data. Originally a European legal concept, it has evolved into one of the most important privacy rights of the digital age, and its influence is now being felt in the United States through a growing wave of state privacy laws.
What Is the Right to Be Forgotten?
The right to be forgotten, also known as the right to erasure, is a legal principle that allows individuals to request that organizations delete their personal data. The concept gained global attention in 2014 when the Court of Justice of the European Union ruled that individuals could ask search engines to remove links to outdated or irrelevant information about them.
Today, this right is formally codified in Article 17 of the General Data Protection Regulation (GDPR), which applies across the European Union and the European Economic Area. Under the GDPR, you can request erasure of your personal data when:
- The data is no longer necessary for the purpose it was originally collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing for direct marketing purposes
- Your data has been unlawfully processed
- The data was collected when you were a child for an online service
Once a valid request is received, organizations must erase the data "without undue delay," which regulators have interpreted as roughly one month. They must also take reasonable steps to inform third parties that have received the data about the erasure request.
Key Distinction
The right to be forgotten does not mean all traces of you disappear from the internet. Removing a link from search results, for example, does not delete the underlying webpage. Anyone with the direct URL can still access it. True data deletion requires the source organization to erase the data from their systems entirely.
When Organizations Can Refuse
The right to erasure is not absolute. Under the GDPR, organizations can refuse a deletion request if the data is needed for:
- Freedom of expression and information: Journalism, academic work, and artistic expression are protected
- Legal obligations: Data required by law to be retained cannot be erased
- Public health interests: Data necessary for public health research or monitoring
- Scientific, historical, or statistical research: When deletion would seriously impair the research
- Legal claims: Data needed for establishing, exercising, or defending legal claims
The Right to Delete in the United States
The United States does not have a federal equivalent to the GDPR, and courts have ruled that the European-style right to be forgotten conflicts with First Amendment protections. However, the landscape is changing rapidly at the state level.
As of 2026, 20 states have enacted comprehensive consumer privacy laws that include some form of deletion right. These include California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Indiana, Kentucky, and Rhode Island all had their laws take effect on January 1, 2026.
Most of these state laws grant consumers the right to:
- Request access to the personal data a company holds about them
- Request deletion of that personal data
- Opt out of the sale of their personal data
- Opt out of targeted advertising
California Leads the Way
California has gone further than any other state with the California Delete Act (SB 362), which created a revolutionary centralized deletion system. The law established the Delete Request and Opt-Out Platform (DROP), operated by the California Privacy Protection Agency, which opened to consumers on January 1, 2026.
DROP allows California residents to submit a single deletion request that applies to all 500+ registered data brokers in the state. Starting August 1, 2026, data brokers must check the platform at least every 45 days and process deletion requests within 90 days. Failure to comply can result in penalties of $200 per request per day.
Important Limitation
State deletion rights typically only apply to data a company has collected directly from you. They do not cover data that data brokers have aggregated from public records, purchased from third parties, or scraped from the web. This is why proactive data removal from broker sites is essential, as exercising your deletion rights with one company does not stop others from collecting and selling your information.
GDPR vs. US State Laws: Key Differences
Understanding the differences between European and American approaches helps clarify your rights:
- Scope: The GDPR applies to all organizations handling EU residents' data, regardless of where the company is based. US state laws only apply within their respective states.
- Data sources: The GDPR covers data from any source. The CCPA initially only covered data collected directly from consumers, though the Delete Act has expanded protections against data brokers.
- Enforcement: GDPR violations can result in fines of up to 4% of annual global revenue. US state laws typically cap penalties at $7,500 to $10,000 per violation and are enforced exclusively by state attorneys general.
- Exemptions: The CCPA provides nine exemptions to deletion requests, while the GDPR limits refusals to five specific conditions.
How to Exercise Your Right to Deletion
Here are practical steps you can take to exercise your data deletion rights:
- Identify who has your data: Search for yourself on people-search sites, review your online accounts, and check data broker databases
- Submit formal requests: Send deletion requests to each company individually, citing the applicable law (GDPR, CCPA, or your state's privacy statute)
- Document everything: Keep records of every request, including dates, confirmation numbers, and responses
- Follow up: Companies must respond within legally mandated timeframes, typically 30 to 45 days
- Escalate if necessary: File complaints with the relevant regulatory body if a company fails to comply
The Challenge of Manual Deletion
While the legal right to request data deletion is powerful in theory, exercising it effectively is a different story. With over 100 data broker sites holding your personal information, submitting individual requests to each one is an exhausting process. Worse, many brokers re-add your information within months, requiring continuous monitoring and repeat requests.
This is where a service like PrivacyOn becomes invaluable. Rather than spending dozens of hours navigating different opt-out processes, PrivacyOn handles removal requests across 100+ data broker sites on your behalf. With 24/7 monitoring, your data stays removed even when brokers attempt to re-list it. Family plans covering up to five people start at just $8.33 per month, making comprehensive privacy protection accessible.
Looking Ahead
The right to be forgotten continues to expand globally. More US states are expected to pass comprehensive privacy legislation in the coming years, and the success of California's DROP platform may inspire similar centralized deletion systems elsewhere. In the meantime, exercising your existing rights, combined with proactive data removal, remains the most effective strategy for taking control of your digital footprint.