Direct Answer: The right to be forgottenformally called the right to erasure lets you ask companies to delete your personal data. In the EU, it’s a legal right under GDPR Article 17. In California, the CCPA gives residents a similar right to delete. Companies must respond within 30 days (EU) or 45 days (California) once they receive a valid request.
The right to be forgotten how to request data deletion is one of the most common privacy questions online. You Google your own name and find an old forum post, a data broker listing with your home address, or an outdated article that no longer reflects who you are. Can you actually force a company to erase it? The answer depends on where you live. Here’s what the law says across the EU, US, and UK.
The Short Version
- Under GDPR (EU and UK), individuals can request that any company delete their personal data and the company must comply within one month unless an exception applies.
- In California, the CCPA gives residents the right to request deletion from businesses, and the new Delete Act (as of 2026) lets you send one request to all registered data brokers at once.
- Google has removal tools that let you ask for personal information to be taken out of search results though the data stays on the source website.
- The right is not absolute. Companies can refuse if the data is needed for legal claims, public health, journalism, or compliance.
What the Right to Be Forgotten Actually Means Under the Law
The phrase sounds dramatic, but the legal reality is more specific than the name suggests.
In the European Union
The right to be forgotten is codified in Article 17 of the GDPR (General Data Protection Regulation, 2018). It gives individuals the right to ask any data controller the company or organization that decides how your personal data is used to erase that data “without undue delay.”
Under EU law, a company must delete your data when: the data is no longer needed for its original purpose, you withdraw consent, you object and the company has no overriding reason to continue, the data was processed unlawfully, deletion is required by law, or the data was collected from a child for an online service.
The company must respond within one calendar month. If the request is complex, they can extend by two more months ut they must tell you why.
If the company shared your data with others, it must also notify those organizations about the erasure request. This is the cascade obligation under Article 17(2).
The right is not absolute. Companies can refuse when the data is needed for freedom of expression, legal obligations, public health, archiving or research in the public interest, or defending legal claims.
In the United Kingdom
The UK has its own version the UK GDPR which mirrors the EU version almost identically. The same Article 17 applies, with the same grounds, the same one-month response window, and the same exceptions. The Information Commissioner’s Office (ICO) is the regulator that handles complaints if a company ignores or refuses your request.
In the United States
There is no federal “right to be forgotten” in the US. But several states have passed privacy laws that include a right to delete.
The most significant is California’s CCPA (California Consumer Privacy Act, 2018, amended by CPRA in 2020). California residents can request that covered businesses delete personal information collected from them. Businesses have 45 calendar days to respond.
As of 2026, California’s Delete Act (SB 362) adds a centralized platform called DROP the Delete Request and Opt-out Platform. California residents can submit one request, and every registered data broker must process that deletion. Starting August 1, 2026, data brokers must check the platform at least every 45 days.
Google Removal ≠ Full Deletion
Google offers its “Results about you” tool, which lets you request removal of search results containing your phone number, email, home address, or government IDs. As of February 2026, Google expanded this tool to cover more types of sensitive data.
But removing a result from Google does not delete the data from the original website. It can still appear on other search engines or if someone visits the site directly. Google’s tool is one piece of the puzzle not the whole picture.
Real-World Examples
The Old Social Media Profile
Sarah closed her Instagram account years ago, but a data broker site still lists her old email and location. Under GDPR, Sarah can send an erasure request. Since the data is no longer necessary and she never consented to the broker collecting it, they must delete it within 30 days.
The Outdated News Article
James was arrested but never charged. The article still shows up on Google. Under EU law, James may have grounds to request de-indexing asking Google to remove the link from search results. The European Court of Justice recognized this in the landmark Google Spain case (2014). In the US, James would have fewer options most news articles are protected by the First Amendment.
The Data Broker Listing
A California resident finds her name, phone number, and home address on a data broker site. Under the CCPA, she can submit a deletion request directly. In 2026, she can also use California’s DROP platform to send a single request covering all registered data brokers at once.
What People in This Situation Typically Do
- Start with a search. Google your own name including variations with your city, employer, or old email addresses to see what’s out there.
- Identify the data controller. Figure out which company or website holds the data you want deleted.
- Find the privacy contact. Most websites have a privacy policy with a contact email or data request form. In the EU, companies must have a Data Protection Officer (DPO) or a contact point for privacy requests.
- Submit a written request. No special legal language is needed. A clear email stating “I am requesting deletion of my personal data under [GDPR Article 17 / CCPA Section 1798.105]” works. Include your name, the specific data, and how they can verify your identity.
- Track the deadline. GDPR gives companies one month. CCPA gives 45 days.
- Follow up or escalate. If the company ignores you or refuses without a valid reason, file a complaint with your national Data Protection Authority (EU), the ICO (UK), or the CPPA (California).
- Use Google’s removal tools separately. Ask Google to remove search results containing your contact details or government IDs through the “Results about you” feature.
Tools That Can Help
If you’re dealing with dozens of data brokers, doing it manually can take hours. Some paid services handle the removal process on your behalf:
- Incogni Sends removal requests to data brokers on your behalf and monitors for re-listing across US and European databases.
- DeleteMe Searches for your information across major data broker sites, submits opt-out requests, and sends regular reports on what was removed.
These tools automate the process but official, free options always come first. Google’s “Results about you” tool, California’s DROP platform, and direct requests under GDPR or CCPA cost nothing.
Related Articles
- What Is GDPR and Why Should You Care?
- Can Companies Legally Sell Your Personal Data?
- Cookie Consent Laws What Websites Must Tell You (2026)
Frequently Asked Questions
What is a data broker and how do they get my information?
A data broker is a company that collects personal information names, addresses, phone numbers, purchasing habits rom public records, social media, and other sources. They sell this data to other businesses for marketing, background checks, or risk assessment. Most people don’t know a data broker has their information until they search for themselves online.
Is it free to opt out of data brokers?
Yes. Under both GDPR and CCPA, submitting a deletion request is free. Companies cannot charge a fee. California’s DROP platform is also free. Paid services like Incogni and DeleteMe charge a subscription to handle the process on your behalf, but the underlying legal right costs nothing.
How many data brokers have my information?
Privacy researchers suggest the average US adult has data on 100 to 200+ broker sites. California’s data broker registry lists hundreds of registered brokers, and many more operate without registering.
Does opting out of data brokers actually work?
It works, but it’s not always permanent. Brokers often re-collect information from public sources, so your data can reappear. This is why many people use ongoing removal services or re-submit requests periodically. California’s Delete Act addresses this by requiring brokers to keep deleting new data they collect about you after your initial request.
The right to be forgotten how to request deletion is more than a legal concept it’s a practical tool millions of people use to take back control of their personal information. Whether you’re in the EU, the UK, or California, the law gives you a path to ask for deletion. It starts with a single request.
This article is for educational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change frequently. For advice specific to your situation, consult a qualified attorney.
Sources & Further Reading
- Article 17 Right to Erasure, EUR-Lex Full text of GDPR Article 17.
- Right to Erasure ICO Guidance UK ICO guide to erasure rights under UK GDPR.
- CCPA FAQ California Privacy Protection Agency Official CPPA overview of consumer rights including the right to delete.
- California Delete Act Regulations CPPA Official announcement of Delete Act regulations and DROP.
- Google Search Remove Personal Information Google’s help page for requesting removal of personal data from Search.