The Right to Be Forgotten: Can You Actually Get Companies to Delete Your Data?

The Short Answer

The right to be forgotten — officially GDPR Article 17, the "right to erasure" — lets individuals in the EU demand that companies delete their personal data. When it works, it means a company must erase your information from their systems, stop processing it, and in some cases, tell other companies they've shared it with to delete it too. In practice, the right is real but messy. Companies comply at different speeds, with different levels of thoroughness, and with plenty of exceptions they're happy to hide behind.

If you're in the United States, you don't have an equivalent federal right — but state laws like the CCPA are starting to close the gap.

Where This Right Comes From

The right to be forgotten entered mainstream consciousness in 2014 when the European Court of Justice ruled in *Google Spain v. AEPD* that individuals could request the removal of search results linked to their name. Google was forced to create a process for Europeans to request delisting of specific URLs from search results.

GDPR, which took effect in May 2018, codified and expanded this into Article 17. It gives EU residents the right to request erasure of their personal data when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent and there's no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data was processed unlawfully
• The data must be erased to comply with a legal obligation
• The data was collected from a minor

This isn't just about search results anymore. It applies to any personal data any company holds about you.

How It Works in Practice

The process typically looks like this:

1. **You submit a deletion request** through the company's privacy portal or by contacting their Data Protection Officer.
2. **The company has one month** to respond (extendable to three months for complex requests).
3. **They either comply** and delete your data, or **they refuse** and explain which legal exception applies.
4. **If they've shared your data** with third parties, they must "take reasonable steps" to inform those parties of the deletion request.

Sounds straightforward. The reality is more complicated.

How Major Companies Handle Deletion Requests

Google **Google** has processed millions of delisting requests since 2014 and has a dedicated form for URL removal requests. For account data deletion, you can use Google's "Delete your account" tools or request specific data removal. But here's the catch: Google maintains multiple justifications for retaining data, including "legitimate interest" and legal compliance. Deleting your Google account doesn't guarantee all data associated with you is purged from their systems — analytics data, ad profiles, and data shared with partners may persist in various forms.

Facebook / Instagram **Facebook** and **Instagram** (both Meta) offer account deletion tools and data download options. Meta says full deletion can take up to 90 days after your request, during which time some data may remain in backup systems. The question of whether Meta truly deletes everything — versus just making it inaccessible to you — has been raised by privacy researchers. Meta's internal data infrastructure is so complex that complete erasure is genuinely challenging, which isn't an excuse but is a reality.

LinkedIn **LinkedIn** allows account closure and data deletion requests. However, some data may be retained for legal compliance, and content you've shared publicly (posts, comments) may remain visible even after your account is deleted if it was indexed by search engines or shared by other users. LinkedIn's privacy policy notes that they retain some data even after deletion "as required or permitted by law."

X (Twitter) After account deactivation, **X** says data is deleted after 30 days. But the platform has faced criticism for retaining data longer than stated and for the opacity of its deletion processes, particularly since the platform's ownership change. Privacy advocates have questioned whether X's reduced trust and safety teams have the capacity to handle GDPR deletion requests properly.

The Exceptions Companies Love

The right to erasure isn't absolute, and companies know every exception by heart:

• **Freedom of expression and information** — Companies can refuse deletion if the data is being used for journalistic, academic, or artistic purposes.
• **Legal obligations** — If law requires them to keep data (tax records, financial transactions), deletion can be refused.
• **Public interest** — Data processed for public health, research, or archiving in the public interest can be retained.
• **Legal claims** — If data is needed for establishing, exercising, or defending legal claims, it stays.
• **Legitimate interest** — The vaguest and most abused exception. Companies claim a "legitimate interest" in retaining data, and the burden shifts to you to prove otherwise.

These exceptions are necessary in principle but abused in practice. "Legitimate interest" has become a catch-all for companies that simply don't want to delete profitable data.

What About the United States?

There is no federal right to be forgotten in the U.S. However, state-level privacy laws are creating a patchwork of deletion rights:

• **California (CCPA/CPRA)**: Gives California residents the right to request deletion of personal information collected by businesses. Companies must comply within 45 days. However, exceptions are broader than GDPR, and enforcement has been inconsistent.
• **Virginia, Colorado, Connecticut, and others**: Multiple states have passed consumer privacy laws with deletion rights, though enforcement mechanisms vary.
• **No federal law**: Despite years of discussion, the U.S. has not passed a comprehensive federal privacy law. The American Data Privacy and Protection Act has been proposed but not enacted.

For Americans, the practical reality is that your deletion rights depend on where you live, and companies often apply the most permissive standard rather than the most protective one.

The Practical Limits

Even when companies comply in good faith, true deletion is harder than it sounds:

• **Backups**: Your data may exist in backup systems that aren't immediately purged.
• **Third-party sharing**: Data already shared with partners, advertisers, or data brokers is often beyond the original company's ability to recall.
• **Derived data**: Even if your raw data is deleted, insights derived from it (ad profiles, behavioral models, aggregated statistics) may persist.
• **Cached content**: Search engine caches, web archives, and screenshots can preserve information indefinitely.

The right to be forgotten is better understood as the right to make it significantly harder to find your data — not the right to make it vanish from existence.

What You Can Do

1. **Exercise your rights now.** If you're in the EU, use GDPR Article 17. If you're in California, use CCPA. Don't wait. Companies are required to respond, and they do — even if imperfectly.
2. **Use each platform's privacy dashboard.** Google, Facebook, Instagram, and LinkedIn all have data download and deletion tools. Start with the platforms that have the most of your data.
3. **Follow up.** If a company doesn't respond within the legal timeframe (one month for GDPR, 45 days for CCPA), file a complaint with the relevant supervisory authority. This is how enforcement happens.
4. **Request your data first.** Before requesting deletion, download everything the company has on you. You'll want to know what existed, and you may need it as evidence if the deletion is incomplete.
5. **Check FinePrint's grades** on data deletion practices. We evaluate how easy companies make it to request deletion and how thoroughly they comply.
6. **Use data removal services** for data brokers. Companies like your data being everywhere; services that submit deletion requests on your behalf can help reduce your exposure across the data broker ecosystem.