B
Boring Governance

Removing Everything About Me: What the Right to Be Forgotten Actually Means

What does the right to be forgotten actually cover? Spoiler: not everything. This guide explains the gap between expectation and reality for both consumers making requests and businesses receiving them.

Last updated: 2026-02-07

You want to erase yourself from the internet. Maybe someone published something about you that you would rather not exist. Maybe you are sick of companies having your data. Maybe you just want to start fresh digitally. Whatever the reason, you have searched for "removing everything about me" and ended up here.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (Regulation (EU) 2016/679), the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), and related regulations, as of the date of publication.

Here is the honest truth: you probably cannot remove everything. But you can remove a lot more than you think -- if you understand what the law actually allows, which companies have to listen to you, and which ones do not.

This guide is for two audiences. If you are a consumer trying to get your data deleted, we will tell you what is actually possible and how to do it. If you are a business owner receiving these requests, we will tell you what you are actually obligated to do -- and what you can push back on.

The Gap Between Expectation and Reality

When people talk about the "right to be forgotten," they usually imagine something absolute: press a button, and every trace of your existence disappears from the internet. Every search result, every data broker listing, every social media mention, every company database -- all gone.

That is not how it works. Not even close.

The right to be forgotten, as it exists in law, is more accurately described as the right to ask specific companies to delete specific data under specific circumstances. It is powerful, but it is limited. Understanding those limits saves you time, frustration, and unrealistic expectations.

Here is what the right to be forgotten actually covers and what it does not:

What You Can Usually Get Deleted

  • Your account data with a specific company. If you have an account with a company, you can generally ask them to delete your account and the data associated with it. Under GDPR Article 17, this is a clear right. Under CCPA (Cal. Civ. Code § 1798.105) and other US state laws, it applies if the company meets the relevant thresholds.
  • Marketing and advertising data. You can ask companies to stop using your data for marketing and to delete the marketing data they hold about you. Under GDPR, the right to object to direct marketing is absolute.
  • Data collected with consent that you now withdraw. If you originally gave consent for a company to use your data and you withdraw that consent, the company must stop processing and, if you request, delete the data (unless they have another lawful basis).
  • Data that is no longer necessary. If a company is holding your data for a purpose that has been fulfilled, you can request deletion.

What You Probably Cannot Get Deleted

  • News articles and journalism. Freedom of expression protections apply in both the EU and the US. A newspaper that published a story containing your name is not required to delete it because you do not like the coverage.
  • Public records. Government records -- court filings, property records, business registrations, regulatory actions -- are generally not subject to deletion requests. These are matters of public record.
  • Data a company is legally required to keep. Tax records, financial transaction records, employment records for regulatory compliance periods -- if the law says the company must keep it, your deletion request does not override that.
  • Data needed for ongoing legal disputes. If there is an active or reasonably anticipated legal claim involving you and the company, they can retain data relevant to that claim.
  • Third-party content on social media. If someone else posted about you on Facebook, Twitter, or Instagram, the right to be forgotten generally does not give you the ability to force the platform to remove their post. (You may have other options, like reporting content that violates platform policies.)
  • Your complete internet footprint. There is no single request you can make that erases everything about you everywhere. The internet is decentralized. You have to go company by company.

Google Delisting vs. Data Deletion: Two Different Things

There is a crucial distinction that most people miss: removing data from Google search results is not the same as deleting data from its source.

Google Search Result Removal (Delisting)

The original "right to be forgotten" case -- Google Spain SL v AEPD (Case C-131/12) in 2014 -- was about search engine results, not about deleting data from its source. The European Court of Justice ruled that Google must consider requests from individuals to remove search results that are "inadequate, irrelevant or no longer relevant, or excessive."

This means:

  • In the EU: You can ask Google to remove specific search results linked to your name. Google must consider the request and balance your privacy rights against the public interest in the information. Google has processed millions of these requests since 2014 and removes about half of the URLs requested.
  • In the US: There is no legal right to demand Google delist search results based on privacy grounds. Google does offer voluntary removal tools for certain categories of harmful content (see below), but there is no legal compulsion.

Important: Even when Google delists a result, the original content still exists on the source website. It just does not appear in Google searches for your name. Someone who goes directly to the source website, or uses a different search engine, can still find it.

Actual Data Deletion

Separately from search engine delisting, you can ask the company that holds your data to actually delete it from their systems. This is what GDPR Article 17 (right to erasure) and CCPA § 1798.105 (right to delete) address. This is the more substantive right -- when the data is actually removed, not just hidden from search results.

How to Make Deletion Requests as a Consumer

If you want to get your personal data deleted, here is a practical approach, organized from easiest to hardest.

Step 1: Delete Your Own Accounts

Start with the services you actively use:

  • Social media: Most platforms (Facebook, Instagram, Twitter/X, LinkedIn, TikTok) offer account deletion in their settings. Note that some platforms distinguish between "deactivation" (temporary, data retained) and "deletion" (permanent). Choose deletion.
  • Email accounts: You can delete email accounts, but consider what you will lose (emails, contacts, any services authenticated through that email).
  • Shopping accounts: Amazon, eBay, Etsy, and similar platforms allow account closure. Some retain transaction data for legal compliance.
  • Subscriptions and memberships: Cancel and delete accounts with subscription services, loyalty programs, forums, and communities.

For each service, check their privacy policy or settings for a "delete my account" or "request my data" option. Many companies have built self-service deletion tools.

Step 2: Submit Formal Deletion Requests

For companies that do not offer self-service deletion, submit formal requests.

If the company is subject to GDPR (you are in the EU, or the company targets the EU):

  • Send an email to their data protection contact (usually listed in their privacy policy)
  • State clearly that you are exercising your right to erasure under GDPR Article 17 (Regulation (EU) 2016/679)
  • Identify yourself sufficiently for them to find your data
  • Be specific about what you want deleted (or request deletion of all personal data)
  • They must respond within 30 days

If the company is subject to CCPA (you are a California resident and the company meets CCPA thresholds):

  • Use the company's designated request method (often a form or email listed in their privacy policy under "Do Not Sell or Share My Personal Information" or "Privacy Rights")
  • State that you are making a deletion request under CCPA
  • Provide information for identity verification
  • They must acknowledge within 10 business days and respond within 45 days

Template email for an erasure request:

Subject: Data Erasure Request - [Your Name]

To whom it may concern,

I am writing to request the erasure of all personal data you hold about me, in accordance with [Article 17 of the GDPR / the California Consumer Privacy Act (CCPA)].

My details for identification purposes: Name: [Your full name] Email address associated with your service: [Your email] Account number (if applicable): [Account number]

Please confirm deletion of my personal data within [30 days (GDPR) / 45 days (CCPA)] as required by law.

If you require any additional information to verify my identity or locate my data, please let me know as soon as possible.

Thank you, [Your name]

Step 3: Tackle Data Brokers

Data brokers -- companies like Spokeo, WhitePages, BeenVerified, Intelius, and PeopleFinder -- aggregate publicly available information and make it searchable. Getting removed from these services is legal and straightforward, but tedious because there are hundreds of them.

For each data broker:

  • Search for yourself on their site to confirm they have your data
  • Find their opt-out page (usually linked from the bottom of their website or their privacy policy)
  • Submit an opt-out/removal request
  • Follow up if the data is not removed within a reasonable timeframe

This process is time-consuming because there are many brokers and some make the opt-out process deliberately cumbersome. There are paid services (like DeleteMe, Kanary, or Privacy Duck) that automate this process for you. Whether the cost ($100-200/year typically) is worth it depends on how much you value your time.

Step 4: Address Google Search Results

In the EU: Use Google's form at support.google.com to request removal of search results under the right to be forgotten. You will need to specify which URLs you want removed and explain why. Google evaluates each request individually, weighing your privacy interest against the public interest in the information.

In the US: Google offers voluntary removal tools for specific categories:

  • Content containing your Social Security number, bank account number, or credit card number
  • Non-consensual explicit imagery (including deepfakes)
  • Content on sites with exploitative removal practices (sites that charge you to remove your own information)
  • Certain types of doxxing content

Beyond these categories, Google is unlikely to remove search results based on a US request.

Step 5: Accept What Cannot Be Removed

After working through the steps above, there will likely be information about you that cannot be removed:

  • News articles and journalism
  • Public records and court documents
  • Government databases
  • Content posted by other people on platforms you do not control
  • Cached or archived copies of web pages (the Wayback Machine, for example)

This is the reality gap. The right to be forgotten is powerful but not omnipotent.

How to Respond to "Remove Everything About Me" Requests as a Business

If you run a business, you will eventually receive a request from someone who wants you to delete "everything" about them. Here is how to handle it properly.

Take It Seriously

Do not dismiss the request because it sounds dramatic or unreasonable. Under GDPR and various US state laws, people have genuine legal rights to request deletion. Even if the request is broadly worded ("remove everything about me from the internet"), interpret it as a request to delete the personal data you hold about them.

Clarify the Scope

Respond promptly and professionally. Clarify what you can and cannot do:

  • You can delete the personal data you hold about them in your systems
  • You can direct your service providers and vendors to delete their data
  • You cannot control other companies, search engines, or third parties
  • Some data may be subject to legal retention requirements

Follow Your Process

Handle it like any other erasure request:

  1. Acknowledge receipt promptly
  2. Verify the requester's identity
  3. Search all your systems for their personal data
  4. Assess whether any exceptions apply
  5. Delete what you can, retain what you must (with documented reasons)
  6. Notify third parties you have shared the data with
  7. Respond to the requester with a clear summary of what was done

For a detailed walkthrough of the erasure process, see our guide on the right to erasure under GDPR Article 17.

Set Realistic Expectations

In your response, be transparent about what you have done and what limitations exist:

We have deleted your personal data from our systems, including [list of systems/data]. We have also notified our service providers ([list]) to delete your data from their systems.

Please note that we are required by [tax law / other legal obligation] to retain [specific records] until [date]. These records are securely stored and will not be used for any purpose other than legal compliance.

We are unable to control data held by other companies, search engines, or third parties. If you wish to have data removed from other services, you will need to contact those companies directly.

Common Scenarios and How to Handle Them

"Delete my account and all my data." Straightforward. Delete the account and associated data, subject to any legal retention requirements. Confirm in writing.

"Remove me from the internet." This is beyond your control. Delete the data you hold, and explain that you cannot control other companies or search engines. Be helpful by suggesting they contact specific services directly if you know their data exists elsewhere.

"Delete the review I left on your site." If it is their own content, you can usually remove it. If it is on a third-party review platform (Google Reviews, Yelp), direct them to the platform.

"Delete the article/blog post about me." This gets into freedom of expression territory. Under GDPR, you may have a legitimate basis to retain published content if it serves the public interest or falls under journalistic purposes. Under US law, First Amendment protections generally apply to published content. Assess on a case-by-case basis.

"I know you bought my data from a data broker. Delete it." Under GDPR Article 17, if you hold their personal data regardless of how you obtained it, you must address the erasure request. Under CPRA, you must also delete data obtained from third parties. Under the original CCPA (§ 1798.105), the right to delete was more limited to data collected directly from the consumer.

The Business Side: What "Removing Everything" Actually Requires

For business owners, handling these requests means having systems in place. Here is what you need:

Know Where Your Data Is

You cannot delete what you cannot find. Maintain a data map showing every system that contains personal data: your database, CRM, email marketing, analytics, customer support, cloud storage, email accounts, physical records, and backup systems.

Have a Documented Process

A written process for handling deletion requests -- who handles them, how to verify identity, where to search, how to document the process -- is essential. It does not need to be complex, but it needs to exist and be followed consistently.

Understand Your Retention Obligations

Know which data you are legally required to retain and for how long. This varies by jurisdiction and industry, but common examples include:

  • Tax and financial records: typically 6-7 years
  • Employment records: varies by jurisdiction, often 3-7 years after employment ends
  • Contract records: typically for the duration of the contract plus the limitation period for claims
  • Health records: varies by jurisdiction, often 6-10 years

When you receive a deletion request, you can refuse to delete data covered by a retention obligation, but you should delete everything else.

Respond Within Deadlines

  • GDPR: 30 calendar days
  • CCPA: 45 calendar days (with 10 business day acknowledgment)
  • Other US state laws: typically 45 calendar days

Missing these deadlines is one of the most common and easily avoidable compliance failures.

What the Future Looks Like

The right to be forgotten is expanding, not contracting:

  • More US states are adopting deletion rights
  • Federal privacy legislation in the US, if passed, will almost certainly include deletion rights
  • Enforcement is increasing in both the EU and the US
  • Consumer awareness is growing -- more people know they can ask for deletion

For businesses, the implication is clear: building a solid deletion process now is not just about current compliance. It is about being ready for a world where these requests become routine.

For consumers, the implication is equally clear: your ability to control your personal data is growing, but it will never be total. The internet is not designed for erasure. The best strategy combines proactive privacy practices (being careful about what you share) with reactive rights exercise (asking for deletion when needed).

The Practical Bottom Line

For consumers: You can get a lot of your data deleted, but not all of it. Start with your own accounts, then submit formal requests to companies, then tackle data brokers, then address search engines. Accept that some information -- public records, news articles, other people's posts -- will remain. The process is tedious but effective for data you have a legal right to have removed.

For businesses: "Remove everything about me" is usually a straightforward erasure request wrapped in dramatic language. Treat it as a standard deletion request. Search your systems, delete what you can, explain what you cannot delete and why, and document everything. Have a process before you need it, not after.

For more on the specific legal frameworks, see our guides on the right to erasure under GDPR and the right to be forgotten in the US.

References

  • General Data Protection Regulation (GDPR): Regulation (EU) 2016/679. Full text
  • GDPR Article 17 (Right to Erasure): Article 17 text
  • California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text
  • Google Spain SL v AEPD (C-131/12): The landmark "Right to Be Forgotten" ruling. CJEU judgment

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

Get the Free DSAR Compliance Guide

Whether you are receiving deletion requests or thinking about building a process to handle them, our free DSAR Compliance Guide gives you everything you need. Step-by-step instructions, templates, timelines, and checklists -- designed for small businesses that need to get it right without overcomplicating it.

Download the free DSAR Compliance Guide