If you run a business (or you’re building one), you’ve probably had that moment where you realise just how much information about people lives online - on websites, social media, customer databases, and search results.
That’s where the “right to be forgotten” comes in. It’s a concept that sounds simple (delete my data), but in practice it’s tied up with privacy law, public interest, record-keeping obligations, and how your business actually uses information day-to-day.
This update reflects how privacy expectations and enforcement have matured in recent years, especially as more Kiwi businesses operate online, collect analytics, and use digital marketing tools as part of normal operations.
What Does “Right To Be Forgotten” Actually Mean?
The “right to be forgotten” is generally understood as a person’s ability to ask an organisation to remove or delete personal information about them in certain circumstances.
People often associate it with Google search results and European privacy law, where the GDPR sets out an express “right to erasure” (Article 17). But in New Zealand, it’s not a single, standalone “right” set out in one neat clause.
Instead, in NZ it usually shows up through a combination of rights and obligations under the Privacy Act 2020 and its information privacy principles (IPPs), including:
- The right to access personal information held about you (IPP 6), so you know what’s there.
- The right to request correction of personal information that’s wrong or misleading (IPP 7).
- Limits on retention (IPP 9): an agency must not keep personal information for longer than it is required for the purposes for which it may lawfully be used.
- Expectations around fairness in how information is collected (IPP 4), used (IPP 10) and disclosed (IPP 11), plus a duty to protect it with reasonable security safeguards (IPP 5).
So when someone says, “I want to be forgotten,” what they usually mean is one of these practical outcomes:
- They want you to delete their customer account and associated data.
- They want you to stop marketing to them and remove them from mailing lists.
- They want an old review, testimonial, photo or blog post removed.
- They want you to stop publishing information that identifies them.
- They want a platform (like a search engine) to de-index a page about them.
The key point for business owners is this: you can’t assume every “delete my data” request must be granted. But you also can’t ignore it - you need a proper process and a legally sensible response.
How Does The Right To Be Forgotten Work In New Zealand Under The Privacy Act 2020?
In New Zealand, requests that look like “right to be forgotten” requests will usually be handled under the Privacy Act 2020 and its information privacy principles (IPPs).
While the principles don’t say “you must delete everything whenever someone asks,” they do create strong obligations that often lead to deletion where it’s appropriate.
When Deletion Is Often The Sensible (And Expected) Outcome
Even though “deletion” isn’t always the exact legal term used, in practice you should consider deleting personal information where:
- You no longer need it for the purpose you collected it for (for example, the service was delivered long ago and there’s no ongoing relationship).
- The person withdraws consent and you don’t have another lawful reason to keep using the data.
- Keeping the information creates unnecessary privacy risk (for example, storing old ID documents or outdated sensitive information).
- The information is inaccurate and can’t reasonably be corrected, or shouldn’t be kept in the first place.
This is why having a clear Privacy Policy and a practical internal process matters. If you’re collecting data, you need to be able to explain what you’re collecting, why you need it, and how long you keep it.
There are also plenty of situations where you may be justified in refusing to delete information - or where deletion would actually create other legal or commercial problems.
Common examples include where you need to keep information for:
- Legal compliance (for example, tax and accounting record-keeping).
- Resolving disputes or enforcing your contracts (for example, where there’s an unpaid invoice, chargeback, or warranty claim).
- Establishing what happened if there’s a complaint, investigation, or safety incident.
- Employment record-keeping (for example, employment agreements, wage and time records, and disciplinary documentation).
This is where it’s important not to treat privacy as a “delete everything” exercise. Privacy compliance is really about being thoughtful, fair, and proportionate - and documenting your reasons.
If you handle staff information, privacy also intersects with your overall workplace rules and contracts. For example, your Employment Contract and related policies often set expectations about confidentiality, device use, and what happens to business systems access when employment ends.
Personal information is any information about an identifiable individual. It’s broader than many business owners expect.
Depending on your business, it can include:
- Names, addresses, phone numbers, email addresses
- Customer order history and invoices
- IP addresses and device identifiers (where linked to an individual)
- Photos and videos (including CCTV if someone is identifiable)
- Customer support messages and call recordings
- Health information or other “sensitive” information
- Reviews and testimonials that identify a person
One area that catches businesses out is marketing data. If you run email campaigns, you may be collecting and storing:
- Subscription status and consent records
- Tracking data (opens, clicks, browsing behaviour)
- Segment tags (for example “high value customer” or “interested in X”)
If someone asks you to be “forgotten,” you’ll need to separate out what you can delete, what you should keep, and what you must keep for compliance or legitimate business purposes.
What About Public Content (Reviews, Articles, Social Media)?
This is where the concept gets tricky. If information is publicly available (for example, a review on your Google Business Profile, or a tagged social media post), you may not have full control over it.
But you still have responsibilities if:
- You published it (for example, you posted a client story or testimonial on your website).
- You control the platform (for example, your own website or community forum).
- You’re continuing to share it in marketing materials.
If you publish testimonials or case studies, it’s a smart move to use clear written permissions so you know what you can keep using and what you’ll take down if consent is withdrawn. If you’re unsure what documentation you need, a tailored Model Release Form can help where images or likeness are involved.
When Can A Business Refuse A “Right To Be Forgotten” Request?
It’s completely normal to feel uneasy when a customer (or former customer) demands that you erase everything immediately.
The good news is: NZ privacy law recognises that deletion isn’t always appropriate. You can sometimes refuse a request, or partially comply, as long as your decision is lawful and reasonable.
Common Lawful Reasons To Refuse Or Limit Deletion
You may be justified in refusing, or in keeping certain records, where:
- You’re legally required to keep it (for example, financial records, minimum retention periods, or other statutory obligations).
- The information is needed for a legitimate business purpose that’s not overridden by the person’s privacy interests (for example, managing a dispute or enforcing payment).
- Deleting it would be misleading or would compromise record integrity (for example, deleting key transaction details could create inaccurate accounts).
- You need it for health and safety reasons (for example, incident reports where a person is involved).
Just as importantly, even where you refuse deletion, you should still consider whether you can:
- Stop using it for marketing
- Restrict access internally to only people who genuinely need it
- De-identify or anonymise the data so it’s no longer “personal information”. Be careful here: replacing a name with a customer number or a hashed email is only pseudonymisation if you (or a supplier) still hold the key or lookup table that links it back, and the record then remains personal information.
- Put a note on file about the request and your decision
Be Careful With “We Need It For Our Records”
A vague reason like “we need it for our records” often isn’t enough on its own.
If you’re going to keep someone’s personal information after they’ve asked for deletion, you should be able to articulate:
- What specific information you’re keeping
- Why you need to keep it
- How long you’ll retain it
- How you’re keeping it secure
From a risk management perspective, it’s also worth checking whether your customer-facing terms line up with your privacy position. For example, strong Business Terms can help you manage disputes and record-keeping expectations in a way that’s consistent with privacy obligations.
What Should You Do If Someone Asks To Be Forgotten?
If you receive a request (by email, social media DM, support ticket, or even in person), don’t stress - but don’t ignore it either.
The most practical approach is to treat it like a structured privacy request and run through a clear checklist.
Step-By-Step: Handling A Deletion Request
1. Confirm what they’re asking for. People might say “delete everything” when they really mean “stop emailing me” or “remove my testimonial.” Clarify the scope early.
2. Confirm their identity (where appropriate). You don’t want to delete or disclose information to the wrong person, and a deletion request can itself be a way to damage someone else’s account or to fish for information about them. If you’re dealing with sensitive data, take reasonable steps to confirm identity, for example by replying through the contact details already on file rather than trusting a new email address or social media profile, and don’t collect more identity information than you need to verify the request.
3. Locate the data across your systems. Think beyond your CRM. Check email marketing tools, booking platforms, payment providers, cloud storage, internal notes, archived files, and backups. Backups are usually purged on their normal rotation rather than immediately; say so in your response.
4. Work out what you can delete vs what you must keep. Separate “optional” data (like marketing preferences) from “required” records (like invoices).
5. Delete, de-identify, or restrict access. If you can’t delete it, consider restricting use and access. De-identification can be a good middle ground if you still need the information for analytics.
6. Respond in writing. Confirm what you’ve done, what you’ve kept (if anything), and why. Keep the tone calm and factual.
7. Document the request and your decision. If the Privacy Commissioner ever asks how you handled it, you’ll want a clear record.
If you’re collecting personal information through your website, it’s also worth reviewing whether your privacy settings and disclosures match what you’re actually doing (cookies, analytics, embedded tools, contact forms, etc.). A practical Privacy Collection Notice is often the missing piece for businesses that have a decent privacy policy but don’t clearly explain collection at the point of entry.
What If The Request Is About Google Search Results?
If someone asks you to remove search results about them, there are usually two separate issues:
- Removing the content at the source (your website or platform you control)
- De-indexing (search engines stopping the page appearing in results)
If you control the content, removing or updating it will usually resolve the issue over time as search engines re-crawl your site. Make sure the removed page actually returns a 404 or 410 status (not a redirect, and not a “page not found” message served with a 200), otherwise the cached snippet can linger in results. If you don’t control it (for example, it’s on a third-party review platform), your options are more limited: de-indexing is then a request to the platform or the search engine, and you can still consider whether the content breaches platform policies or is defamatory (which is a separate legal area).
How Can You Reduce “Right To Be Forgotten” Risk In Your Business?
The easiest way to handle deletion requests is to avoid collecting and keeping unnecessary personal information in the first place.
That doesn’t mean you can’t use data to grow your business - it just means you should be intentional, transparent, and secure from day one.
Practical Privacy Habits That Make A Big Difference
- Only collect what you need (and be clear about why you need it).
- Set retention periods for common categories of information (marketing lists, enquiry forms, old customer accounts).
- Build deletion into your workflow (for example, automate deletion of old leads after X months if there’s no ongoing purpose).
- Limit access internally so only team members who need customer data can view it.
- Train your team on what to do if a privacy request comes in (especially if you have customer support staff).
- Have a response plan so you’re not scrambling if there’s a complaint or data breach. Under the Privacy Act 2020, a privacy breach that is likely to cause serious harm must be notified to the Privacy Commissioner and, generally, to the affected people, so the plan should cover how you assess that quickly.
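To make the step-by-step checklist above and the “build deletion into your workflow” habit concrete, here is an added worked example (not code from the original article or from Sprintlaw). It triages one person’s records across several systems into delete / retain / de-identify, produces the written outcome and the audit record, and runs a scheduled sweep of stale leads. The record model, system names, categories, the 7-year invoice period and the 180-day lead age are illustrative assumptions, not statements of NZ law.

```python
"""Deletion-request triage plus a scheduled retention sweep (added example).

The record model, system names, retention periods and categories below are
assumptions for illustration, not a description of any real system or of NZ law.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
import secrets


@dataclass(frozen=True)
class Record:
    system: str        # where it lives, e.g. "crm", "mailer", "accounting", "helpdesk"
    category: str      # "marketing", "invoice", "support_ticket", "lead"
    email: str         # direct identifier used to locate the subject's data
    created: date
    data: dict
    open_dispute: bool = False


# Assumed retention rules: categories kept for a fixed period even after a
# deletion request, with the reason you would give in the written response.
LEGAL_RETENTION = {
    "invoice": (timedelta(days=7 * 365), "tax and accounting record-keeping"),
}
LEAD_MAX_AGE = timedelta(days=180)   # the "X months" after which stale leads are purged
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "ip"}


def decide(rec: Record, today: date) -> tuple[str, str]:
    """Step 4: classify one of the requester's records as delete / retain / deidentify."""
    if rec.category in LEGAL_RETENTION:
        period, why = LEGAL_RETENTION[rec.category]
        if today - rec.created < period:
            return "retain", f"{why}; retention ends {rec.created + period}"
        return "delete", "retention period has expired"
    if rec.open_dispute:
        return "retain", "needed to resolve an open dispute"
    if rec.category == "support_ticket":
        return "deidentify", "kept for service analytics with identifiers removed"
    return "delete", "no ongoing lawful purpose"


def deidentify(rec: Record) -> Record:
    """Step 5 middle ground: drop direct identifiers and coarsen the date to the month.
    The token is random and stored nowhere else, so no lookup table links it back."""
    kept = {k: v for k, v in rec.data.items() if k not in DIRECT_IDENTIFIERS}
    kept["record_token"] = secrets.token_hex(8)
    return replace(rec, email="", data=kept, created=rec.created.replace(day=1))


def handle_request(records: list, requester_email: str, today: date):
    """Steps 3 to 7: locate, decide, act, and return (remaining_records, audit).
    Identity confirmation (step 2) is assumed to have happened before this call."""
    def is_mine(r: Record) -> bool:
        return r.email.lower() == requester_email.lower()

    remaining = [r for r in records if not is_mine(r)]
    decisions = []
    for r in filter(is_mine, records):
        action, reason = decide(r, today)
        decisions.append({"system": r.system, "category": r.category,
                          "action": action, "reason": reason})
        if action == "retain":
            remaining.append(r)
        elif action == "deidentify":
            remaining.append(deidentify(r))
    audit = {"requester": requester_email, "date": today.isoformat(),
             "decisions": decisions}
    return remaining, audit


def written_response(audit: dict) -> str:
    """Step 6: a plain, factual summary of what was done, what was kept, and why."""
    verbs = {"delete": "deleted", "retain": "retained", "deidentify": "de-identified"}
    lines = [f"Outcome of your request dated {audit['date']}:"]
    for d in audit["decisions"]:
        lines.append(f"- {d['category']} in {d['system']}: {verbs[d['action']]} ({d['reason']})")
    return "\n".join(lines)


def retention_sweep(records: list, today: date) -> list:
    """Scheduled job: purge stale leads with no ongoing purpose; touch nothing else."""
    def stale(r: Record) -> bool:
        return r.category == "lead" and not r.open_dispute and today - r.created > LEAD_MAX_AGE
    return [r for r in records if not stale(r)]


# Constructed sample data (not real customers).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Record("mailer", "marketing", "ana@example.com", date(2023, 3, 10),
           {"email": "ana@example.com", "segment": "high value customer"}),
    Record("accounting", "invoice", "ana@example.com", date(2024, 1, 15),
           {"name": "Ana", "email": "ana@example.com", "total": 120.0}),
    Record("helpdesk", "support_ticket", "ana@example.com", date(2024, 5, 3),
           {"name": "Ana", "email": "ana@example.com", "ip": "203.0.113.5",
            "topic": "refund", "resolution_days": 2}),
    Record("crm", "lead", "bob@example.com", date(2024, 9, 1), {"email": "bob@example.com"}),
]

if __name__ == "__main__":
    kept, audit = handle_request(SAMPLE, "ana@example.com", TODAY)
    print(written_response(audit))
    print(f"{len(retention_sweep(kept, TODAY))} records left after the sweep")
```

Two design points carry the legal reasoning into the code: the invoice is kept because a named retention rule says so, and the response quotes that rule rather than “we need it for our records”; and the de-identified ticket keeps only the analytics fields, so “high value customer” style tags attached to a real identity are gone along with the identifiers.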
It’s also worth remembering that privacy issues don’t always come from “hackers” - a lot of problems happen through everyday operations, like oversharing in marketing, using the wrong email list, or giving staff wider access than they need.
Get Your Legal Documents Working Together
Privacy doesn’t sit in a silo. It overlaps with your contracts, your website documents, and your internal policies.
Depending on how your business runs, you may also need to align privacy obligations with:
- Your customer contract or online terms
- Your contractor arrangements (especially if contractors can access customer data)
- Your systems for handling complaints and refunds
- Your approach to testimonials and marketing permissions
If you use third-party suppliers (like a cloud CRM, booking platform, or outsourced admin support), you should also think carefully about who is processing personal information on your behalf and what your contracts say about confidentiality and security. The Privacy Act treats information a provider holds purely as your agent as information you hold, so their retention and deletion practices become part of your compliance picture. In some cases, a tailored Data Processing Agreement is a good way to set clear rules around how providers handle personal information, including what happens when you ask them to delete it.
Key Takeaways
- The “right to be forgotten” isn’t a single, standalone rule in New Zealand, but it often arises through rights and obligations under the Privacy Act 2020.
- People can ask you to remove or stop using personal information, but your business may be allowed (or required) to keep certain records for legal compliance, dispute resolution, or legitimate business purposes.
- If someone asks to be forgotten, you should clarify the request, confirm identity where appropriate, locate the relevant data across your systems, and respond with a clear written outcome.
- You can reduce risk by collecting only necessary information, setting retention periods, restricting access, and having privacy documents and processes in place from day one.
- Privacy compliance often overlaps with your other legal foundations, including customer terms, employment documentation, and permissions for marketing content like testimonials and images.
If you’d like help setting up privacy documents or responding to a deletion request in a way that protects your business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.