The right to erasure (also called the right to be forgotten) is the GDPR provision (Article 17) that lets EU residents request deletion of their personal data held by data controllers under specified conditions. Established in EU law by the 2014 CJEU Google Spain ruling and codified in the 2018 GDPR. Supplemented by California CCPA right-to-delete, Brazilian LGPD equivalent, and the broader spread of comparable rights through US state-level laws (Virginia, Colorado, Connecticut, Utah, others by 2026).
What it means in practice
The mechanic of a deletion request: the data subject submits a request to the data controller (the company holding the data), the controller has 30 days to respond (extendable to 90 in complex cases), the response is either compliance (data deleted), partial compliance (some data deleted, some retained for legitimate-basis reasons), or refusal (with documented basis). The legitimate-basis exemptions are significant: legal-obligation retention (financial records held for tax purposes, regulatory records held under industry rules), public-interest journalism and research, freedom of expression, public-health purposes, and the broader category of “necessary for the performance of a contract.” The operational reality: the right is real and enforceable through Data Protection Authority complaints when ignored, but the exemptions narrow the practical reach for the categories most users want deleted.
Where it shows up
Operationally relevant for: EU residents seeking deletion of personal data from social-media platforms, search engines (the original Google Spain ruling concerned search-result delisting), data brokers (the right reaches the wholesale layer that consumer-facing brokers depend on), advertising-data aggregators, and the broader category of any data controller whose retention extends beyond the legal basis. The non-EU equivalents (CCPA in California with a $25M revenue threshold for application, the spreading state-level laws through 2026) provide similar rights with varying scope and exemptions. For data brokers specifically: GDPR-based deletion requests have driven significant changes in EU operations, with some US-only brokers refusing service to EU residents to avoid the compliance burden; the resulting market split is informative about the cost of meaningful deletion.
What you can change today
Three actions for EU residents (and partial actions for US residents in covered states). First, identify the data controllers holding meaningful personal data about you: search-engine results (Google, Bing), social-media platforms, data brokers (Spokeo, Whitepages, BeenVerified, LexisNexis-equivalent for the FCRA-non-covered subset), and the long tail of services you have accounts with. Second, file deletion requests through each controller’s privacy portal (most maintain GDPR-specific request flows; for those that do not, a written request to the privacy or legal contact with the GDPR Article 17 reference is the standard approach). Third, follow up on non-response or refusal: the EU Data Protection Authority complaint mechanism is the enforcement layer, and complaints are taken seriously by major DPAs (Ireland, France, Germany lead the enforcement activity). For US residents in covered states, the equivalent state-AG complaint mechanisms apply with similar-but-narrower force.