
For those who would prefer to stay a little more under the radar, you can hide results from a search of your email appearing on this service.

https://haveibeenpwned.com/OptOut



Thanks for the info!

For anyone considering, here are the 3 opt-outions that appear after you verify your email:

1. Just remove my email address from public search

No one using the public HIBP search feature will be able to see your email address in the results. You’ll still be able to search your own address through the notification service, which verifies that you control the email before showing any results. If your email is part of a domain monitored by someone else (e.g., your employer), the domain controller will still be able to see it in domain-level searches.

2. Remove my email address from public search and delete the list of breaches it appears in

Your email address is no longer searchable — neither through the public service nor by you, even if you verify ownership — because the associated breaches have been deleted from the database. However, your email address is still retained by HIBP to ensure it is excluded from any future breaches and not added to your record.

3. Delete my email address completely

The record containing your email address will be completely deleted, meaning it will no longer appear in search results — for you or the public — at the time of deletion. However, if your email address appears in future data breaches, it will become publicly searchable again, as the opt-out record itself has also been deleted.


What if the opt out list gets pwned?


I assume if that ever happens, someone will register https://haveibeenpwnedbyhaveibeenpwned.com. It'll be the top post of HN for a couple of days while everyone argues in the comments about how the state of online security is "fundamentally broken" while someone asks if they can sue. Then we'll all forget and move on.


I'm surprised Troy Hunt hasn't defensively registered this. Compare https://troyhuntsucks.com/


I think there was an earlier blog post from Troy some time ago describing that HIBP never stores unencrypted email addresses; i.e. they are all hashed and any lookups go against the hash, not the actual email address.



