Right to Be Forgotten in the US: Do State Privacy Laws Give You Deletion Rights?

What Is the Right to Be Forgotten?

The "right to be forgotten" is a legal concept that allows individuals to request that organizations delete their personal data. The term became famous in 2014 when the European Court of Justice ruled that individuals could ask search engines to remove links to outdated or irrelevant personal information. Today, the right is codified in Article 17 of the EU's General Data Protection Regulation (GDPR), which grants EU residents a formal "right to erasure."

But what about the United States? There is no single federal law that grants Americans a blanket right to be forgotten. Instead, a growing patchwork of state privacy laws provides data deletion rights that function similarly — though with important differences from the EU model.

Does the US Have a Right to Be Forgotten?

The short answer: not exactly, but increasingly yes. The US has no federal equivalent to the GDPR's right to erasure. However, as of 2026, 21 US states have enacted comprehensive privacy laws that include a consumer right to request deletion of personal data. For millions of Americans, the practical effect is similar to Europe's right to be forgotten — companies must delete personal information when asked.

Use our Privacy Law Calculator to find out which state deletion rights apply to your business based on your revenue, user count, and where you operate.

State-by-State Data Deletion Rights

Every comprehensive state privacy law enacted so far includes a right to deletion, but the scope and mechanics vary significantly:

California (CCPA/CPRA) — The Strongest US Deletion Right

California's CCPA/CPRA provides the most robust deletion rights in the US. Consumers can request that businesses delete any personal information collected from them. Key features include:

Broad scope — Applies to businesses with $25M+ revenue, or data on 100,000+ consumers, or 50%+ revenue from selling data
Service provider chain — Businesses must direct service providers and contractors to delete the data too
No reason required — Consumers do not need to explain why they want their data deleted
45-day response deadline — Businesses must respond within 45 calendar days (extendable by 45 more with notice)
Enforcement teeth — The California Privacy Protection Agency has issued fines for making deletion too difficult, including the $1.1M PlayOn Sports fine and the $375K Ford fine for requiring email verification before processing opt-out requests

Virginia, Colorado, Connecticut — The "Standard" Model

Most state privacy laws follow a similar template originally based on the Virginia Consumer Data Protection Act. Virginia, Colorado, and Connecticut provide deletion rights with these typical features:

Right to delete personal data provided by the consumer to the controller
30-day response window (some states allow a 30-day extension)
Exceptions apply — Controllers can refuse deletion if the data is needed to complete a transaction, comply with legal obligations, detect security incidents, or exercise free speech
Appeal process — Consumers have the right to appeal a denied deletion request

See our state comparison tool to view deletion right details side-by-side across all 21 states.

Maryland (MODPA) — The Strictest New Entrant

Maryland's Online Data Privacy Act, with enforcement starting April 1, 2026, adds a critical twist: its data minimization requirements mean businesses should not have collected unnecessary data in the first place. This effectively strengthens the deletion right because there is less justification for retaining data beyond its original purpose. Maryland also has no revenue threshold — the law applies to any business processing data of Maryland residents.

Texas — Large-State Impact

Texas's TDPSA covers the second-largest US state by population with a deletion right similar to the standard model. Texas has been particularly aggressive in enforcement, securing a billion-dollar settlement with a major tech company. The Texas AG has signaled that failure to honor deletion requests will be a priority enforcement area.

Oregon — Expanded Scope for Data Brokers

Oregon's Consumer Privacy Act is notable because it does not exempt nonprofits and has a relatively low applicability threshold (100,000 consumers, or 25,000 if selling data). Oregon's deletion right is paired with strict data broker registration requirements, creating a more comprehensive framework for personal data removal.

Other States with Deletion Rights

The following states also provide consumers a right to request deletion of personal data: Utah, Iowa, Indiana, Kentucky, Tennessee, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Rhode Island, Minnesota, Maine, and Oklahoma. See each state page for specific thresholds and timelines.

US Deletion Rights vs. EU Right to Be Forgotten: Key Differences

While US state deletion rights are often compared to the EU's right to be forgotten, there are important structural differences:

Feature	EU GDPR (Right to Erasure)	US State Laws (Deletion Rights)
Coverage	All EU/EEA residents, unified law	Varies by state — 21 states as of 2026, each with different thresholds
Search engine delisting	Yes — can request search engines remove links	Generally no — US deletion rights target the data controller, not search engines
Scope of deletion	All personal data processed by the controller	Typically data "provided by the consumer" (some states broader)
Data broker requirements	Covered under general right to erasure	California Delete Act creates separate one-click deletion mechanism; several states require data broker registration
Private right of action	Yes, through data protection authorities and courts	Only California (limited to data breaches); most states AG-only enforcement
Response time	30 days (extendable by 60 days)	30-45 days depending on state (most allow extensions)
Exceptions	Free expression, public interest, legal claims, public health	Similar plus completing transactions, internal analytics, security incident detection

The California Delete Act: The Closest US Equivalent

California's Delete Act (SB 362) creates the mechanism closest to a true "right to be forgotten" in the US. Starting August 1, 2026, the DELETE Request Online Portal (DROP) will allow California residents to submit a single deletion request that reaches all registered data brokers simultaneously. Key features:

One-click deletion — A single request triggers deletion across all 500+ registered data brokers
45-day processing — Data brokers must process DROP requests every 45 days
Severe penalties — $200 per consumer per day for non-compliance, with no cure period
Already enforced — The CPPA has already taken 8+ enforcement actions against data brokers for registration failures

If you operate as a data broker, compliance with the Delete Act is critical. Check our data broker registration guide for details.

What Businesses Must Do to Comply with Deletion Requests

If your business is subject to any state privacy law, you need a reliable process for handling data deletion requests. Here is a practical compliance checklist:

Accept requests through multiple channels — Most states require at least two methods (web form, email, toll-free number). California requires a web form. Never require account creation to submit a deletion request.
Verify the requestor's identity — You must confirm the person is who they claim to be, but verification cannot be so burdensome that it discourages requests. The Ford enforcement action showed that requiring email verification for opt-outs can cross the line.
Acknowledge receipt promptly — Send confirmation within 10 days (California) or as required by applicable law.
Complete deletion within the deadline — 45 days for California, 30 days for most other states. Extensions are available with notice.
Notify service providers — Direct your processors, service providers, and contractors to delete the data as well.
Document exceptions — If you deny a request based on an exemption (legal obligation, security, free speech), explain the reason in writing and inform the consumer of their appeal rights.
Maintain records — Track all deletion requests, responses, and timelines for at least 24 months. California requires businesses to disclose annual metrics on DSAR volume.
Build a data retention policy — Proactive data retention limits reduce the volume of data subject to deletion requests and strengthen your data minimization compliance.

Is a Federal Right to Be Forgotten Coming?

As of March 2026, there is no federal privacy law providing a right to data deletion. The American Data Privacy and Protection Act (ADPPA) advanced further than any previous federal proposal in 2022 but stalled in the House. More recently, COPPA 2.0 passed the Senate in March 2026 with provisions banning targeted advertising to children and requiring opt-in consent for teens 13-16 — but it is a children's privacy law, not a comprehensive right to deletion for all consumers.

Without federal action, the patchwork of state laws will continue to expand. Businesses operating nationally should build their compliance programs around the most protective state standards — primarily California and Maryland — to ensure they meet requirements everywhere.

Frequently Asked Questions

Can I ask Google to delete my personal information in the US?

Google has a voluntary removal tool for certain types of personal information (phone numbers, email addresses, physical addresses) that appear in search results. However, this is a Google policy — not a legal right under US law. Under the California Delete Act, if Google qualifies as a data broker (which it has not been registered as), the deletion mechanism would apply differently. For now, state privacy laws give you the right to request deletion from the companies that collected your data, but generally not from search engines that index publicly available information.

Does the right to be forgotten apply to social media in the US?

If a social media company meets the applicability thresholds of a state privacy law (which major platforms do for California, Texas, and most other states), you can submit a deletion request. The company must delete your personal data, though they may retain data necessary for legal compliance or security purposes. This does not mean the company must remove content you posted that was reshared by others — the deletion applies to the data the company holds, not copies distributed across the internet.

What happens if a company ignores my deletion request?

In most states, enforcement is handled by the state attorney general. If a company fails to respond or refuses without a valid exemption, you can file a complaint with your state AG's office. In California, complaints go to the CPPA. Only California provides a limited private right of action, and only for data breaches — not for denied deletion requests. Some states offer a cure period (30-60 days to fix the violation before penalties apply), though California eliminated its cure period for most violations. See our penalties guide for state-by-state enforcement details.

Do small businesses have to honor deletion requests?

Only if you meet a state's applicability thresholds. Most states require processing data of 25,000-100,000 consumers, generating $25M+ in revenue, or earning a significant share of revenue from data sales. However, thresholds vary — Maryland has no revenue threshold, and Oregon applies at just 25,000 consumers if you sell data. Use our calculator to check if your business is covered.

How does the right to be forgotten differ from the right to opt out?

The right to opt out prevents a company from selling or sharing your data going forward, but the company can keep the data it already has. The right to deletion (right to be forgotten) requires the company to actually erase the personal data it has collected. Many privacy-conscious consumers exercise both rights together — opting out of future sales and requesting deletion of existing data.

Last updated: March 29, 2026.