The Right to Be Forgotten: What US Small Businesses Need to Know

There is no federal right to be forgotten in the US, but California and other states give consumers the right to delete their data. Here is what US small businesses need to understand and do.

Last updated: 2026-02-07

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), various US state privacy laws, the GDPR (Regulation (EU) 2016/679), and related regulations, as of the date of publication.

If you run a business in the United States, the "right to be forgotten" can feel like someone else's problem. It is a European thing, right? A GDPR thing?

Not anymore. While the US does not have a single federal privacy law granting a right to be forgotten, the patchwork of state privacy laws -- led by California -- increasingly gives consumers the right to demand that businesses delete their personal data. And the trend is accelerating.

This guide focuses on the US landscape: what laws exist, what they require, how they differ from the European right to be forgotten, and what your business needs to do about it.

The US Has No Federal Right to Be Forgotten

Let us start with the baseline. As of 2026, there is no comprehensive federal privacy law in the United States that grants consumers a right to be forgotten or a right to delete their personal data. The US has a sectoral approach to privacy -- specific laws for specific industries (HIPAA for health, FERPA for education, GLBA for finance) -- but no overarching federal data protection law.

Several attempts to pass comprehensive federal privacy legislation have stalled in Congress. The American Data Privacy and Protection Act (ADPPA) came close in 2022 but did not make it through. Until federal legislation passes, privacy rights in the US are determined at the state level.

This means your obligations depend on where your customers are, not just where your business is.

California: The Right to Delete Under CCPA/CPRA

California is the most important state for US privacy rights. The California Consumer Privacy Act (CCPA, Cal. Civ. Code §§ 1798.100–1798.199.100), enacted in 2020 and significantly amended by the California Privacy Rights Act (CPRA) in 2023, gives California residents a right to delete their personal information.

Who CCPA/CPRA Applies To

CCPA applies to for-profit businesses that do business in California and meet any one of these thresholds:

  • Annual gross revenue over $25 million
  • Buy, sell, or share the personal information of 100,000 or more California consumers, households, or devices
  • Derive 50% or more of annual revenue from selling or sharing California consumers' personal information

Note the key difference from GDPR: CCPA has applicability thresholds. Many small businesses fall below all three thresholds and are not subject to CCPA. This is a genuine exemption that GDPR does not offer. For a full comparison of these two frameworks, see our guide on the right to delete under CCPA vs the right to be forgotten under GDPR.

What the Right to Delete Covers

Under CCPA/CPRA (Cal. Civ. Code § 1798.105), California consumers can request that a business delete personal information the business collected from them. When a business receives a verified deletion request, it must:

  • Delete the consumer's personal information from its records
  • Direct any service providers or contractors that received the information to delete it as well
  • Notify all third parties to whom the business sold or shared the information to delete it

Exceptions to the Right to Delete

CCPA provides several exceptions (Cal. Civ. Code § 1798.105(d)) where a business can refuse a deletion request. These are broader than GDPR's exceptions:

  • Completing a transaction for which the information was collected
  • Providing a good or service requested by the consumer
  • Performing a contract between the business and the consumer
  • Detecting security incidents and protecting against fraud or illegal activity
  • Debugging to identify and repair errors
  • Exercising free speech or another right provided by law
  • Complying with the California Electronic Communications Privacy Act
  • Scientific, historical, or statistical research in the public interest
  • Internal uses reasonably aligned with consumer expectations
  • Complying with a legal obligation

Verification Requirements

Before fulfilling a deletion request, you must verify the identity of the person making the request. CCPA requires "reasonable" verification methods. What counts as reasonable depends on the sensitivity of the data and the risk of harm from unauthorized deletion.

For non-sensitive data, matching two data points (name and email, or name and account number) is typically sufficient. For sensitive data, you may need additional verification steps.

Response Timeline

You must acknowledge a deletion request within 10 business days and fulfill it within 45 calendar days. You can extend this by an additional 45 days if reasonably necessary, but you must notify the consumer of the extension.

Other US States with Deletion Rights

California led the way, but it is no longer alone. A growing number of US states have enacted privacy laws that include some form of right to delete.

Virginia (Consumer Data Protection Act)

Effective January 2023. Applies to businesses that conduct business in Virginia or target Virginia residents and either: (a) control or process personal data of at least 100,000 consumers, or (b) derive over 50% of revenue from selling personal data and process data of at least 25,000 consumers.

Virginia consumers can request deletion of personal data they provided. The business must respond within 45 days.

Colorado (Colorado Privacy Act)

Effective July 2023. Similar applicability thresholds to Virginia. Colorado residents can request deletion of their personal data. Businesses must respond within 45 days.

Connecticut (Connecticut Data Privacy Act)

Effective July 2023. Applies to businesses that conduct business in Connecticut or target Connecticut residents and either: (a) control or process personal data of at least 100,000 consumers, or (b) control or process data of 25,000+ consumers and derive more than 25% of revenue from the sale of personal data.

Connecticut residents have a right to delete personal data. Response deadline is 45 days.

Texas (Texas Data Privacy and Security Act)

Effective July 2024. Applies to businesses that conduct business in Texas or produce products/services consumed by Texas residents, process or sell personal data, and are not classified as a small business under the SBA (Small Business Administration) definition. Texas consumers can request deletion.

Oregon (Oregon Consumer Privacy Act)

Effective July 2024. Applies to businesses that conduct business in Oregon or provide products/services to Oregon residents and either: (a) control or process personal data of 100,000+ consumers, or (b) control or process data of 25,000+ consumers and derive 25%+ of gross revenue from selling personal data.

Montana, Iowa, Indiana, Tennessee, and Others

Multiple additional states have enacted or are enacting privacy laws, most following the Virginia model with similar thresholds and deletion rights. The trend is clear: deletion rights are becoming standard across the US.

The Common Pattern

Most state privacy laws share these features:

  • Applicability thresholds based on data volume or revenue (unlike GDPR's universal application)
  • Right to delete personal data with exceptions
  • 45-day response windows (sometimes with extensions)
  • Verification requirements before fulfilling requests
  • Exceptions for legal compliance, security, contracts, and public interest

The practical impact for multi-state businesses: if you meet the threshold in any one state, building a deletion process that covers all states is more efficient than trying to comply state by state.

How the US Right to Delete Differs from GDPR's Right to Be Forgotten

While the practical outcome -- deleting personal data upon request -- sounds similar, there are meaningful differences between US state deletion rights and the GDPR Article 17 right to erasure (also called the right to be forgotten).

Scope

GDPR (Regulation (EU) 2016/679, Article 17): Applies to any organization that processes personal data of EU/EEA residents, regardless of size. No revenue or data volume thresholds. Covers all personal data the controller holds about the individual, including data obtained from third parties.

US state laws: Apply only to businesses meeting specific thresholds. Generally limited to personal data collected directly from the consumer (though CPRA expanded this).

Grounds for Erasure

GDPR: The individual can request erasure on specific grounds: the data is no longer necessary, consent is withdrawn, the person objects to processing, the data was unlawfully processed, legal obligation requires deletion, or the data was collected from a child for online services.

US state laws: The consumer can request deletion without having to cite a specific ground. It is a broader right of request, but the exceptions available to businesses are also broader.

Third-Party Obligations

GDPR: When you delete data, you must take reasonable steps to inform other controllers processing that data to delete it as well (the "right to be forgotten" aspect).

US state laws: Under CPRA, you must direct service providers and third parties to delete the data. Other state laws vary in the specificity of this requirement.

Enforcement

GDPR: Enforced by independent supervisory authorities (data protection authorities) that can investigate and fine without waiting for a complaint.

US state laws: Primarily enforced by state attorneys general. Most do not provide a private right of action for deletion issues (California provides a limited private right of action for data breaches, not for deletion failures).

For a detailed side-by-side comparison, see our guide on the right to delete under CCPA vs the right to be forgotten under GDPR.

What About Google Search Results?

When most people think "right to be forgotten," they think about removing results from Google. This stems from the landmark 2014 European Court of Justice ruling in Google Spain SL v AEPD (Case C-131/12) that established the right to request delisting of search results under EU law.

In the US, there is no equivalent legal right to delist search results. You cannot compel Google to remove links to publicly available information about you based on privacy grounds alone.

Google does offer voluntary removal tools for certain types of content:

  • Personally identifiable information that creates a risk of identity theft (Social Security numbers, bank account numbers)
  • Non-consensual explicit imagery
  • Content on sites with exploitative removal practices
  • Certain outdated content in limited circumstances

But these are Google's policies, not legal rights. They are discretionary and limited.

For businesses, this means: if a customer asks you to "remove everything about them from the internet," you can only control the data you hold. You cannot control search engine results, news articles, social media posts by third parties, or public records. Set realistic expectations. Our guide on what "removing everything about me" actually means covers this in detail.

Practical Steps for US Small Businesses

Whether you are currently subject to state privacy laws or not, building a deletion capability is smart practice. Here is what to do:

1. Determine Your Obligations

Review the applicability thresholds for each state where you have customers. Key questions:

  • Do you have annual gross revenue over $25 million? (California)
  • Do you process personal information of 100,000+ consumers? (California, Virginia, Colorado, Connecticut)
  • Do you derive significant revenue from selling personal data? (Multiple states)
  • Are you operating in a state with a privacy law that has lower thresholds?

If you fall below all thresholds in every state, you are not legally required to honor deletion requests under state law. However, it is still good practice -- and many consumers expect it regardless of legal requirements.

2. Map Your Data

Know where personal data lives across your systems. When someone requests deletion, you need to find and remove their data from every location:

  • Your database or application
  • Email accounts (search for their name and email)
  • CRM and marketing tools
  • Analytics platforms
  • Customer support systems
  • Backup systems (more on this below)
  • Paper records
  • Third-party services you share data with

3. Build a Deletion Process

Document a step-by-step process:

  1. Receive the request (via email, web form, or other channel)
  2. Acknowledge receipt within 10 business days
  3. Verify the requester's identity
  4. Search all systems for the individual's data
  5. Determine if any exceptions apply
  6. Delete the data (or explain why you cannot)
  7. Notify service providers and third parties to delete
  8. Confirm deletion to the requester
  9. Document the request and your response

4. Handle Backups Realistically

Backups are the hardest part of data deletion. Most businesses cannot selectively delete individual records from backup systems. Here is the pragmatic approach:

  • Delete the data from all active, production systems
  • Document that the data may exist in encrypted backups
  • Ensure the backup retention period is reasonable (not indefinite)
  • When backups cycle out, the data is naturally deleted
  • Do not restore the deleted data from backups unless required for disaster recovery (in which case, delete it again promptly)

Most regulators accept this approach as reasonable, as long as backup retention periods are not excessive and the data in backups is not actively accessed.

5. Provide a Clear Request Mechanism

Make it easy for consumers to submit deletion requests:

  • A dedicated email address (privacy@yourcompany.com)
  • A web form on your website
  • Information in your privacy policy about how to make a request

Do not make people jump through hoops. A request submitted by email should be treated the same as one submitted through your preferred form.

6. Train Your Team

Every customer-facing employee should know:

  • That consumers may request data deletion
  • Who to escalate those requests to
  • Not to ignore or dismiss such requests
  • Basic timelines for response

The Trend Is Clear

Even if your business is not currently subject to any state privacy law, the direction is unmistakable. More states are enacting privacy laws, thresholds may decrease over time, and federal legislation remains a possibility. A comprehensive federal privacy law would likely include deletion rights.

Building a reasonable data deletion capability now -- mapping your data, documenting your process, training your team -- is an investment that will pay off regardless of which specific laws end up applying to you. It also builds customer trust, which matters in any regulatory environment.

For the European perspective on the right to erasure, including the specific legal grounds and exceptions under GDPR Article 17, see our detailed guide on the right to erasure.

References

  • California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100
  • CCPA Right to Delete: Cal. Civ. Code § 1798.105
  • General Data Protection Regulation (GDPR): Regulation (EU) 2016/679
  • GDPR Article 17 (Right to Erasure): Regulation (EU) 2016/679, Article 17
  • Google Spain SL v AEPD (Case C-131/12): CJEU judgment, the landmark "Right to Be Forgotten" ruling

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

