The right to be forgotten is the GDPR right for individuals to ask an organization to delete their personal data. Set out in Article 17, it is also called the right to erasure. It applies only in specific situations and is not absolute.
Below: the six grounds for a valid request, the exceptions that let a company refuse, and the one-month response deadline. Also covered: how to make a request, and how the right compares to a DSAR and to US state law.
What Is the Right to Be Forgotten?
The right to be forgotten is the right, under Article 17 of the GDPR, for individuals to ask an organization to delete their personal data. Also called the right to erasure, it applies in specific situations and is not absolute.
"The right to be forgotten" is the popular name. "The right to erasure" is the formal term the General Data Protection Regulation itself uses in Article 17. Both refer to the same right, and most sources use the two interchangeably.
The right is a qualified one, not a guarantee. It is "very situational and not a blanket right," as one privacy forum commenter summarized it after walking through how the right works in practice. You can withdraw your consent and force deletion of data held on that basis. You cannot force a company to erase records it is legally required to keep, such as tax or contract documentation.
A data controller, the organization that decides why and how personal data is processed, must act on a valid erasure request. A data subject, the individual the data is about, is the one who holds the right.
Where Does the Right to Be Forgotten Come From?
The right to be forgotten traces to a May 13, 2014, ruling by the Court of Justice of the European Union (CJEU). The case is Google Spain SL v AEPD and Mario Costeja González. The GDPR codified the right as Article 17 four years later, in 2018.
The case began in 1998, when a Spanish newspaper published a notice about a forced property sale. The notice was tied to Mario Costeja González's unpaid social security debts. By 2009, searching his name on Google still surfaced that decade-old notice. Costeja argued the matter was long resolved and no longer relevant. The CJEU agreed. Search engines can be required to delist links to information that has become "inadequate, irrelevant or no longer relevant or excessive". That standard depends on how much time has passed.
That ruling only covered search-engine delisting. Article 17 later broadened the concept into a general right to request erasure from any data controller, not just search engines.
When Can You Request Erasure? (The 6 Grounds Under Article 17)
Article 17(1) of the GDPR sets out six grounds for erasure. You can ask in any of these situations.
- The data is no longer necessary. The organization no longer needs the data for the purpose it originally collected it for.
- You withdraw consent. Consent was the legal basis for processing, you withdraw it, and no other legal basis applies.
- You object to the processing. You object under Article 21, and the organization has no overriding legitimate ground to continue, or the processing was for direct marketing.
- The data was processed unlawfully. The organization broke the GDPR's lawfulness rules when it processed the data.
- A legal obligation requires erasure. EU or member-state law obligates the organization to delete the data.
- The data concerns a child's information-society service. The organization collected the data from a child in connection with an online service under Article 8(1).
The most common ground in practice is the second: consent withdrawal. Say a cookie banner or marketing opt-in was the only legal basis for holding your data. Withdrawing that consent obligates the organization to delete what it collected on that basis, unless another lawful basis independently covers it.
Erasure carries a follow-on duty under Article 17(2). If the organization made your data public, it must take reasonable technical steps to notify other controllers processing that data. Those controllers must be told to erase any links to, copies of, or replicas of it. This third-party cleanup duty is easy to miss and rarely covered in short explainers, but it is binding, not optional.
When Can a Company Refuse? (The Article 17 Exceptions)
The right to be forgotten is not absolute. Article 17(3) lets an organization refuse when it needs the data for one of five reasons. Each reason is set out below.
- Freedom of expression and information. This covers journalism, academic work, art, and literature.
- A legal obligation or public-interest task. The organization must comply with a law, or is exercising official authority, that requires keeping the data.
- Public health. The data supports public health protection under the GDPR's special-category rules.
- Archiving, research, or statistics. Deletion would seriously impair or make impossible a genuine public-interest archiving, scientific, historical, or statistical purpose.
- Legal claims. The organization needs the data to establish, exercise, or defend a legal claim.
In practice, the most common refusal ground for a business is retention for tax, accounting, or contractual reasons. Financial records and invoices typically fall under the legal-obligation exception. Anything tied to an active or anticipated legal dispute falls under the legal-claims exception. Payment records specifically can carry multi-year statutory retention periods, depending on local law.
An organization does not always have to fully erase data to satisfy an exception. Anonymizing a record can also count as a valid response where full deletion is not required. That means stripping the details that identify a specific person while keeping the underlying record.
Real-world compliance is uneven. One GDPR forum discussion put it bluntly: requesters will get "entirely mixed responses from every company". A lot of information can legally be held despite an objection. Payment records and similar data often carry their own retention rules. Expect variation, not a guaranteed clean deletion every time you ask.
An organization can also refuse, or charge a reasonable administrative fee, for a request that is manifestly unfounded or excessive. That covers a request made purely to harass, or one that repeats a request already answered. Refusing or mishandling a valid request without a lawful reason is different. That failure is exactly what exposes a business to GDPR fines.
How to Make a Right to Be Forgotten Request
To make a right to be forgotten request:
- Identify who holds your data. Find the organization's privacy contact or GDPR contact, usually listed in its privacy policy. If a third party processes your data on behalf of another company, send the request to that company, not the processor. Requesters commonly send erasure requests to the wrong entity, a frequent source of delay.
- Send the request verbally or in writing. GDPR does not require a specific form. Stating clearly that you want your personal data deleted, and to whom, is enough. A request can go to any part of the organization, not just a dedicated privacy team.
- Be ready to verify your identity. If the organization has doubts about who is asking, it can request proof of identity before acting. This pauses the response clock until you provide it.
- Request a copy of your data first if you also want to see it. Once data is erased, it is gone. Ask for an access copy before or alongside an erasure request if you want a record of what was held.
- For search results, use the search engine's removal tool separately. Delisting a result from Google is a different mechanism from deleting the underlying data at its source. Google provides a dedicated removal-request form for this.
- Escalate to your supervisory authority if ignored or refused without valid grounds. In the UK this is the ICO. Each EU country has its own data protection authority, and regulators can investigate and, in serious cases, fine the organization.
GDPR discussion forums and regulator guidance agree on one point: the right is qualified, not automatic. If your data is genuinely no longer needed and no exception applies, a properly addressed request should succeed. If retention obligations apply, expect at least a partial refusal with a stated reason.
How Long Does a Company Have to Respond?
An organization has one month from receipt of your erasure request to respond, without undue delay. It can extend that deadline by two further months for complex or numerous requests. It must tell you within the first month and explain why.
The one-month clock starts on the day the organization receives the request. If it later requests identity-verification information or a fee, the clock restarts from that point instead. A refusal must also be explained within that same one-month window, along with your right to complain to a supervisory authority. There is usually no fee for a standard erasure request.
How Is the Right to Be Forgotten Different From a DSAR?
A DSAR (subject access request) asks an organization to show you the data it holds about you. The right to be forgotten asks it to delete that data. Both are GDPR data-subject rights. Access is almost always granted, while erasure is conditional and can be refused under one of five exceptions.
| Right of access (DSAR) | Right to erasure (RTBF) | |
|---|---|---|
| What it does | Shows you what data is held and how it is used | Deletes the data, where a valid ground applies |
| GDPR article | Article 15 | Article 17 |
| How often granted | Nearly always, with limited redaction | Conditionally, subject to exceptions |
These two rights sit alongside the full set of GDPR data subject rights, which also includes rectification, restriction, portability, and the right to object. If you want to see your data before deciding whether to request its deletion, read about how a DSAR works first.
Does the United States Have a Right to Be Forgotten?
No single federal right to be forgotten exists in the United States. The First Amendment blocks a broad law requiring the removal of truthful, legally obtained information. Several state privacy laws and search-engine mechanisms instead give Americans narrower, comparable options.
The most prominent state-level equivalent is the CCPA/CPRA "right to delete" in California. It lets a consumer ask a covered business to delete personal information it collected, with statutory exceptions for completing transactions, legal compliance, and security purposes. A business must respond within 45 calendar days, extendable by another 45 for 90 days total, a different timeline than the GDPR's one month. Virginia and Colorado grant residents comparable delete rights under their own state privacy laws.
California also runs a dedicated data-broker mechanism. It is called the Delete Request and Opt-Out Platform (DROP), part of the state's Delete Act. Operated through the California Privacy Protection Agency, it lets a resident submit one request that reaches every registered data broker in the state at once.
Google separately lets US residents request removal of specific personal information from its search results, such as a leaked address, phone number, or doxxing content. This process is independent of any state law. A handful of US newspapers also run voluntary "right to be forgotten" programs that de-index old, minor stories from their own archives. This is an editorial choice, not a legal requirement.
For the fuller map of US and international privacy laws beyond California, see the broader guide to data privacy laws.
What the Right to Be Forgotten Means for Website Owners
If your website collects personal data, the right to be forgotten is a compliance obligation, not background reading. You must find a person's data, delete it when one of the six grounds applies, and keep what you are legally required to retain. You must also tell other parties you shared it with, and respond within a month.
In practice, that means:
- Know what data you hold and its legal basis. You cannot erase what you cannot find. The applicable legal basis (consent, contract, legitimate interest) determines whether a given erasure request even applies.
- Have a working request channel. A request can arrive verbally, so make sure staff who interact with users know how to recognize and route one.
- Log consent so you can act on withdrawal. A timestamped consent record lets you confirm exactly what a visitor agreed to, and act correctly the moment they withdraw it.
- Disclose erasure rights in your privacy policy. State the right and the contact point for a request.
- Track your retention schedule. Know which records you must legally keep, such as tax or contract documentation, so you can honor valid requests while lawfully refusing the rest.
Handling requests like these is one part of a broader compliance picture. See the full guide to making a website GDPR compliant for the rest. The cookie consent rules the GDPR sets cover the banner rules that generate most consent-basis erasure requests in the first place.
How Consently Helps You Honor Erasure and Consent Requests
Consently is a consent management platform, so it supports the consent side of erasure, not fulfillment of deletion requests on your behalf. Say consent is your legal basis, and a visitor withdraws it. You may then need to erase the data held on that basis, under Article 17 ground (b). Consently gives you the audit trail to act on it correctly.
Consently's timestamped Consent Logs record exactly who consented to what, and when, across your site. When a visitor withdraws consent, or asks you to confirm the basis for their data, you export the relevant log entry. That beats reconstructing it from memory. The log also lets you demonstrate, if a regulator ever asks, that you handled the request on a documented basis.
The Cookie Banner and its preference center are where that consent is captured and withdrawn in the first place. The log and the banner work together as one record. Consently's Privacy Policy Generator produces the policy page where you disclose erasure rights and the contact point for a request.
Consently does not process, route, or fulfill erasure requests for you; that part stays with your team. What it gives you is the documented consent trail and the policy disclosure that make handling those requests defensible.
Try Consently free to see the consent log and cookie banner set up on your own site.
FAQs
What is the right to be forgotten in simple terms?
The right to be forgotten is the GDPR right to ask an organization to delete your personal data. It is formally called the right to erasure under Article 17. It only applies in specific situations, and an organization can refuse it for legal reasons.
Is the right to be forgotten absolute?
No. The right to be forgotten is a qualified right. An organization can lawfully refuse when it needs to keep the data for one of five reasons under Article 17(3). A legal obligation or a legal claim are two examples.
What is the difference between the right to be forgotten and the right to erasure?
There is no difference. "The right to be forgotten" is the popular name. "The right to erasure" is the formal legal term used in Article 17 of the GDPR. Both describe the same right.
Can I ask Google to remove search results about me?
Yes, through Google's own removal-request process, separate from GDPR erasure requests to the site that published the content. Removal from Google's search results (delisting) only affects name-based searches; it does not delete the underlying page, which stays live elsewhere online.
How long does a company have to delete my data under GDPR?
One month from receipt of a valid request. That deadline can extend by up to two further months for complex or numerous requests. The organization must tell you within the first month.
Can a company refuse to delete my data?
Yes. A company can refuse when keeping the data is necessary for freedom of expression, a legal obligation, public interest, archiving, research, or a legal claim. It must give you the reason within the one-month response window.
Does the right to be forgotten apply in the US?
Not as a single federal right; the First Amendment blocks a broad version of it. Some states, including California, Virginia, and Colorado, grant a narrower "right to delete" instead, and California's Delete Act adds a data-broker opt-out mechanism.
What happens if a company ignores my erasure request?
Complain to your supervisory authority, such as the ICO in the UK or your national data protection authority in the EU. Regulators can investigate the complaint and, in serious cases, fine the organization for non-compliance.
Can I request erasure if I only withdrew my cookie consent?
Yes. If consent was the only legal basis for processing your data, withdrawing it obligates the organization to erase the data collected on that basis. This does not apply if another lawful basis independently covers the same data.
The right to be forgotten is a real but conditional GDPR right, not a guaranteed data wipe on request. It sits alongside the full set of GDPR data subject rights. For a website owner, it is one piece of the broader GDPR compliance picture, not a standalone task.

