You have more legal power over your personal data than most people realise. The right to erasure — the ability to demand that a company delete every piece of data it holds about you — is enshrined in law across multiple jurisdictions and enforced with increasing seriousness.
Most people never use it. They don’t know it exists, don’t know how to invoke it, or don’t believe it actually works.
This piece explains what the right to erasure covers, how to exercise it, where it falls short, and why the companies that make deletion easy are worth choosing over the ones that make it deliberately hard.
The Legal Framework in 2026
Three frameworks govern personal data deletion rights for the majority of English-speaking internet users:
GDPR — European Union
The General Data Protection Regulation includes a “right to erasure” (Article 17) — sometimes called the right to be forgotten. Under GDPR, EU residents can request that a company delete all personal data it holds about them.
The right applies when:
- The data is no longer necessary for its original purpose
- You’ve withdrawn consent and there’s no other legal basis for processing
- You’ve objected to processing and there’s no overriding legitimate interest
- The data was processed unlawfully
Companies have one month to respond. They can request an extension of up to two additional months if the request is complex. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover — penalties that have been imposed on Google, Meta, and Amazon in recent years.
CCPA — California, United States
The California Consumer Privacy Act gives California residents the right to request deletion of their personal information from businesses that collect it. Businesses have 45 days to respond, extendable by a further 45 days with notice to the consumer.
California Delete Act — Operational from 2026
A significant development: the California Delete Act created the Delete Request and Opt-Out Platform (DROP), managed by the California Privacy Protection Agency. Starting August 1, 2026, California residents can submit a single deletion request to the DROP platform covering all registered data brokers simultaneously.
Data brokers — companies that collect and sell personal information about people they have no direct relationship with — are required to check the DROP platform at least every 45 days and process deletion requests. This addresses one of the most frustrating gaps in previous privacy law: the existence of hundreds of data broker companies that had no easy mechanism for individual opt-out.
What the Right to Erasure Actually Covers
The legal right is more comprehensive than most people assume, but it has limits.
What deletion rights typically cover:
- Profile data: name, email address, phone number, date of birth
- Behavioural data: browsing history, purchase history, search history
- Location data: GPS records, IP address history
- Content you’ve uploaded: photos, documents, voice recordings
- Inferences and derived data: advertising profiles, interest categories, behavioural scores
What they don’t always cover:
- Data required for legal compliance (tax records, fraud prevention data, court-ordered retention)
- Data protected by freedom of expression or the public interest
- Data needed to complete a transaction you’ve explicitly requested
- Data the company claims has been anonymised
The “anonymised” exception is the most contested. Companies frequently claim that data has been anonymised when in practice it can be re-identified. Well-crafted deletion requests should ask for deletion of all data — including any the company claims is anonymised — or require the company to demonstrate that re-identification is genuinely impossible.
The Gap Between Legal Rights and Practical Reality
Knowing you have the right to delete is step one. Actually getting it done is a different experience.
Most large platforms have deletion processes, but they vary enormously in quality:
Google offers a data deletion request through its privacy dashboard, and an account deletion option that removes Google’s copy of your data within approximately two months. Google also retains some data for fraud prevention, legal compliance, and “service improvement” purposes for longer periods — the precise scope is described in documentation that’s thorough but not always easy to parse.
Meta / Facebook / Instagram has an account deletion process that takes up to 30 days to complete. The data policy specifies what this covers, but includes retention periods for certain log and backup data.
Dropbox processes deletion requests for qualifying users under GDPR and CCPA. The process requires submitting a request through a web form and waiting for a review cycle.
Data brokers are the most frustrating category. Before the California Delete Act, exercising your right against data brokers — Acxiom, LexisNexis, Intelius, and hundreds of smaller operators — required individual requests to each company. Given that there are hundreds of data brokers and each has its own process, the practical effort was enormous. The DROP platform addresses this specifically for California residents.
A Practical Deletion Checklist
If you want to exercise your data deletion rights, here’s a practical sequence:
Start with the accounts that matter most
- Email providers: If you’re leaving a service, delete the email account, not just the messages. Email addresses are anchor identifiers that connect your data across platforms.
- Cloud storage: Export any content you want to keep before submitting a deletion request.
- Social media: Instagram, Facebook, LinkedIn, Twitter/X, TikTok — all have account deletion processes. Understand the retention period each company specifies.
- Retail and shopping accounts: Amazon, eBay, and similar services hold purchase histories, shipping addresses, and payment information worth removing if you’re no longer using the account.
- Health and fitness apps: This category warrants particular care. Location data, biometrics, and health information are sensitive categories under both GDPR and CCPA, with stricter rules and higher risk of harm if mishandled.
Submit formal GDPR or CCPA requests where relevant
For services that don’t have obvious account deletion options, or where you want confirmation that derived data has also been deleted, submit a formal request:
- Identify the company’s data protection officer (DPO) contact or privacy request form. Under GDPR, this must be easily accessible.
- State clearly: “I am exercising my right to erasure under Article 17 of GDPR” (or the CCPA equivalent if applicable).
- Request confirmation of: (a) what data was held, (b) what has been deleted, (c) what data if any is being retained, and on what legal basis.
Address data brokers
If you’re in California, submit a request through the DROP platform once fully operational. If you’re outside California, you’ll need to submit individual requests — services like DeleteMe and Kanary automate this process for a subscription fee.
The Deletion Process as a Trust Signal
How easy or hard a company makes it to delete your data tells you something important about its relationship to your privacy.
Companies that have designed deletion as a first-class feature — with clear documentation, a straightforward process, and a specific commitment to when deletion completes — are signalling that they treat data as something they’re holding in trust for you, not an asset they own.
Companies that bury deletion options, require multiple escalations, define “deletion” in ways that exclude large categories of data, or create enough friction that most people give up — these are companies where your data is structurally a resource they’d prefer to keep.
This isn’t a minor usability issue. It reflects the actual orientation of the company toward your personal information.
How daftei Handles Deletion
daftei’s deletion process is deliberately clear:
When you delete your account, all your content — photos, files, voice notes, memories — enters a 30-day grace window. During this period, you can restore your account if you change your mind. After 30 days, deletion is permanent and irreversible: there is no backend copy, no “we might retain this for service improvement” exception, no data that gets reclassified as anonymised and kept.
This is the only honest approach to account deletion: either it’s permanent, or it isn’t deletion.
You can export your full archive at any time from Settings before deleting. The export is yours in a format you can use elsewhere — there’s no proprietary lock-in designed to make migration difficult.
daftei is GDPR and CCPA compliant. If you submit a formal erasure request, the process is the same as account deletion: complete, permanent, and within the timeframes required by law.
The Bigger Picture
The right to delete your personal data is not a technical formality. It’s a genuine shift in the legal landscape that gives you meaningful power over what companies know about you.
That power is only useful if you know it exists and exercise it. Most people don’t — which is precisely why terms of service are written the way they are, why deletion processes are designed to be friction-heavy, and why data broker registries exist without ordinary people ever knowing their information is in them.
The California Delete Act is a meaningful step toward making this easier. GDPR enforcement continues to impose real costs on companies that don’t take deletion seriously. The trend, slowly, is toward more usable rights.
But the most effective protection is choosing, in the first place, to give your data to companies whose business model doesn’t depend on holding it as an asset. The right to be deleted is valuable. Not needing to invoke it — because the company never wanted your data beyond the service it provides — is more valuable still.
Start with a storage provider that treats deletion as a feature, not a threat →