Erasing Illusions: A Statutory Framework for Deletion in U.S. Data Privacy

Authors

Kirsten Worden

Document Type

Comment

Abstract

Since the passage of the California Consumer Privacy Act in 2018, states have rushed to pass their own consumer data protection laws, filling the glaring absence of comprehensive federal privacy law in the United States. These state privacy statutes are largely modeled after the European Union’s (“EU’s”) General Data Protection Regulation (“GDPR”), which introduced the “right to be forgotten.” This right permits EU residents to request that organizations delete their personal information. U.S. state laws have followed the GDPR by adopting a “right to delete.” Yet these new state laws provide little detail about the right to delete and lack mechanisms to ensure enforcement, meaning the U.S. right to delete offers a hollow promise of consumer control. Moreover, the current U.S. privacy regime—including state common law, enforcement by state attorneys general, sector-specific federal laws, and actions by the Federal Trade Commission—fails to compensate for the bare-bones approach to deletion rights employed at the state level. Privacy statutes should include a combination of individual deletion rights and “structural” business requirements to fully protect deletion interests and create meaningful consumer control. Statutes should include broadly drafted deletion provisions, verification requirements, a private right of action, data destruction requirements, data mapping requirements, third-party deletion obligations, and agency reporting mechanisms.

DOI

10.37419/LR.V12.I2.10

First Page

925

Last Page

960

Recommended Citation

Kirsten Worden, Erasing Illusions: A Statutory Framework for Deletion in U.S. Data Privacy, 12 Tex. A&M L. Rev. 925 (2025).
Available at: https://doi.org/10.37419/LR.V12.I2.10