What Is the Right To Be Forgotten?

The right to be forgotten allows consumers to have personal information erased from company data if it meets specific criteria.
We may receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

The majority of internet users are likely opting into privacy and cookie policies multiple times a day. These policies help define what information companies can collect, and how they can use that information in the future. However, once you’ve opted in, can you ever change your mind? Or does that company have access to your data for eternity?

Just as the General Data Protection Regulation (GDPR) outlines how companies use your data, it also outlines how consumers can have their data removed. The right to be forgotten (RBTF) or the right to erasure is the part of the GDPR that outlines a consumer’s ability to be forgotten. Even if you request to be forgotten, that doesn’t mean a company will erase all of your data. The GDPR outlines the exact reasons consumers can be forgotten and the reasons why a company could maintain your information.

Let’s look at a consumer’s right to be forgotten and how it protects both individual data and companies.

In this article
What is the right to be forgotten?
When does the right to be forgotten apply?
How does the right to be forgotten affect you?
Right to be forgotten FAQs
Bottom line

What is the right to be forgotten?

The GDPR is a robust policy that protects consumers and their personally identifiable information (PII). The right to be forgotten is outlined in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have an obligation to erase personal data without undue delay.”

The GDPR discusses the data subject, which is the person whose personal information is being collected. It also specifies the data controller, which is the entity or business that is responsible for the data being collected and how it is used.

Essentially, Section 17 says that consumers who have opted in to a privacy policy have the right to request that their personal information be erased from the company. Section 17 outlines the right to be forgotten, but it also details when a company has the right to continue to use your information.

Being forgotten is more than just clearing your cookies; each time you agree to a company’s privacy policy, it’s collecting data about you. It’s likely that you’re not keeping a spreadsheet of every webpage you visit, so how can you know which websites have your data and what information is being collected specifically? The GDPR also outlines this in Section 15. Section 15 outlines consumers’ rights to request their personal information found within the company's database.

A person may want to pursue the right to be forgotten and remove their information from a company’s database in order to protect their identity or other information. However, the right to be forgotten also applies to data about you that is available on the internet. In several instances, people have requested that Google or other search engines remove information about them from the internet.

Does the right to be forgotten exist in other countries?

The GDPR outlines the right to be forgotten for people who do business with companies in the European Union (EU). The California Consumer Privacy Act (CCPA) also outlines a similar right for consumers in California. Other countries have similar legislation as the right to be forgotten, including Russia, Argentina, and the Philippines.

When does the right to be forgotten apply?

While the right to be forgotten sounds all-encompassing, the GDPR does not give consumers the full liberty to have all of their information erased. The GDPR outlines reasons for which a consumer can be forgotten. The reason could be as simple as the company no longer needing the data or it could be more substantial if the company is using your data inappropriately.

Article 17 details the situations where the right to be forgotten applies. An individual in an EU member state has the right to have their personal data erased in the following scenarios:

  • “The personal data is no longer necessary for the purpose an organization originally collected or processed it.
  • An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.
  • An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.
  • An organization is processing personal data for direct marketing purposes and the individual objects to this processing.
  • An organization processed an individual’s personal data unlawfully.
  • An organization must erase personal data in order to comply with a legal ruling or obligation.
  • An organization has processed a child’s personal data to offer their information society services.”[1]

When do organizations trump your right to be forgotten?

The GDPR also understands the importance that personal data plays in day-to-day business. It lists why an organization does not have to erase or forget its information. Many of the reasons for not being forgotten depend on greater circumstances, such as a legal obligation or public health.

The following are the GDPR’s reasons why a company’s need for the data may be more important than the right to be forgotten:

  • “The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to comply with a legal ruling or obligation.
  • The data is being used to perform a task being carried out in the public interest or when exercising an organization’s official authority.
  • The data being processed is necessary for public health purposes and serves in the public interest.
  • The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
  • The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress toward the achievement that was the goal of the processing.
  • The data is being used for the establishment of a legal defense or in the exercise of other legal claims.”[1]

The first right to be forgotten case

The Court of Justice of the European Union first ruled on the right to be forgotten in 2014. This was the first time the legislation was used in court. In this case, Mario Costeja González was asking Google Spain to remove information about a foreclosed property from the search engine. González claimed that the dispute had been resolved and that the information was no longer correct.

In the end, the court decided that a search engine or other entity should remove someone’s personal information if it meets certain criteria. The criteria they outlined include:

  • Search results are inadequate.
  • Search results are irrelevant or no longer relevant.
  • Search results are excessive given the length of time since publication.

How does the right to be forgotten affect you?

Even if you don’t live in the EU, the GDPR may still affect you. The GDPR has been used as the foundation of other legislation, such as the CCPA. The GDPR and its components, such as the right to be forgotten, are focused on protecting consumers’ personal information.

What if you want to be “forgotten” when it comes to your social media profiles? Does this same regulation apply when you want to delete your social media profile? Although you can delete your profiles on your own, you can also submit a request to be forgotten to the social media companies to have them remove your personal data throughout the platform.

What do you do if you feel like your data should be removed from a company’s database? After looking at the reasons outlined for removal, the next step in the process includes submitting a Right to Erasure Request.

The request is pretty straightforward. To have your data removed, you will need to provide some information about the data subject (you) and explain the reason for the erasure. Once a request is submitted, an organization has about one month to remove the information or reject the request.

The right to be forgotten and freedom of expression

In many instances, the right to be forgotten is used to remove unnecessary information. However, there have been concerns about how the right to erasure limits the freedom of expression. Although the GDPR only applies to companies doing business with patrons in the EU, some believe it limits one's freedom of expression as outlined in the First Amendment to the U.S. Constitution.

Let’s say someone requests their personal information be deleted from a website. The information in question is about the person’s criminal record. The person has a right to be forgotten, as outlined in the GDPR. However, removing this information could infringe on the freedom of the press.

The GDPR regulates any company that does business with consumers in the EU, so many businesses in the U.S. have to be aligned with the regulation.

Right to be forgotten FAQs


What is the right to be forgotten also known as?

The right to be forgotten is also known as the right to erasure. As outlined in Section 17 of the General Data Protection Regulation, the right to be forgotten gives consumers the power to request that their personal data be removed from a company’s database.


Does the right to be forgotten exist in the U.S.?

The right to be forgotten does not explicitly exist in the U.S. The CCPA includes a right-to-be-forgotten clause, but it is not a regulation for the U.S.


What are the pros and cons of the right to be forgotten?

The pros of the right to be forgotten include greater control of personal information — and the ability to remove it when it is incorrect or no longer necessary. However, the legislation also opens the opportunity for people to submit right-to-be-forgotten requests for anything they may see as unfair or inaccurate. Some argue this could be a violation of freedom of the press and freedom of speech in the U.S.

Bottom line

The right to be forgotten is an important part of the EU General Data Protection Regulation. It allows consumers to remove information that is no longer being used from company data. As a consumer, you may be worried about the information accessible by various companies. The GDPR allows you to request a copy of the data on hand, and then you are able to request for that information to be erased if it meets certain criteria.

Although you may not need to use the GDPR’s right to be forgotten, it is a good idea to know what information about you is online and how to remove your information from Google’s search results. Although legislation such as the GDPR and the CCPA help protect PII, it is important for individuals to be vigilant in protecting their own data. The right to be forgotten will continue to evolve as more and more legislation is created.

Author Details
Andrew Strom Adams is a freelance writer focused on online privacy and digital security. He writes on various topics to help individuals protect themselves on the internet. Andrew has worked in legal marketing, technology, and startups. He has more than 12 years of experience in marketing and communications. He holds an M.B.A. from Westminster College and a B.A. in journalism from Oklahoma Baptist University. When he’s not writing, he’s playing with his two kids or watching reality TV.


[1] Everything you need to know about the “Right to be forgotten”