The right to erasure — the GDPR’s Article 17, the equivalent provisions in US state laws — is the privacy right that gets the most attention from individuals trying to manage their own digital presence. It’s easy to understand, it sounds powerful, and it produces a tangible result: you submit a request, you get a confirmation, your data is supposedly deleted.
The reality is more complicated. Erasure requests apply to the company you submit them to. They don’t apply to companies that have already received copies of your data, companies that acquired it before the request, or companies in jurisdictions where the right doesn’t apply. Data that has been shared downstream — sold, licensed, included in a data product — is not recalled by a deletion from the original source. The right to erasure is, in practice, a right to stop future data processing by a specific entity, with limited effect on existing distribution.
This isn’t an argument against using erasure requests. They’re worth submitting, especially to the major data aggregators that serve as upstream sources for others. But understanding what they do and don’t accomplish matters for setting realistic expectations.
The more durable protection is preventing data from being collected in the first place — through the kinds of practices that reduce the creation of linkable records rather than the deletion of records that already exist. This is harder, less legible, and doesn’t produce confirmation emails. It also works better over time. The deletion workflow is reactive; the minimization approach is structural. Both are worth doing, but the second one is doing more of the actual work.
The right to erasure is a useful tool in a larger toolkit. Treating it as the toolkit is where the disappointment comes from.
Doug Alexander 