Can users request their data be deleted?
Posted: Wed May 21, 2025 3:47 am
Yes, in many jurisdictions, users can request their data be deleted, a right often referred to as the "right to erasure" or "right to be forgotten." This is a fundamental aspect of modern data privacy laws designed to give individuals more control over their personal information. However, it's important to understand that this right is not absolute and comes with certain conditions and exceptions. Businesses and organizations that collect and process personal data are increasingly obligated to implement mechanisms for handling such requests.
The most prominent example of this right comes from the General Data Protection Regulation (GDPR) in the European Union and the UK. Under Article 17 of the GDPR, individuals have the right to request the deletion of their personal data without undue delay if certain grounds apply. These grounds include, but are not limited to: the data no longer being necessary for the purpose for which it vietnam mobile database was collected; the individual withdrawing their consent (and there being no other legal basis for processing); the individual objecting to the processing and there being no overriding legitimate grounds to continue; the data being unlawfully processed; or the data needing to be erased to comply with a legal obligation. This right is particularly strong for data collected from children in connection with online services.
In the United States, several state-level privacy laws have introduced similar rights to deletion. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents the right to request that businesses delete personal information collected about them. Other states, such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA), have also enacted laws with comparable data deletion rights. These laws generally require businesses to provide at least two methods for consumers to submit deletion requests, often including a toll-free number and a website form.
While the right to deletion is significant, it's not without its limitations. Organizations are not always obligated to delete data, even when requested. Common exceptions include situations where the data is necessary: to comply with a legal obligation (e.g., tax records, financial transactions that must be kept for a certain period); for the establishment, exercise, or defense of legal claims; for reasons of public interest in areas like public health, scientific or historical research, or statistical purposes (where deletion would seriously impair the achievement of those purposes); or to exercise the right of freedom of expression and information. Businesses are typically required to inform the individual if they refuse a deletion request, providing the reasons for the refusal and informing them of their right to complain to a supervisory authority or seek a judicial remedy.
The most prominent example of this right comes from the General Data Protection Regulation (GDPR) in the European Union and the UK. Under Article 17 of the GDPR, individuals have the right to request the deletion of their personal data without undue delay if certain grounds apply. These grounds include, but are not limited to: the data no longer being necessary for the purpose for which it vietnam mobile database was collected; the individual withdrawing their consent (and there being no other legal basis for processing); the individual objecting to the processing and there being no overriding legitimate grounds to continue; the data being unlawfully processed; or the data needing to be erased to comply with a legal obligation. This right is particularly strong for data collected from children in connection with online services.
In the United States, several state-level privacy laws have introduced similar rights to deletion. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents the right to request that businesses delete personal information collected about them. Other states, such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA), have also enacted laws with comparable data deletion rights. These laws generally require businesses to provide at least two methods for consumers to submit deletion requests, often including a toll-free number and a website form.
While the right to deletion is significant, it's not without its limitations. Organizations are not always obligated to delete data, even when requested. Common exceptions include situations where the data is necessary: to comply with a legal obligation (e.g., tax records, financial transactions that must be kept for a certain period); for the establishment, exercise, or defense of legal claims; for reasons of public interest in areas like public health, scientific or historical research, or statistical purposes (where deletion would seriously impair the achievement of those purposes); or to exercise the right of freedom of expression and information. Businesses are typically required to inform the individual if they refuse a deletion request, providing the reasons for the refusal and informing them of their right to complain to a supervisory authority or seek a judicial remedy.