Your Pricing Page Is Your Highest-Intent AEO Asset. Most Hide It.
Italy's Garante fined OpenAI EUR 15 million, Hamburg's DPA said model weights are not personal data, and the French CNIL is publishing per-stage guidance for AI providers. The right to erasure has collided with a technology that cannot meaningfully forget. This is what EU data protection authorities are actually demanding from AI search providers and the operators who depend on them.
By Katrina Voss, Competitive Intelligence · May 26, 2026
Right to be forgotten AI: how GDPR Article 17 applies to LLM training data, the Italian Garante OpenAI ruling, CNIL guidance, Hamburg DPA opinion, and operator-side AEO impact.
Frequently Asked Questions
Does the GDPR right to be forgotten apply to ChatGPT and other LLMs?
Yes, but with a contested scope that European data protection authorities are still defining. Article 17 of the GDPR gives any EU data subject the right to demand erasure of personal data a controller holds, and the European Data Protection Board has confirmed in its December 2024 Opinion 28/2024 that LLM providers are controllers when they process personal data through training and inference. What is contested is whether memorized personal data inside model weights counts as personal data the controller still 'holds,' or whether it has been transformed into a statistical artifact outside the GDPR's reach. The Hamburg Commissioner for Data Protection took the second view in a July 2024 discussion paper. The Italian Garante, the French CNIL, and the EDPB itself have taken the first view. OpenAI, Anthropic, and Google all currently accept Article 17 requests through formal intake forms, regardless of the doctrinal debate.
How do I submit a right-to-be-forgotten request to OpenAI, Anthropic, or Google for AI search?
Each provider operates a distinct intake. OpenAI uses a personal data removal request form linked from its EU privacy notice that asks for identity verification, a description of the personal data, and the exact prompts that elicit the data. The default response is a 'we will not use your data for training' commitment plus an output filter that blocks the model from returning the named individual; full weight modification is not offered. Anthropic accepts requests through privacy@anthropic.com with a similar identity-verification step and a documented commitment to filter Claude outputs about the requester, again without weight modification. Google handles AI Overviews and Gemini erasure requests through its existing 'Right to be forgotten' web form, then applies retrieval-time suppression. None of the three currently retrain models on demand, and EU regulators have so far accepted output suppression as a partial remedy.
What did the Italian Garante actually fine OpenAI for in 2024?
Italy's Garante per la Protezione dei Dati Personali fined OpenAI EUR 15 million on December 20, 2024, after concluding that the company processed personal data to train ChatGPT without an adequate legal basis, failed to notify the authority of a March 2023 data breach affecting Italian users, and lacked an age-verification mechanism to keep users under 13 out of the product. The Garante also ordered OpenAI to run a six-month public information campaign across Italian media explaining how ChatGPT processes data and how users can exercise their GDPR rights. The fine was the second major intervention by the Garante against OpenAI, following the temporary March 2023 ban that briefly took ChatGPT offline in Italy. The 2024 ruling is the highest-profile GDPR enforcement against a generative AI provider to date and has become the template other DPAs are referencing.
Can a data subject force OpenAI or Anthropic to retrain a model to remove their personal data?
Not in current practice, and probably not in current law. No EU data protection authority has yet ordered a full retraining as a remedy under Article 17, partly because the cost would be disproportionate (typically USD 50-150 million per frontier-model run) and partly because the EDPB has accepted output-layer suppression as a reasonable measure when weight-level deletion is technically infeasible. The closer question is whether a controller can be ordered to perform machine-unlearning techniques that target specific training examples; the field is real, but no production-scale technique reliably erases memorized data without degrading the model. The current de facto standard is a layered remedy: removal from future training corpora, retrieval-time filters that suppress live citations, output classifiers that refuse to generate the named individual, and a documented log of compliance steps. EU regulators have indicated they will revisit the standard once unlearning techniques mature.
How does the right to be forgotten affect operators who want to be cited by AI search?
Operators sit on both sides of the Article 17 question. As data subjects, your founders, executives, and named employees can demand erasure of personal data from LLM training corpora and AI search outputs; as data controllers publishing content about customers, employees, and third parties, you can receive erasure requests yourself and become liable for re-publishing data after the original source has been delisted. The AEO consequence is that any content strategy that depends on persistent biographical detail (founder profiles, customer-story names, deal-announcement quotes) carries a latent compliance risk if the named individual later exercises Article 17. The operator response is to design citation-magnet content with replaceable name slots, written consent for AEO-targeted bios, and a documented takedown workflow that can suppress a page from AI crawlers within 30 days of a verified request.
Related Articles
- Anthropic Claude Skills Marketplace: A New AEO Surface for B2B SaaS — EU DMA, DOJ, CMA, and FTC actions are converging on one outcome — mandated citation transparency. AEO operators have eig
- AEO Vendor RFP Template: A Procurement-Ready Framework for Buying AEO Software in 2026 — How DSA Article 22, AI Act risk tiers, DSM TDM opt-outs, and GDPR data-subject rights now shape what European brands mus
- G2 and Capterra as AEO Channels: Review Counts Drive AI Citations Over Star Ratings — Why news.ycombinator.com front-page archives feed Common Crawl, Algolia HN Search, and direct LLM scraping pipelines — p
- Multimodal Search Optimization: Image, Audio, and Text AEO in the Same Pipeline — Apple Intelligence, Google Gemini Nano, and Qualcomm AI Hub pushed inference onto smartphones — and into compliance-lock
Topics: AEO, GDPR, AI Regulation, Privacy, EU Compliance, LLM Training Data
Browse all articles | About Signal