Do Online Privacy Laws Really Protect Your Data?

In today’s world, data is currency. Companies collect information about you so they can advertise products and services, train and improve their products, and, in some cases, sell your data to the highest bidder.

But when does it go too far? At what point are you allowed to say “enough,” and ask for your data back? Can you even get it back? 

These are the questions that data privacy specialists have been asking for years. Shouldn’t some information remain private? It should, according to many security experts and some national governments. The European Union (EU) addressed data privacy with its sweeping General Data Protection Regulation (GDPR), passed in 2016. The U.S. state of California followed suit not long after with the California Consumer Protection Act (CCPA) in 2018.

Data is still a hot commodity these days but thanks to some legal protections and policies implemented by private tech companies like Alphabet, you can start asking for your data back. The ethical implications of data removal are complicated but there’s one fundamental idea that underpins it all: you should be in charge of your personal data.

The Right to Be Forgotten

There’s a saying in tech that goes “the internet is forever,” meaning once something’s published online, it stays there. But there’s been a lot of pushback on this idea in the last several years. As data collection expanded and people realized that more and more of their info was publicly available on the internet, a new concept developed, called “the right to be forgotten.”

There are several ideas behind the concept of the right to be forgotten, and these principles are at the heart of most modern data privacy laws:

• Transparency: You should know how your data is being collected, used, and stored.
• Consent: Data collectors should delete upon request, especially if you withdraw consent.
• Purpose Limitation: Organizations should only use data for the purpose it was collected for and delete it when it’s no longer necessary.
• Accountability: Organizations must handle data deletion requests responsibly.
• Fairness: Data deletion practices shouldn’t discriminate.

To be clear, the right to be forgotten and the right to privacy aren’t the same thing. The right to be forgotten is the right to revoke public access to information that was public at one time, whereas the right to privacy is the right to have private information shared in the first place.

The right to be forgotten can also be a bit narrow in scope. It usually only applies to data that is no longer being used or is no longer relevant for the purpose it was collected. For the most part, it applies to search engines and online directories, and less so to individual websites. The right to be forgotten doesn’t always equate to data deletion; in most cases, it simply means reducing the visibility of the information in question by removing it from search engine indexes.

Why Does the Right to Be Forgotten Matter?

Why does the right to be forgotten matter? Imagine you get convicted of a minor crime and it gets reported on in the local news. You pay your fine, serve your time, and now your conviction is in the past. Except it isn’t, because that local news story is still published, and still pops up as a top search result when anyone runs a Google search on your name.

Prospective employers, bank loan officers, college admissions officers, potential romantic partners—anyone can see you were convicted of this crime. So even if you’re no longer legally required to disclose this conviction, it can still be found, pretty easily.

The right to be forgotten would allow you to submit a request to Google asking for information directly related to you to be removed from search results, so it’s no longer the first thing popping up when people search your name. The local news site isn’t obligated to take it down, though, so it’s still findable, just much less visible.

There are many situations in which the right to be forgotten would be beneficial, if not essential:

• Bankruptcy
• Medical Malpractice
• Divorce
• Workplace Harassment

The Right to Be Forgotten: EU Only

It’s worth mentioning that this concept isn’t legally binding in the U.S. The GDPR extends this right to residents of the European Union, but there is no federal U.S. law that requires search engines like Google to accommodate requests to have personal information un-indexed.

The U.S. government has stated that de-indexing search results about individuals this way would be considered a violation of the First Amendment’s protection of free speech and free press.

The CCPA does allow individuals under 18 years of age to request the removal of personal information posted on websites, social media platforms, and online apps. It only applies to California, though, and it’s the only state-level legislation of its kind for now.

Some privately-owned news organizations have started their own data deletion programs, allowing individuals convicted of minor crimes to request to have stories about them deleted.

In 2022, Google also introduced a search tool that lets you find and request the “removal of search results that contain your personal phone number, home address or email address.” You should ideally contact the website with your information published on it first, but if that doesn’t work, Google may try to delete info that could put you at risk for identity theft.

U.S. States with Data Privacy Laws

Although the right to erasure may not be a federal-level law in the U.S., the privacy movement is taking hold. More and more states are introducing data privacy laws meant to protect individuals from having private or personal details published online.

In many cases, it goes beyond privacy—it’s also a question of safety. Having personally identifiable information published online could make it easier for someone to steal your identity. Some states are, therefore, taking a stand and trying to protect their residents’ data online.

Here are the U.S. states with data privacy laws:

• California
• Colorado
• Connecticut
• Delaware
• Florida
• Indiana
• Iowa
• Kentucky
• Maryland
• Minnesota
• Montana
• New Hampshire
• Nebraska
• New Jersey
• Oregon
• Rhode Island
• Tennessee
• Texas
• Utah
• Virginia

Some states don’t have comprehensive data privacy laws, but they do have some narrower consumer privacy laws on the books:

• Maine
• Michigan
• Nevada
• New York
• Vermont
• Washington

How to Get Your Data Removed

If you want to have personal information about you removed online, there’s probably one of several ways to do it. It depends on where the information you want to remove is hosted:

• Public website (such as a news media site): You’ll have to contact the webmaster in charge of the website, in most cases. There may be a process or form to fill out, but in many cases you’ll just have to send an email and ask.
• Data broker websites: Some of the biggest data brokers in the U.S. are Experian, Equifax, Epsilon, Acxiom, and CoreLogic. If you want to get your information removed from their databases, you’ll have to contact them or go through specific processes as well. You can use a personal data scan tool to find out what data brokers have on you and a tool like Incogni to get it removed.
• Search engines: If you’re in the U.S., you can go to Google’s Remove My Data tool to request to have your info removed. If you’re in the EU, you can submit a delisting request.

If you’re asking Google to remove your data from search listings, keep in mind that Google reviews each request and there’s no guarantee that yours will be granted. The GDPR does require Google to accommodate requests but also gives it some authority to evaluate if matters are of “the public interest” and should really be taken down or not.

In the U.S., Google isn’t even legally obligated to acknowledge your request, and the Remove My Data tool is an initiative the company launched on its own.

Asking for a Copy of Your Data: Data Subject Access Requests

The GDPR also established the concept of the Data Subject Access Request (DSAR). It’s the technical term that means you’re asking for a copy of the data a company has on you. In the EU, organizations are required to give you this information when you ask for it.

In the U.S., it’s more complicated. The CCPA requires compliance with DSAR requests, and any U.S.-based organizations processing data of EU residents must also comply.

Data Deletion Ethics: It’s Your Information on the Line

Online privacy laws have come a long way, and you can take a little bit more control of how your information appears online. But there’s still a long way to go. Most individuals would be shocked to know how much information is publicly available about them. Some have had to deal with past mistakes for far longer than necessary because “the internet is forever.”

If you’re worried about what might be floating around on the web about you, you should take a proactive stance and find out. Then, do what you can to get it removed. Even if it’s not fully removed from the website that originally published it, you might have the ability to get it delisted from search results.

Take back control of your data and protect your privacy.