Getting data brokers to delete your personal data can be very frustrating as their business model depends on this data. Simply put, they use deceptive patterns to avoid complying with data protection requests. We have put together this guide which describes the most common deceptive patterns and how to counter them.
For example, in many cases data brokers cannot ask you to send excessive personal information in order to verify your identity. You also don't need to fill in online forms.
It is great that a free opt out service exists, but, "search for organization..." one-at-a-time deletion requests isn't much of an improvement over doing things fully manually.
A way of handling bulk requests would be nice. E.g., if only making requests to data brokers, you are looking at around 700 different companies that collect/sell data on Californians. If also, additionally, making requests to the companies that originated the data, it would easily be over 1000 requests.
Web UIs are terrible, but even a giant list with check boxes would be better than one-at-a-time (but, this would mean the server needs to remember state between visits to avoid an extremely frustrating user experience). Download complete list as CSV, add some value to a "selected" column, and re-upload would be nice for some of us, but probably a turn off to most-- especially since merging future changes of the upstream file into the modified user copy is probably beyond the capabilities of most users. At the risk of creating records where a broker had none before, maybe just the option to splat the request out to all companies* in your list that do business in a particular region of the world? Super easy for the user, and no state to retain on your end.
Anyway, thanks for working on this. But, one-at-a-time requests is too high a usability bar for me.
* Or, all companies per category in your region. E.g., all databrokers in region, all retail companies in region, all financial/insurance companies in region... etc. Although I'd guess that most folks would just select all categories, and your back to just selecting a region with additional steps.
Adding a bulk send option is easy. The problem is that you will then get 700 reply emails, each slightly different at which point you will be stuck. That said, we are working on automating it.
Thank you for the great, free resource. Do you have any advice for people who are not in a supported jurisdiction? eg. Have you heard of anyone having success for using GDPR as an excuse to be removed despite not living in the EU?
Yes, 90% of companies do not check where you are from and will comply with your request, however data brokers and other companies who's business model depends on personal data usually do check just to add more friction to the opt-out process. Still, I recommend trying.
I always go back to this list every year or so to look through the major ones. At least for my relatively unpublic life, I have never gotten readded after the initial time I went through to delete everything. YMMV if you are more prolific with your public persona than I am, but like other comments have said, don't trust those 3rd-party services to do this for you because many use Mechanical Turk type of labor with your personal info to basically walk through this list themselves (i.e. people that might keep your PII for nefarious identity theft purposes).
Edit: one thing I have that helps a lot that is unique is that my name is a slight misspelling of a famous athlete in a sport that is not at all popular where I live. When people search "_huayra_", they usually get results for "_huayrack_ the legendary athlete in some far-flung non-mainstream sport", in a sense.
I've been hesitant to submit removal requests due to requirement of uploading a picture of your ID. How can I trust these shady companies won't use this irresponsibly?
Same here. I know that a fair bit of the data they have on me is inaccurate. Yet, to delete that, along with accurate data, I’m being asked to enrich their data with even more accurate data. It feels like the old “click here to unsubscribe” scam that actually just confirms a real person behind an email.
I would love to know who sold them my data though. That would allow me to stop the flow more effectively before I felt okay deleting at the terminal data broker.
I've started to give services domain-specific email addresses as a sort of reverse-tracking identifier. So I give google@mydomain.com and apple@mydomain.com and so on. I figure I'm using a password manager for all of my passwords anyway. It obviously won't work in all situations, but it might provide some leads.
The way to determine who sold them the data is a service and agent I've envisioned for a long time, but never had the wherewithal to produce. (I won't go into all the hurdles.)
Everyone should have their own email domain, and an agent that also serves as your email client will generate a proper looking (for some definition of that) email address within your domain for every new correspondent.
Now, whenever you see your identity (email address) associated with anything at all you can determine the original source.
Maybe the data is sold from some of the apps on our smartphones. Also, pretty sure most of the payment providers folk e-shops use on their checkouts sell the data to Google (and I am dead certain Google were bragging about knowing about almost any transaction which happens on the on the web). That is a part in the chain which not even most online shops would even be aware of.
I had the same concern. I almost went through with DeleteMe, but it felt paradoxical to give all my info to one company so they could remove it from others. I understand they need it to do the work but it didn't feel right. They requested photo ID, SSN, all past addresses, online handles, family member information, etc. It was just too much.
Of the three listed, it looks like Albine is just DeleteMe (they have the same ToS link.)
Neither of them have a forced arbitration clause, class action waiver, etc. which is refreshing. These waivers are regularly upheld and make it very difficult to sue companies who do something wrong.
Having no forced arbitration clause is a good thing! It doesn't make me trust them more per-se, but it means I don't need to trust them as much in the first place.
You can trust them only as much as you think they have self interest in not being sued for doing something nefarious.
That said, they could very easily have a data breach and every customers full info would then be out in the wild.
Were not talking about ordinary payment details either, just full on dox - every address you have lived at, your license scan, all emails, phone numbers, its crazy. Id be willing to bet all these services are targeted quite alot as well because the people who would be willing to pay for this stuff are likely the ones with the most to lose.
I made a post lower in this thread but in general this entire model is flawed. Deletions should happen directly between your device and the service in question.
Also, its just as important to wipe the data YOU create as the data other people create about you. Just like databrokers, you can either do it manually or automated.
Check out https://redact.dev if you want to automate that part at least (I'm on the team)
> they could very easily have a data breach and every customers full info would then be out in the wild
Based on the many notifications I've received from hospitals and insurance providers telling me they've allowed my private information to get repeatedly pilfered, at this point I operate under the assumption that if any organization collects information about me, it's going to leak within the next 5-ish years.
The first and most effective line of defense is to not let the data brokers collect your information in the first place.
There are 683 data brokers that either completed registration with the California Attorney General's office, or had incomplete registrations as of 2023 [1].
None of the removal services come close to covering all of them.
If you live in California, on 1 August, 2026, data brokers will be required to check a list at the California Privacy Protection Agency, and if you added your name to the list (you cannot yet), the data broker must a) not sell your data, and b) if you selected this option, also must delete your data. The brokers must check the list no less than every 45 days [2].
(Also, LexisNexis should be on the list of top 10 data brokers. They likely have several tens of pages of data on every US adult, and perhaps hundreds of pages, if you drive a late model car that collects "telemetry" as you drive)
I have been using Optery (YC W22) and are happy with them. It's more money than I wanted to spend on this. But they have cleared my name out of more than a hundred sites.
The article linked here refers to ten data brokers. But there are far more than that that are handling and selling your data. There's no way you can delete your information from all of them without subscribing to a service to do it for you.
>There's no way you can delete your information from all of them without subscribing to a service to do it for you.
There is no way you can delete your information from all of them [period].
My personal recommendations to lessen data-associations:
1) Actually use cash
2) Shop at places which don't require membership (e.g. for discounts)
3) Buy a domain name which allows you to `catch-all@your.domain` and then give each requestor a unique-to-them "email address" e.g. WalMart @ JoeSmith2222333.com
4) Don't carry your cell phone with you everywhere; Don't sleep with your phone
5) Remove/unplug/disable voice assistants
6) Run LLMs/ChatGPT on local instances
7) Have your DHCP auto-issue an IP to your own local DNS server (e.g: PiHole)
uBlock + NoScript would also be good additions for desktop browsers. I'm impressed I can browse most of the web fine without scripts, or at most, with scripts hosted from the same domain.
What I wish I had, and maybe someone here knows of something that fulfills the role, is a means of providing erroneous information about myself to data brokers. I'd like to insert some fake addresses, wrong phone numbers, made up familial relationships, etc and let that propagate, rather than go through all the hoops to try (largely in vain) to have the information removed.
I feel a bit reluctant giving them much of my data just to match me with their potentially non-existent records and so allowing them initiating new records on me covertly. Also no way checking if they lie about the dataset on me. I feel better not sharing data in general, anywhere, except when it is really essential. So many businesses lost me on potential or factual trade because before(!) answering my questions or giving very basic information (e.g. price!) on their services they wanted to collect lots of factual data on me. I said no, good bye!
I tried Optery, Incogni, and long time ago OneRep, way to lazy to do it myself, don't worry they will have my info, data is already on internet.
Incogni at least in there's claim offers opt-out from private databases (no way to verify ) and some but not all public database (eg. google searches).
Optery has largest list of public databases (with most expensive subscription) out of everyone else, there's costumer service is responsive regarding failed removal.
OneRep was not bad long time ago when they run it from Belarus (I know, crazy), but they would refresh somehow search caches too (it could be ok, or make things worse), they don't seem to offer advertise this service any more.
Don't search your self only via google, for example, bing will give different results, some databases will have misspelled names (could be deliberately), so there still some work to make sure all records are removed.
At this point, this is like privacy tax that you have to budget to have at least your address on cell phone number not easily discoverable.
Readit News
Getting data brokers to delete your personal data can be very frustrating as their business model depends on this data. Simply put, they use deceptive patterns to avoid complying with data protection requests. We have put together this guide which describes the most common deceptive patterns and how to counter them.
For example, in many cases data brokers cannot ask you to send excessive personal information in order to verify your identity. You also don't need to fill in online forms.
Hope this helps: https://consciousdigital.org/wp-content/uploads/2023/04/dark...
I'm one of the creators of https://databrokerswatch.org and https://yourdigitalrights.org/
A way of handling bulk requests would be nice. E.g., if only making requests to data brokers, you are looking at around 700 different companies that collect/sell data on Californians. If also, additionally, making requests to the companies that originated the data, it would easily be over 1000 requests.
Web UIs are terrible, but even a giant list with check boxes would be better than one-at-a-time (but, this would mean the server needs to remember state between visits to avoid an extremely frustrating user experience). Download complete list as CSV, add some value to a "selected" column, and re-upload would be nice for some of us, but probably a turn off to most-- especially since merging future changes of the upstream file into the modified user copy is probably beyond the capabilities of most users. At the risk of creating records where a broker had none before, maybe just the option to splat the request out to all companies* in your list that do business in a particular region of the world? Super easy for the user, and no state to retain on your end.
Anyway, thanks for working on this. But, one-at-a-time requests is too high a usability bar for me.
* Or, all companies per category in your region. E.g., all databrokers in region, all retail companies in region, all financial/insurance companies in region... etc. Although I'd guess that most folks would just select all categories, and your back to just selecting a region with additional steps.
Public service announcement.
What's a doggy company?
I always go back to this list every year or so to look through the major ones. At least for my relatively unpublic life, I have never gotten readded after the initial time I went through to delete everything. YMMV if you are more prolific with your public persona than I am, but like other comments have said, don't trust those 3rd-party services to do this for you because many use Mechanical Turk type of labor with your personal info to basically walk through this list themselves (i.e. people that might keep your PII for nefarious identity theft purposes).
Edit: one thing I have that helps a lot that is unique is that my name is a slight misspelling of a famous athlete in a sport that is not at all popular where I live. When people search "_huayra_", they usually get results for "_huayrack_ the legendary athlete in some far-flung non-mainstream sport", in a sense.
I would love to know who sold them my data though. That would allow me to stop the flow more effectively before I felt okay deleting at the terminal data broker.
Everyone should have their own email domain, and an agent that also serves as your email client will generate a proper looking (for some definition of that) email address within your domain for every new correspondent.
Now, whenever you see your identity (email address) associated with anything at all you can determine the original source.
There’s commercial services now which make it easy, but I’ve been doing it for decades now. The joys of running your own inbound mail server.
Makes it easy to know who’s either sold your data or had their db liberated, and block them.
Neither of them have a forced arbitration clause, class action waiver, etc. which is refreshing. These waivers are regularly upheld and make it very difficult to sue companies who do something wrong.
Having no forced arbitration clause is a good thing! It doesn't make me trust them more per-se, but it means I don't need to trust them as much in the first place.
That said, they could very easily have a data breach and every customers full info would then be out in the wild. Were not talking about ordinary payment details either, just full on dox - every address you have lived at, your license scan, all emails, phone numbers, its crazy. Id be willing to bet all these services are targeted quite alot as well because the people who would be willing to pay for this stuff are likely the ones with the most to lose.
I made a post lower in this thread but in general this entire model is flawed. Deletions should happen directly between your device and the service in question.
Also, its just as important to wipe the data YOU create as the data other people create about you. Just like databrokers, you can either do it manually or automated.
Check out https://redact.dev if you want to automate that part at least (I'm on the team)
Based on the many notifications I've received from hospitals and insurance providers telling me they've allowed my private information to get repeatedly pilfered, at this point I operate under the assumption that if any organization collects information about me, it's going to leak within the next 5-ish years.
The first and most effective line of defense is to not let the data brokers collect your information in the first place.
None of the removal services come close to covering all of them.
If you live in California, on 1 August, 2026, data brokers will be required to check a list at the California Privacy Protection Agency, and if you added your name to the list (you cannot yet), the data broker must a) not sell your data, and b) if you selected this option, also must delete your data. The brokers must check the list no less than every 45 days [2].
[1] https://oag.ca.gov/data-brokers
[2] https://cppa.ca.gov/data_brokers/
(Also, LexisNexis should be on the list of top 10 data brokers. They likely have several tens of pages of data on every US adult, and perhaps hundreds of pages, if you drive a late model car that collects "telemetry" as you drive)
The article linked here refers to ten data brokers. But there are far more than that that are handling and selling your data. There's no way you can delete your information from all of them without subscribing to a service to do it for you.
Ex: photo ID, SSN, all past addresses, online handles, family member details
Do they keep these forever? So many companies eventually get hacked.
Required seems to be,
First name, last name, country, state, city.
You can add more info if needed. Don't see anything about ID, SSN.
You can add other addresses. You can add extra family members. These aren't required but I'm sure it would help from what I've seen on other websites.
There is no way you can delete your information from all of them [period].
My personal recommendations to lessen data-associations:
1) Actually use cash
2) Shop at places which don't require membership (e.g. for discounts)
3) Buy a domain name which allows you to `catch-all@your.domain` and then give each requestor a unique-to-them "email address" e.g. WalMart @ JoeSmith2222333.com
4) Don't carry your cell phone with you everywhere; Don't sleep with your phone
5) Remove/unplug/disable voice assistants
6) Run LLMs/ChatGPT on local instances
7) Have your DHCP auto-issue an IP to your own local DNS server (e.g: PiHole)
There are benefits to doing this that are beyond just privacy.
May also try switching to Fastmail this year.
Incogni at least in there's claim offers opt-out from private databases (no way to verify ) and some but not all public database (eg. google searches).
Optery has largest list of public databases (with most expensive subscription) out of everyone else, there's costumer service is responsive regarding failed removal.
OneRep was not bad long time ago when they run it from Belarus (I know, crazy), but they would refresh somehow search caches too (it could be ok, or make things worse), they don't seem to offer advertise this service any more.
Don't search your self only via google, for example, bing will give different results, some databases will have misspelled names (could be deliberately), so there still some work to make sure all records are removed.
At this point, this is like privacy tax that you have to budget to have at least your address on cell phone number not easily discoverable.