Getting data brokers to delete your personal data can be very frustrating as their business model depends on this data. Simply put, they use deceptive patterns to avoid complying with data protection requests. We have put together this guide which describes the most common deceptive patterns and how to counter them.
For example, in many cases data brokers cannot ask you to send excessive personal information in order to verify your identity. You also don't need to fill in online forms.
It is great that a free opt out service exists, but, "search for organization..." one-at-a-time deletion requests isn't much of an improvement over doing things fully manually.
A way of handling bulk requests would be nice. E.g., if only making requests to data brokers, you are looking at around 700 different companies that collect/sell data on Californians. If also, additionally, making requests to the companies that originated the data, it would easily be over 1000 requests.
Web UIs are terrible, but even a giant list with check boxes would be better than one-at-a-time (but, this would mean the server needs to remember state between visits to avoid an extremely frustrating user experience). Download complete list as CSV, add some value to a "selected" column, and re-upload would be nice for some of us, but probably a turn off to most-- especially since merging future changes of the upstream file into the modified user copy is probably beyond the capabilities of most users. At the risk of creating records where a broker had none before, maybe just the option to splat the request out to all companies* in your list that do business in a particular region of the world? Super easy for the user, and no state to retain on your end.
Anyway, thanks for working on this. But, one-at-a-time requests is too high a usability bar for me.
* Or, all companies per category in your region. E.g., all databrokers in region, all retail companies in region, all financial/insurance companies in region... etc. Although I'd guess that most folks would just select all categories, and your back to just selecting a region with additional steps.
Adding a bulk send option is easy. The problem is that you will then get 700 reply emails, each slightly different at which point you will be stuck. That said, we are working on automating it.
> Adding a bulk send option is easy. The problem is that you will then get 700 reply emails, each slightly different at which point you will be stuck.
Legislative solutions i.e., default to "opt in" for data collection and "sharing" (with a prohibition on nagging the user to do so) seem to be the way, but it seems a universal that politicians do not represent ordinary people's interests.
> That said, we are working on automating it.
I'll keep checking back on your project. Thanks for putting in the effort.
Thank you for the great, free resource. Do you have any advice for people who are not in a supported jurisdiction? eg. Have you heard of anyone having success for using GDPR as an excuse to be removed despite not living in the EU?
Yes, 90% of companies do not check where you are from and will comply with your request, however data brokers and other companies who's business model depends on personal data usually do check just to add more friction to the opt-out process. Still, I recommend trying.
I always go back to this list every year or so to look through the major ones. At least for my relatively unpublic life, I have never gotten readded after the initial time I went through to delete everything. YMMV if you are more prolific with your public persona than I am, but like other comments have said, don't trust those 3rd-party services to do this for you because many use Mechanical Turk type of labor with your personal info to basically walk through this list themselves (i.e. people that might keep your PII for nefarious identity theft purposes).
Edit: one thing I have that helps a lot that is unique is that my name is a slight misspelling of a famous athlete in a sport that is not at all popular where I live. When people search "_huayra_", they usually get results for "_huayrack_ the legendary athlete in some far-flung non-mainstream sport", in a sense.
I've been hesitant to submit removal requests due to requirement of uploading a picture of your ID. How can I trust these shady companies won't use this irresponsibly?
Same here. I know that a fair bit of the data they have on me is inaccurate. Yet, to delete that, along with accurate data, I’m being asked to enrich their data with even more accurate data. It feels like the old “click here to unsubscribe” scam that actually just confirms a real person behind an email.
I would love to know who sold them my data though. That would allow me to stop the flow more effectively before I felt okay deleting at the terminal data broker.
I've started to give services domain-specific email addresses as a sort of reverse-tracking identifier. So I give google@mydomain.com and apple@mydomain.com and so on. I figure I'm using a password manager for all of my passwords anyway. It obviously won't work in all situations, but it might provide some leads.
I've done the same thing for years (yikes-- 20 as of last year-- I'm old!), albeit sometimes I use an opaque identifier for the username portion (because some sites treat addresses with their own domain name in then funnily and I've had humans question it). As a bonus I've identified and reported two previously unknown data breaches by reporting the date I started receiving spam to a one-off address.
Previously I was using service@service.myname.com, and I realized that's leaking a bit too much info.
So, I bought genericname.com and switched to using service@service.genericname.com
Slightly less leakage, although I really doubt anyone is looking. I still have occasional issues with companies rejecting emails with their name in them, but that's easy to work around.
It's great in stores when they ask you to sign up for something and you give them an email that's obviously their name. Raises some eyebrows but most people working the checkout really don't care. A few just comment that it's cool, most are skeptical.
It's all hosted on fastmail and routes via wildcards to my central inbox anyway.
Unless mydomain[.]com is used by more people than just you and maybe your family, doesn’t the domain itself serve as a unique(ish) identifier? I think public aliasing services offer better anonymity, but they’re also blocked by some services.
For humans who are paying attention, sure. In practice, not really, because it's all done by scripts without an easy way to query "is this domain shared".
The way to determine who sold them the data is a service and agent I've envisioned for a long time, but never had the wherewithal to produce. (I won't go into all the hurdles.)
Everyone should have their own email domain, and an agent that also serves as your email client will generate a proper looking (for some definition of that) email address within your domain for every new correspondent.
Now, whenever you see your identity (email address) associated with anything at all you can determine the original source.
Maybe the data is sold from some of the apps on our smartphones. Also, pretty sure most of the payment providers folk e-shops use on their checkouts sell the data to Google (and I am dead certain Google were bragging about knowing about almost any transaction which happens on the on the web). That is a part in the chain which not even most online shops would even be aware of.
Yup, I often speculate that for me, perhaps for many others, apps (and the Android/iOS platforms) are the source.
I’ve been slowly switching to web/desktop based alternatives- those too have their issues (eg correlating all the traffic out of my single home NAT’d IP address.
Mulling deleting apps off my phone as well, but many non-app “mobile” experiences are completely unusable.
I had the same concern. I almost went through with DeleteMe, but it felt paradoxical to give all my info to one company so they could remove it from others. I understand they need it to do the work but it didn't feel right. They requested photo ID, SSN, all past addresses, online handles, family member information, etc. It was just too much.
Of the three listed, it looks like Albine is just DeleteMe (they have the same ToS link.)
Neither of them have a forced arbitration clause, class action waiver, etc. which is refreshing. These waivers are regularly upheld and make it very difficult to sue companies who do something wrong.
Having no forced arbitration clause is a good thing! It doesn't make me trust them more per-se, but it means I don't need to trust them as much in the first place.
You can trust them only as much as you think they have self interest in not being sued for doing something nefarious.
That said, they could very easily have a data breach and every customers full info would then be out in the wild.
Were not talking about ordinary payment details either, just full on dox - every address you have lived at, your license scan, all emails, phone numbers, its crazy. Id be willing to bet all these services are targeted quite alot as well because the people who would be willing to pay for this stuff are likely the ones with the most to lose.
I made a post lower in this thread but in general this entire model is flawed. Deletions should happen directly between your device and the service in question.
Also, its just as important to wipe the data YOU create as the data other people create about you. Just like databrokers, you can either do it manually or automated.
Check out https://redact.dev if you want to automate that part at least (I'm on the team)
> they could very easily have a data breach and every customers full info would then be out in the wild
Based on the many notifications I've received from hospitals and insurance providers telling me they've allowed my private information to get repeatedly pilfered, at this point I operate under the assumption that if any organization collects information about me, it's going to leak within the next 5-ish years.
The first and most effective line of defense is to not let the data brokers collect your information in the first place.
There are 683 data brokers that either completed registration with the California Attorney General's office, or had incomplete registrations as of 2023 [1].
None of the removal services come close to covering all of them.
If you live in California, on 1 August, 2026, data brokers will be required to check a list at the California Privacy Protection Agency, and if you added your name to the list (you cannot yet), the data broker must a) not sell your data, and b) if you selected this option, also must delete your data. The brokers must check the list no less than every 45 days [2].
(Also, LexisNexis should be on the list of top 10 data brokers. They likely have several tens of pages of data on every US adult, and perhaps hundreds of pages, if you drive a late model car that collects "telemetry" as you drive)
I have been using Optery (YC W22) and are happy with them. It's more money than I wanted to spend on this. But they have cleared my name out of more than a hundred sites.
The article linked here refers to ten data brokers. But there are far more than that that are handling and selling your data. There's no way you can delete your information from all of them without subscribing to a service to do it for you.
>There's no way you can delete your information from all of them without subscribing to a service to do it for you.
There is no way you can delete your information from all of them [period].
My personal recommendations to lessen data-associations:
1) Actually use cash
2) Shop at places which don't require membership (e.g. for discounts)
3) Buy a domain name which allows you to `catch-all@your.domain` and then give each requestor a unique-to-them "email address" e.g. WalMart @ JoeSmith2222333.com
4) Don't carry your cell phone with you everywhere; Don't sleep with your phone
5) Remove/unplug/disable voice assistants
6) Run LLMs/ChatGPT on local instances
7) Have your DHCP auto-issue an IP to your own local DNS server (e.g: PiHole)
uBlock + NoScript would also be good additions for desktop browsers. I'm impressed I can browse most of the web fine without scripts, or at most, with scripts hosted from the same domain.
uBlock is definitely an easier implementation for most users. But running Pi-Hole [1] on a RaspberryPi3b [2] is "training wheels EZ," effectively a single SD format with minimal initial configuration (assign IP, credentials), that can then run entirely headless (until the SD card fails... use the best memory you can afford).
Perks of local DNS-resolver include it working across all devices accessing the local network, including outside of the browser. It is ASTONISHING how many connections modern OS'es attempt, by the millesecond.
What I wish I had, and maybe someone here knows of something that fulfills the role, is a means of providing erroneous information about myself to data brokers. I'd like to insert some fake addresses, wrong phone numbers, made up familial relationships, etc and let that propagate, rather than go through all the hoops to try (largely in vain) to have the information removed.
I feel a bit reluctant giving them much of my data just to match me with their potentially non-existent records and so allowing them initiating new records on me covertly. Also no way checking if they lie about the dataset on me. I feel better not sharing data in general, anywhere, except when it is really essential. So many businesses lost me on potential or factual trade because before(!) answering my questions or giving very basic information (e.g. price!) on their services they wanted to collect lots of factual data on me. I said no, good bye!
I tried Optery, Incogni, and long time ago OneRep, way to lazy to do it myself, don't worry they will have my info, data is already on internet.
Incogni at least in there's claim offers opt-out from private databases (no way to verify ) and some but not all public database (eg. google searches).
Optery has largest list of public databases (with most expensive subscription) out of everyone else, there's costumer service is responsive regarding failed removal.
OneRep was not bad long time ago when they run it from Belarus (I know, crazy), but they would refresh somehow search caches too (it could be ok, or make things worse), they don't seem to offer advertise this service any more.
Don't search your self only via google, for example, bing will give different results, some databases will have misspelled names (could be deliberately), so there still some work to make sure all records are removed.
At this point, this is like privacy tax that you have to budget to have at least your address on cell phone number not easily discoverable.
Incogni has been sponsoring a lot of the YouTubers I watch regularly, so I’ve had to ask myself: is that worth it?
There’s, of course, the risk of sharing your personal details with a company that gave money to people to build para-social relationships… not the most compelling case. But there are also questions about jurisdiction: can they get companies based “abroad” to do something? That article from the Cyber Collective seems to focus on US legislation, and the worst abuse I’ve heard about is happening in the US, but I don’t remember finding my details when I asked some of the most egregious actors in that space—for obvious reasons: I don’t live in the US.
I wish that actors like Incogni or DeleteMe shared statistics about how many actors capture your details based on where you live, whether you have a mortgage, a loan on your car, a credit card, social media presence, etc.—or anything else one might do that would help those company flag your details.
Yeah, I can vouch for them too. Their premium service costs about as much as a Netflix sub which is good value. Pretty sure their lowest tier is decent too.
I’ve used both Optery and deleteme. Each one is effective. Optery has been able to handle custom requests that DeleteMe claimed it could not do. Optery costs more though. I was able to clean up my online presence completely after two months. From now on I will try subscribing to Optery every few months instead of a continuous subscription. Anything is better than nothing though. Googling my cell used to yield my full name, pass addresses, etc.
You'll get readded to brokers' DBs. “How can you not, if they aren't tracking you they don't know that new entry is one they shouldn't be tracking!” being one excuse.
Also, new brokers turn up regularly, or often the same broker under sufficiently colours that they can weasel their way to not being recognised instantly. Your removal service requested removal of your info from AnonData Inc, but not DataAnon Ltd. No, despite employing exactly the same directors & managers, and being officially registered from the same collection of PO boxes, they aren't the same company, honest… Shady shit doesn't just stop because you ask once.
Maybe they set a do not store flag for your info, because your data keeps coming in from their partners, even after you requested deletion. So to keep filtering for you and deleting, you need to pay their protection fee.
I'm about to buy a house and I find it insane that I cannot prevent the County Deed Recorder from selling my data to services like Spokeo.
I could set up an LLC and buy the house in that name but that requires cash, and I don't have that much cash.
I could buy an aged LLC, move in cash and then get mortgage as the LLC but that is really extreme (and not sure if that's legal?).
To add to that, services like PermissionSlip assume that you have 1 email address / finite set of email addresses where they send out requests to get your data deleted.
That doesn't work for people who use <company-name>@<my-domain>.<tld>.
Setting up an LLC to own your home costs a few hundred bucks. You don't need any cash beyond filing fees and legal fees (if you use a lawyer).
The bank will not care. Their loan agreement gives them the right to foreclose if the loan is not being repaid. The exact legal owner of the house isn't relevant.
There is one issue to be aware of. If you own your home as an individual, you get a federal capital gains tax break when you sell (the first $250,000 of gains is exempted from tax). If an LLC owns the home, there is no tax break and all of your gains are taxable. This is the real reason why only wealthy people put their homes into LLCs. If you have a $40 million house, this tax break is not particularly meaningful. If you have a $400,000 house, it is very meaningful.
(Consult with your accountant; this is not tax advice.)
The LLC can get a mortgage with you as the personal guarantor. The house is the security anyway.
Then your name is only on the address in the bank’s records, provided you appoint a different manager of the LLC (the corporate records for managers, but not beneficial owners, is public).
Recently I looked myself up in public records, and what I found was quite disturbing, and I'm unable to do anything about it.
For years I've been receiving "misdirected" marketing mail for a small number of women who definitely don't live here, and never have. I always ponder deeply how their names could get associated with my address. Dunno. Anyway, there is now a person listed with my address, phone number, and surname, with a very common Celtic feminine given name, but she doesn't exist. I am not sure if the scam is supposed to be that I'm secretly married, or living with my sister, or what.
So I pulled gently on this thread and a whole sweater emerged. I've not paid for any lookup services, just the free ones. This putative person is related to a large number of people sharing my surname, and I believe that none of them exist. There's another woman who lives within a few miles of me. There are obituaries linking all these people together as a family. WhitePages.COM links them as probably-related. The earliest publication date corresponds very closely to when I first moved into this region, 25 years ago.
So I can't say what, if any, scam is connected to this alleged network of names; I can't remove this person from sharing my address, phone, or surname, because she's not me, but anyone who looks up my PII will turn up this nonexistent "wife" or "sister". Nobody has ever mentioned this to me, I had to go looking for it on my own.
Several of those brokers are also tied to the "credit score" (no, not in China...), so removing yourself has some financial consequences for you. they won't make it easy...
Why play by their rules when the purpose of the data collection and processing was always against us? It should be a fight (legal or technical), not fake collaboration.
Once data is collected, there is absolutely no certainty that requests to delete data will be honoured. IMO I would rather contribute towards efforts that discourage requirement of sharing personal data in the first place, especially when the organizations who request that data are off the hook when that data inevitably leaks out into the internet.
TFA mentions CCPA and GDPR as the "teeth" that make it possible to request personal information removal from these bottom-feeders. The problem is that I don't live in Europe or California. So for me there's no legal requirement for these jackwads to delete my private information from their systems.
I would bet a non-significant number of Krugerrands that when many of them receive these requests they basically just set a bit in your record to indicate that you've requested "removal." The effect of that is that any reports they generate or other outside evidence that they're collecting your information largely go away. But without deep inspection by outside auditors, you really have no idea whether they're continuing to collect your information in a "shadow" profile of sorts. They're certainly incentivized to do just that if they can get away with it. At the very least, I doubt most of them have gone through the trouble of building filters on all their data ingress paths to drop telemetry on the floor if it relates to someone who's "opted-out."
In other words, I absolutely don't trust them to do the right thing, and I also don't trust the government's enforcement to be consistent and universally effective.
So the next-best thing I can do is deny them the telemetry in the first place. I do that by running privacy-oriented software on my computing devices including mobile, paying for everything I can in cash, filing my taxes with minimal involvement from any third parties, and using modes of transportation that don't report my location to anyone.
I've been listening to Vienna Teng's music since she released her Waking Hour album independently in 2001. Hymn of Acxiom is one of her more recent works and is one of my favorites.
Be careful with some of the data removal "services". Some of them just spam random services with your name and email address asking to be removed. You can actually leave behind more data than gets removed.
is it impossible for the government to regulate this stuff with fines for data breaches or something? Effectively incentives not having the data?
I rented a new apartment recently. They wanted so much info including pictures of my driver's license, SSN, etc I'm 100% sure their system is not secure
Until it costs companies to have this data they'll keep collecting it
Google yourself - See what shows up that shouldnt. Go through those sites and manually opt out. Its not too hard and you get the biggest offenders.
Yes, you can use a automated service to do this for you but I think its a really bad idea based on how most of them work.
First of all- Most of the big ones make use of extensive labor in thie phillipines and malaysia to manually type your data into opt out forms. They also have to make use of extensive proxy networks that I can only suspect are not always on the up and up. This is because the databrokers will block IP's from submitting more than a few opt outs per date. So you are supporting both shady practices for the proxys and third world labor thats semi exploited
Second of all- You are trusting yet another company with your data. When you sign up to one of these services, they obviously know everything about you. When one of these services inevitably has a data breach in the future, its going to be a disaster.
The reason that the big services have difficult with the biggest services that are listed in this article is because they: Use captchas, use cloudflare and do email confirmations. They also do things where they show you multiple pieces of data and you have to pick which one is yours, but some of the data is blurred and presented as a image. ( ie- Is this email yours? tee***@gmail.com )
So, what to do if you want to stay on this? Well- Im creating a solution with my team to do what all the big players should have done- Do the optouts from your own device. They of course want you to do it from their servers because its a nice zero friction experience where you just type your info in and they handle most stuff. But as we see, the biggest offenders for databrokers are NOT handled because they are tricky.
So, at our startup https://redact.dev we already built out a ton of tech for this, but targeting social media and messengers. We are now building all of that out for data brokers. And because its ran directly on your own machine there are a TON of advantages:
1: No limit to how often you can scan for new databroker leaks. Most of the players now limit you to once every 30-45 days
2: No limit to adding friends/family to scan/opt them out also.
3: No use of third partys to process your removals. This one is self explanatory. The deletions happen direclty between your device and the databroker- no third world workers involved.
4: Handles the 'hard to delete from' sites listed in the article. Our built in IMAP system can handle email confirmations no problem. Because its running from your own IP, you have no issues with getting blocked there either. Cloudflare/captchas are also no issue
5: Most importantly, you dont have to trust another company with your most personal information. All your data like address/names/phone stay on your device and are only sent to the sites you need to opt out from. Believe it or not, a bunch of these databroker remover sites will just bulk email a bunch of databrokers right now saying "hey, if joe smith @ 123 main street is in your DB, remove him!"
The big drawback is that you need to have a device open that can do the work for you. With other services you can just pay and shut off your PC or phone. You need to keep our solution open for 5 minutes while it does its work. I think thats a definitely good tradeoff for the security you get AND the fact that it instantly removes you from many of these sites. Alot of the players as I mentioned just do emails so it could take weeks or months before they remove you. If you use the databroker sites automated forms, it can be removed instantly or within days or hours.
I mean doing something yourself is often preferable to using a third party especially where privacy is concerned, but this isn't slave labor at slave wages we're talking about here. What job do you think these people would have if they weren't sitting in an office typing PII into computers all day? They wouldn't suddenly be getting six figure remote programming jobs. They'd be doing the same thing for some other company, or they'd be doing something worse. Third world labor is not exploited because it's in the third world and makes less in an absolute sense than other areas.
Edit: Ah you edited while I was replying, yeah it makes sense that you're selling something, hence the mischaracterization.
I am not OK with supporting someone getting paid 2-3 dollars a day for this labor and would prefer to not support that business model if I can.
I also dont trust those workers not to misuse or sell my information on the side because of the unfortunate financial situation they are in financially.
Its acutally a similar answer for why I dont pirate games or software. I dont want to support the behavior and I dont trust that something bad wont happen as a result (virus/malware/etc.)
The dollar amount they're getting paid is irrelevant, what matters is how that compares to what they'd be making otherwise. If you get paid $0.50/day to work on a farm for 12 hours, getting paid $3/day to type for 10 is a pretty fantastic opportunity.
But the median income in Milan is something on the order of $1,200 USD/mo so no your $2-3/day figure is pure fiction.
Edit: Manila seems to be the outlier by about 10-15% but I'm making a guess that most of those types of firms would be located in the major cities and not rural areas.
Id get into this debate, but its been done a million times before.
Heres the cliffnotes of how it goes though, roughly:
* So is minimum wage ok then?
* Why cant a minimum wage person invest all their money into a startup? Why do they have to be a accredited investor?!?
* Why cant I just open up a payday loan place that charges 900% interest? Theres no other payday loan places around and poor people willingly will use it!
* What about prostitution, nobody is forcing them to do it?
* Alright then, Should we let poor people sell their organs? Again, nobody is forcing them to do it!
Cliffnotes: Just because someone will 'willingly' do something, or doesnt have any better options, doesnt make it just or moral. You setting up a 'consulting' company in bangladesh that pays people x$ a day to do something is exploiting those people, plain and simple.
Also, as to your phillipine cost- You are completely wrong. The average wage across the majority of regions in the country is under $10 per day. This is where (see my first link below) most shops get setup, obviously.
Getting data brokers to delete your personal data can be very frustrating as their business model depends on this data. Simply put, they use deceptive patterns to avoid complying with data protection requests. We have put together this guide which describes the most common deceptive patterns and how to counter them.
For example, in many cases data brokers cannot ask you to send excessive personal information in order to verify your identity. You also don't need to fill in online forms.
Hope this helps: https://consciousdigital.org/wp-content/uploads/2023/04/dark...
I'm one of the creators of https://databrokerswatch.org and https://yourdigitalrights.org/