Key Takeaways
- •A valid request triggers a hard clock. Under the CCPA a business has 45 calendar days to respond, extendable to 90 with notice. Under GDPR Article 17 the controller must act 'without undue delay' and in any event within one month.
- •Deletion does not stop at the customer database. California AB 1008, effective January 1, 2025, expanded the CCPA definition of personal information to reach data embedded in AI systems, including model weights and tokens.
- •There is a real gap between what the law demands and what the technology can do. Once your data is baked into model weights, providers like OpenAI and Google concede that the only way to fully remove it is to retrain the model, which they rarely do.
- •The right is not absolute. Both GDPR and the CCPA carve out retention for legal compliance, fraud prevention, completing a transaction you asked for, and defending legal claims.
- •California's DROP platform (Delete Request and Opt-Out Platform) launched in January 2026 and lets you send one deletion request to 500-plus registered data brokers at once; brokers must honor it starting August 1, 2026.
- •If a company trained on data it had no right to use, the FTC can order 'algorithmic disgorgement,' meaning destruction of the model itself, as it did with Rite Aid in December 2023.
Reviewed for accuracy by the document.com legal team. Educational information, not legal advice.
What Is AI Data Deletion Request (Right-to-Delete / Right-to-Erasure)?
An AI data deletion request is a written demand that an artificial intelligence company erase the personal data it holds about you, including data already absorbed into its trained models. It is the AI-era version of two older privacy rights: the GDPR's right to erasure and the CCPA's right to delete. What makes it different is scope. A traditional deletion request clears your name from a customer relationship management system. An AI deletion request asks the company to go further and account for data that may now live inside a model's weights, training corpus, fine-tuning sets, prompt logs, and embeddings.
The request identifies you precisely enough that the company can locate your records, then states the legal basis that obligates the company to act. That basis is usually GDPR Article 17 if you are in the EU or the UK, the California Consumer Privacy Act if you are a California resident, or one of the dozen-plus other US state privacy laws that now mirror those rights. A well-drafted request names the statute, the response deadline, and the specific categories of data you want gone.
This is not a polite opt-out email. Opting out of future training (clicking a toggle in a privacy dashboard) only stops new collection. A deletion request reaches backward at data the company already has. The two are often confused, and companies sometimes answer a deletion demand by pointing you to an opt-out toggle. That is not compliance, and the distinction matters when you escalate to a regulator.
Why This Matters Now
The legal floor moved in 2025. California AB 1008 took effect January 1, 2025, and was the first US law to say in plain terms that 'personal information' under the CCPA includes data that exists inside an AI system, naming model weights and tokens. Before AB 1008, a company could plausibly argue that once your data was statistically blended into a model, it was no longer 'your' personal information. That argument is now much weaker in California, and the rest of the country tends to follow California on privacy.
Enforcement infrastructure that did not exist two years ago is now live. The California Privacy Protection Agency announced in November 2025 that its DROP platform opened to consumers, and the DELETE Act's data-broker obligations switch on August 1, 2026. The European Data Protection Board ran a coordinated enforcement action on the right to erasure across member states and adopted its Erasure Report on February 10, 2026. Regulators are actively measuring whether companies actually delete data when asked.
The OpenAI litigation showed how fragile your deletion rights can be in practice. On May 13, 2025, a federal magistrate judge ordered OpenAI to preserve ChatGPT user logs, including conversations users had deleted, because of the New York Times copyright case. That order stood until October 9, 2025, when the same judge lifted it and allowed deletion to resume. For roughly five months, 'delete' did not mean delete, and most users never knew. A formal written request creates a paper trail that matters if your data is later mishandled.
AI providers have quietly conceded the technical limit. OpenAI, Google, and others now acknowledge in their own help documentation that the only way to completely remove an individual's data from a trained model is to retrain it from scratch, which is prohibitively expensive and almost never done for one person. That concession is exactly why a written request, with a named statute and a deadline, gives you leverage you would not have from a support ticket.
The Legal Backbone
GDPR Article 17: the right to erasure ('right to be forgotten')
Article 17 of the EU General Data Protection Regulation gives a data subject the right to have their personal data erased 'without undue delay' when one of six grounds applies: the data is no longer necessary for the purpose it was collected; you withdraw consent and there is no other legal basis; you object to the processing under Article 21 and no overriding legitimate interest survives; the data was processed unlawfully; erasure is required by EU or member-state law; or the data was collected from a child for online services. The controller normally has one month to respond. The right is not unconditional. Article 17(3) lets a controller keep data where processing is necessary for freedom of expression, compliance with a legal obligation, public health, archiving and research in the public interest, or the establishment, exercise, or defense of legal claims. The European Data Protection Board's Opinion 28/2024, issued December 18, 2024, addressed how these rules apply to AI models and made clear that data unlawfully used in training creates serious exposure, up to and including an order to delete the model.
CCPA right to delete: California Civil Code section 1798.105
Section 1798.105 gives California consumers the right to request that a business delete personal information the business collected from them, and to direct the business's service providers and contractors to do the same. The response window is 45 calendar days, extendable to a total of 90 days where the business notifies you of the extension and the reason. Section 1798.105(d) lists the situations where a business may decline, which include completing a transaction you requested, detecting security incidents and fraud, complying with a legal obligation, and certain internal uses reasonably aligned with your expectations. California AB 1008, effective January 1, 2025, amended the underlying definitions so that 'personal information' reaches data 'in the form of' an AI system, which is the hook for asking that a model, not just a database row, be addressed. AB 1223 added 'neural data' to the CCPA's sensitive-personal-information category the same day.
California DELETE Act (SB 362) and the DROP platform
Senate Bill 362, the Data Broker Deletion Act of 2023, created a single state-run channel for deletion. The Delete Request and Opt-Out Platform, DROP, became available to California residents in January 2026. Starting August 1, 2026, every registered data broker must check DROP at least once every 45 days, must process matching deletion requests within 45 days of retrieving them, and must keep doing so. Brokers also have to register annually with the California Privacy Protection Agency and disclose the categories of data they collect and share. Non-compliance carries administrative fines. With more than 500 brokers registered, DROP turns what used to be hundreds of individual letters into one submission.
The EU AI Act and the retention conflict
The EU AI Act becomes fully applicable on August 2, 2026, with penalties for high-risk systems reaching the greater of 15 million euros or 3 percent of worldwide annual turnover. The Act pulls in the opposite direction from GDPR Article 17. To prove a high-risk system was built responsibly, providers must keep training-data documentation and audit trails, in some cases for up to ten years. So one body of EU law tells a company to delete your data quickly while another tells it to retain records of how the data was used. Regulators have not fully resolved the tension, which is why a deletion request to an AI provider may meet a 'legal obligation' objection rooted in AI Act recordkeeping. That objection has limits and should be tested, not accepted at face value.
FTC Section 5 and algorithmic disgorgement
Outside the privacy statutes, the Federal Trade Commission uses Section 5 of the FTC Act, which bars 'unfair or deceptive' practices, to police AI data handling. Its sharpest remedy is algorithmic disgorgement: an order to destroy not just the wrongfully collected data but the models and algorithms derived from it. In the December 2023 Rite Aid settlement, the FTC required the company to delete photos and videos used for facial recognition and 'any data, models, or algorithms derived in whole or in part therefrom,' and to direct third parties holding the tainted data to do the same. The FTC ordered similar deletions against Amazon (Ring and Alexa), Edmodo, Avast, and WeVenue. Enforcement posture has softened: in December 2025 the FTC reopened and set aside its Rytr consent order, signaling a narrower focus on clearly deceptive conduct rather than speculative harm. The disgorgement tool remains on the books.
States with a Comprehensive Consumer-Privacy Law
A growing number of states now have a comprehensive consumer-privacy law that governs how personal data, including data used by AI, may be collected and used. The states below have one in force or enacted.
| State | Comprehensive privacy law |
|---|---|
| California | California Consumer Privacy Act (CCPA), California Civil... |
| Virginia | Virginia Consumer Data Protection Act (VCDPA), Virginia... |
| Colorado | Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq. |
| Connecticut | Connecticut Data Privacy Act (CTDPA), Connecticut General... |
| Utah | Utah Consumer Privacy Act (UCPA), Utah Code § 13-61-101 et... |
| Montana | Montana Consumer Data Privacy Act (MCDPA), Montana Code... |
| Oregon | Oregon Consumer Privacy Act (OCPA), Oregon Revised Statutes... |
| Texas | Texas Data Privacy and Security Act (TDPSA), Texas Business... |
| Florida | Florida Digital Bill of Rights (FDBR), Florida Statutes §... |
| Arkansas | Arkansas Online Privacy Act (AOPA), HB 1717, codified at... |
| Delaware | Delaware Personal Data Privacy Act (DPDPA), Delaware Code... |
| Iowa | Iowa Consumer Data Protection Act (ICDPA), Iowa Code §... |
| New Hampshire | New Hampshire Privacy Act (NHPA), New Hampshire Revised... |
| New Jersey | New Jersey Data Protection Act (NJDPA), New Jersey Revised... |
| Nebraska | Nebraska Data Privacy Act (NDPA), Nebraska Revised Statutes... |
| Tennessee | Tennessee Information Protection Act (TIPA), Tennessee Code... |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA), Minnesota... |
| Maryland | Maryland Online Data Privacy Act (MODPA), Maryland Code... |
| Indiana | Indiana Consumer Data Protection Act (ICDPA), Indiana Code... |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA), Kentucky... |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act... |
| Oklahoma | Oklahoma Consumer Data Privacy Act (OCDPA), Oklahoma Senate... |
Compiled from primary state statutes and verified against legislative sources in 2026. Privacy laws are being enacted and amended rapidly; confirm current obligations.
What an AI data deletion request should contain
Start with unambiguous identification. A company cannot delete what it cannot find, and it is entitled to verify that you are who you say you are before erasing records, since a deletion request from an impostor is itself a privacy attack. Give your full legal name, any aliases or maiden names the company might have on file, the email addresses and phone numbers you used with the service, account usernames, and approximate dates of use. If you signed up under a work email three years ago and a personal one last year, list both. The more precise your identifiers, the harder it is for the company to claim it could not locate your data.
State your jurisdiction and the legal basis in the same breath. The recipient's obligations differ depending on where you live. If you are a California resident, say so and cite Civil Code section 1798.105. If you are in the EU or the UK, invoke GDPR Article 17 and, where it fits, name the specific ground (for example, 'I withdraw my consent and you have no other lawful basis'). If you live in a state with its own privacy law, such as Colorado, Connecticut, Texas, Virginia, or Oregon, name that statute. A request that names the right law signals you know the rules and shortens the company's room to deflect.
Define the data you want erased, broadly but concretely. Ask for deletion of the personal data the company collected from you and, critically, ask it to address that data wherever it now lives: in production databases, backups, logs, analytics systems, and AI training datasets, fine-tuning sets, embeddings, and model weights. The AB 1008 language about data 'in the form of' an AI system is what makes the model-level ask legitimate in California. Even where you cannot force full retraining, putting the request in writing forces the company to document its position, which is what you want if you later complain to a regulator.
Demand a written response with specifics. Ask the company to confirm in writing what it deleted, what it retained, and the legal exception it relies on for anything retained. A bare 'your request has been processed' is not enough to evaluate compliance. Set the statutory deadline explicitly: 45 days for the CCPA, one month for GDPR. Ask the company to instruct its service providers, processors, and any downstream recipients of your data to delete it too, which both the CCPA and GDPR Article 17(2) contemplate.
Anticipate the lawful refusals. The company may keep data it needs to complete a transaction you asked for, to comply with a legal obligation, to detect and prevent fraud and security incidents, or to establish or defend a legal claim. Expect the response to invoke one or more of these grounds; the statutes draw all of them narrowly. A company cannot retain your entire profile because one field is subject to a legal hold. If a refusal looks broader than the exception it cites, that is your cue to push back or escalate. Keep your own copy of the request and every reply, with dates.
When You Need This
You stopped using an AI product (a chatbot, a voice assistant, a photo app) and want your account history, prompts, uploads, and any model-training contribution erased.
You discovered that a company scraped or licensed content containing your personal data, your face, your voice, or your writing, and used it to train a model without your permission.
You are a California resident and want to use the new DROP platform to clear yourself from hundreds of data brokers at once, or you want to send a parallel direct request to a specific AI provider.
You are in the EU or UK and want to exercise your GDPR Article 17 right to erasure against an AI company, including a demand that it address data embedded in its models.
A data breach exposed information you gave to an AI service, and you want everything the company holds about you deleted to limit further exposure.
You withdrew consent to processing and want to confirm the company actually removed your data rather than merely toggling off future collection.
You are a parent removing a child's data from an AI service, where children's-privacy rules and the CCPA's heightened protections give you a stronger hand.
You are documenting a paper trail before filing a complaint with a regulator (the California Privacy Protection Agency, a EU data protection authority, or the FTC) and need a formal, dated request on the record.
How to Fill Out AI Data Deletion Request (Right-to-Delete / Right-to-Erasure)
1. Identify every place your data might live
List the AI products and companies you have used or that you believe hold your data: chatbots, voice assistants, image generators, the data brokers that feed them, and any service that may have scraped your public content. Note your account identifiers for each. If you cannot tell whether a model was trained on your data, send the request anyway; the company then has to work out what it holds and answer you within the statutory window.
2. Confirm which law applies to you
Pin down your jurisdiction. California residents use Civil Code section 1798.105 and, for brokers, the DROP platform. EU and UK residents use GDPR Article 17. Residents of other US states with comprehensive privacy laws cite their own statute. If more than one applies, cite all of them; companies operating in multiple regions must honor the strongest right that reaches you.
3. Gather your verification details
Collect the identifiers the company will need to locate and verify your records: full legal name, prior names, all email addresses and phone numbers tied to the account, usernames, and rough dates of use. Expect a verification step. Companies are required to confirm your identity before deleting, and a sloppy request invites a 'we could not verify you' brush-off.
4. Draft the request with statute, scope, and deadline
Write the demand. Name the controlling statute, state that you are exercising your right to delete or erase, and define the data: account data, prompt and conversation logs, uploads, analytics, backups, and AI training datasets, fine-tuning sets, embeddings, and model weights. Set the deadline (45 days for CCPA, one month for GDPR) and ask for a written accounting of what was deleted and what was retained.
5. Demand downstream and processor deletion
Add an explicit instruction that the company direct its service providers, processors, contractors, and any third parties it shared your data with to delete it as well. The CCPA requires the business to pass the request along, and GDPR Article 17(2) requires controllers who made data public to take reasonable steps to inform other controllers. Spelling this out closes the gap where data simply migrates to a partner.
6. Submit through the right channel and time-stamp it
Send the request to the company's designated privacy contact, data protection officer, or privacy portal, not a general support inbox. California residents can also submit through DROP for registered brokers. Use a method that produces a dated record: a portal confirmation, a tracked email, or certified mail for high-stakes matters. Save the confirmation.
7. Track the deadline and evaluate the response
Calendar the deadline. When the company responds, read it against the exceptions. A 'we retained X to comply with our legal obligation' answer can stand, provided the retention is narrow and the company names the actual obligation. A vague confirmation, an opt-out toggle offered in place of deletion, or a blanket refusal is not. If the company misses the deadline or over-retains, send a follow-up citing the specific failure.
8. Escalate if the company stalls or refuses
If the response is inadequate, escalate to the right regulator: the California Privacy Protection Agency or the California Attorney General for CCPA matters, your national data protection authority (or the lead authority) for GDPR, and the FTC where the conduct looks unfair or deceptive. Attach your dated request and the company's reply. A clean paper trail is what turns a complaint into an investigation. This page is general information, not legal advice; confirm current deadlines and your specific rights before you escalate.
Key Terms Defined
- Right to erasure (right to be forgotten)
- The GDPR Article 17 right of a data subject to have their personal data deleted without undue delay when one of six legal grounds applies. Often called the 'right to be forgotten,' though the regulation's formal term is erasure.
- Right to delete
- The parallel right under the CCPA (California Civil Code section 1798.105) and most other US state privacy laws, letting a consumer ask a business to delete the personal information it collected from them, subject to statutory exceptions.
- Algorithmic disgorgement
- An FTC remedy under Section 5 of the FTC Act requiring a company to destroy not only data it collected unlawfully but the models, algorithms, and products built from that data. Imposed on Rite Aid in 2023 and on Amazon's Ring and Alexa among others.
- Machine unlearning
- A set of techniques meant to remove the influence of specific training data from a model without retraining it from scratch. As of 2025 and 2026, ICLR research shows approximate unlearning often fails to fully erase a record's traces, and no standardized method proves complete erasure, so regulators have not accepted it as equivalent to deletion.
- Model weights
- The numerical parameters a model learns during training. Once your personal data shapes these weights, it is statistically embedded rather than stored as a retrievable record, which is why true removal usually requires retraining. California AB 1008 expressly brought model weights within the CCPA definition of personal information.
- Data broker
- A business that collects and sells personal information about consumers it has no direct relationship with. Under California's DELETE Act, registered brokers must check the DROP platform every 45 days and honor matching deletion requests starting August 1, 2026.
Related Documents
AI data deletion request vs. AI training opt-out
A deletion request reaches backward and demands erasure of data the company already holds, including, where the law allows, data inside its models. An opt-out only stops the company from using your data for future training. Companies sometimes offer an opt-out toggle in answer to a deletion demand, but the two are legally distinct and an opt-out does not satisfy a right-to-delete request. Send the deletion request first to clear what the company already holds, then set the opt-out so nothing new feeds future training.
GDPR Article 17 vs. CCPA right to delete
Article 17 applies to EU and UK data subjects, runs against any controller, gives six grounds for erasure, and sets a one-month response window. The CCPA applies only to California residents, runs against 'businesses' as defined in the statute, and sets a 45-day window extendable to 90. GDPR's territorial reach is broader and its enforcement fines can be larger, while the CCPA's AB 1008 amendment gives unusually explicit language about data inside AI systems. If both reach you, cite both.
Direct request to an AI provider vs. California DROP submission
A direct request goes to one named company's privacy contact or portal and can target a specific service, account, and dataset, including a model-level ask. A DROP submission goes once to the state platform and reaches every registered data broker at once, but it covers brokers rather than every AI company and only carries enforceable broker obligations from August 1, 2026. Use DROP to clear the broker ecosystem in bulk, and a direct request for the specific provider you actually used.
Legal Authorities & Sources
This page is grounded in primary law. The statutes and official resources below are the authorities behind the guidance above. Verify the current text of any statute before relying on it.
- Art. 17 GDPR, Right to erasure ('right to be forgotten')
- California Consumer Privacy Act (CCPA), California Department of Justice
- About DROP and the DELETE Act, privacy.ca.gov
- California Privacy Protection Agency, DROP launch announcement (Nov. 2025)
- EDPB Opinion 28/2024 on AI models and data protection
- Securiti, California AB 1008 and AI personal data
- Rite Aid FTC settlement on facial recognition, InsidePrivacy
- ICLR 2025, Machine unlearning fails to remove data influence
Frequently Asked Questions
Create your AI Data Deletion Request (Right-to-Delete / Right-to-Erasure) in minutes.
Answer a few questions and download a clear, attorney-drafted document that cites the controlling law and is ready to sign.