How can I request complete deletion of my personal data and what rights apply in the EU and California?
Executive summary
Two parallel but different regimes give people powerful deletion rights. The EU’s GDPR grants a broad “right to erasure” (the familiar “right to be forgotten”) that can force controllers to delete personal data and to take reasonable steps to purge links and copies, while California’s CCPA/CPRA provides a consumer “right to delete” with narrower scope and a set of statutory exceptions. Practical deletion requires a verifiable request to the data controller or business and often runs against legal and operational limits that allow retention (for example, to comply with law or preserve freedom of expression) [1] [2] [3].
1. How deletion works in the EU: the legal hook and basic steps
Under the GDPR, an individual can request erasure under Article 17. Controllers have an obligation, subject to specific exceptions, to erase personal data without undue delay and to take reasonable technical steps to inform third parties processing the data to erase links and copies [1] [4]. In practice, the route is to identify the data controller, submit a verifiable erasure request (often in writing or via a company’s privacy portal), and follow any company procedures (for example, contacting privacy@optimizely.com where Optimizely is the controller) so the controller can locate and delete records [1].
2. How deletion works in California: who, what and how it’s narrower
California law gives residents a right to request deletion of personal information a business has “collected from” the consumer and imposes procedural deadlines (businesses generally have 45 days to respond to a verifiable request), but the CCPA/CPRA’s deletion right is more limited in scope than the GDPR because it may not reach data obtained about a consumer from other sources and is subject to a list of statutory exceptions [5] [3] [6].
3. Common exceptions and practical limits that stop “complete” deletion
Both regimes list important exceptions: controllers can refuse erasure when retention is necessary to exercise freedom of expression, comply with a legal obligation, detect wrongdoing, or for public interest research and other statutory grounds; California separately enumerates nine deletion exceptions including legal compliance and certain internal uses, so a deletion request can be lawfully denied or only partially honored [2] [7] [5].
4. What “complete” deletion actually means and third-party copies
GDPR requires reasonable steps to notify third parties to erase copies and links, but it does not guarantee absolute removal from every cache, paper record, or third-party archive; similarly in the U.S. ecosystem a business can delete data it controls but cannot always force unrelated third parties or search engines to purge cached copies, and practical limits (backups, logs, pseudonymized data) mean deletion is often a best-efforts, not binary, outcome [4] [8].
5. Practical checklist: how to request deletion and push back if refused
Prepare a verifiable request that identifies the controller or business, specify the data to erase, and prove identity as required. Use the business’s published privacy request channels (email, web form, or the controller’s contact such as privacy@optimizely.com where offered). Expect a statutory response window (about 45 days in California; GDPR requires prompt action without undue delay). If denied, cite the legal ground and escalate to the supervisory authority in the EU or to the California Privacy Protection Agency/attorney general, or pursue statutory remedies under California law [1] [5] [9] [10].
6. New developments and enforcement angles to watch
California is expanding deletion tools targeting data brokers—a universal deletion mechanism under the California Delete Act will let consumers request broad broker-level removals and gives the California Privacy Protection Agency enforcement power—while EU enforcement continues to emphasize wide territorial reach and heavy fines for noncompliance, so deletion rights are increasingly backed by regulatory tools even as debates about scope and speech exceptions persist [10] [11] [9].