How to Delete Your Data Online: A Practical Guide

In its 2014 "Data Brokers: A Call for Transparency and Accountability" report, the US Federal Trade Commission examined nine data brokers as a sample. From just that nine-company sample, one broker held information on more than 1.4 billion consumer transactions and 700 billion data elements, and another was adding more than 3 billion new data points to its database each month. Most users have never heard of these companies and never agreed to anything with them. Data brokers compose profiles by scraping public records (voter rolls, real estate filings, court documents), buying marketing data, indexing social-media activity, harvesting from warranty registrations, and ingesting telemetry from free apps. So when someone asks how to delete your data online, the honest answer is that the request is really a four-layer job — deleting the accounts you signed up for, requesting removal from data brokers, opting out of people-search aggregators that resell broker data, and (often unsuccessfully) asking persistent caches like the Wayback Machine to remove archived copies. Complete deletion is rarely possible. Significant reduction is achievable.

The short answer. A realistic 1–2 month sustained effort, combining manual workflow and (optionally) a paid removal service, can reduce visible PII on the first page of Google search results by roughly 60–80% — though brokers re-scrape public sources, so quarterly maintenance is required indefinitely. The legal basis for deletion depends on residency. EU and UK residents have the strongest right under GDPR Article 17. Californians have CCPA/CPRA plus the 2023 California Delete Act (SB 362), whose Delete Request and Opt-out Platform (DROP) went live January 1, 2026 and whose broker deletion-processing mandate begins August 1, 2026. About 20 other US states have comprehensive privacy laws in effect by 2026, with broadly similar but not identical erasure rights. Canadian PIPEDA does not provide a direct right of erasure (Principle 4.5.3 covers retention/destruction obligations on organizations). Every law has exceptions — public interest, legal obligation, free expression, credit-reporting compliance — so 100% deletion is never guaranteed. The practical workflow that follows assumes those constraints honestly.

This post walks through seven things — (1) why "delete" is harder than it sounds (the four-layer data ecosystem), (2) the legal basis for deletion across major jurisdictions, (3) Google's "Results about you" tool and its limits, (4) data brokers as the central deletion target, (5) removal services compared functionally without endorsement, (6) manual deletion steps by category with major broker opt-out URLs, and (7) email aliasing as forward-looking prevention.

How to delete your data online — why it's a four-layer problem

Most users equate "delete my data" with "close my accounts." The actual data footprint is layered. The four layers worth distinguishing:

1. Active sources — services the user signed up for (email, social, shopping, banking)
2. Passive sources / data brokers — companies that scrape public records, buy marketing data, and aggregate behavioral signals (Acxiom/LiveRamp, Experian Marketing Services, LexisNexis Risk Solutions, Oracle Data Cloud)
3. People-search aggregators — broker data repackaged into searchable consumer-facing form (Whitepages, Spokeo, BeenVerified, MyLife, Radaris)
4. Persistent caches — the Web's institutional memory (the Wayback Machine, Google cache, archive.org)

The crucial distinction is account deletion ≠ data deletion ≠ aggregated-record deletion. Closing an account at a service stops the service from collecting new data, but anything that service has already shared with brokers continues circulating. Brokers re-scrape public records on an ongoing basis, so even a successful broker opt-out is typically partial and time-bounded.

The FTC 2014 report described data brokers as operating "with minimal transparency and ... virtually no statutory consumer protections," a framing the agency used to call for federal legislation that has not yet materialized at the federal level. The Internet Archive's removal request page is more direct about the persistent-cache layer: "Internet Archive does not make any guarantees beforehand about the outcome of a request." Both statements set realistic expectations — the layers exist, and deleting from one does not delete from the others.

The legal basis for deletion across major jurisdictions

GDPR Article 17 (EU and UK). The most extensive statutory right of erasure. Six grounds qualify a deletion request — original purpose fulfilled; consent withdrawn; data subject objects under Article 21; unlawful processing; legal obligation; or data of a child collected for information-society services. Five exemptions can override — freedom of expression and information; compliance with legal obligation or public interest; public-health purposes; archiving for public-interest, scientific, historical, or statistical research; legal claims. Controllers must respond "without undue delay," and where data was made public, controllers must take "reasonable steps, including technical measures" to inform other processors of the deletion request. GDPR's territorial scope is broad — it applies wherever the data controller, processor, or subject is in the EU, plus extraterritorially when goods and services are offered to EU residents or their behavior is monitored.

CCPA / CPRA (California). The California Attorney General describes the right plainly — Californians may "request that businesses delete personal information they collected from you and to tell their service providers to do the same." Businesses must respond within 45 days, with one 90-day extension available. Exemptions include publicly available information, processing necessary to complete a transaction, exercise of legal claims, and certain medical or credit-reporting data. The AG's page explicitly notes that "credit reporting agencies like Equifax, Experian, and TransUnion can still collect and disclose your credit information" under federal law (FCRA).

California Delete Act (SB 362, signed October 10, 2023). The most consequential 2026 development for data brokers specifically. Broker registration with the California Privacy Protection Agency began January 31, 2024. The Delete Request and Opt-out Platform (DROP) went live January 1, 2026, with 545 registered brokers at launch. Beginning August 1, 2026, registered brokers are required to process deletion requests received through DROP within 45 days and to stop selling or sharing the deleted person's data going forward. Triennial audits begin in 2028. The Act applies to brokers with $25M+ in annual revenue that derive 50%+ of revenue from selling personal information of 100,000+ consumers.

Other US states. About 20 states have comprehensive privacy laws taking effect by 2026, including Virginia VCDPA (2021), Colorado CPA, Connecticut CTDPA (effective July 1, 2023), Texas TDPSA (signed June 18, 2023; effective July 1, 2024), Oregon OCPA (effective July 1, 2024), and new 2026 effective dates for Indiana, Kentucky, and Rhode Island. The right-to-delete provisions are broadly similar but not identical — Virginia VCDPA has no broker-specific provisions, Texas TDPSA has different revenue thresholds. The IAPP's US State Privacy Legislation Tracker is the most reliable comparison resource.

Other jurisdictions briefly. China's PIPL (effective November 1, 2021) provides erasure rights conditional on specified grounds. Brazil's LGPD provides deletion rights. Australia's APP framework focuses on accuracy, correction, and access rather than direct deletion. Canada's PIPEDA does not provide a direct right of erasure — but Principle 4.5.3 (Limiting Use, Disclosure, and Retention) requires organizations to destroy or anonymize personal information when it is no longer needed for the purposes for which it was collected.

Google's "Results about you" tool — what it does and doesn't do

Google launched the "Results about you" tool in 2022 as a way to request that personally identifying search results be hidden from Google Search. It does not delete the original page or remove data from the source site — it removes the link from Google's index for that PII, while the page itself continues to exist on the source site and may still appear in other search engines (Bing, DuckDuckGo).

Categories Google explicitly accepts:

• Phone numbers
• Home addresses
• Email addresses
• Other types of personally identifiable information

Google declines requests where the information is "valuable to the public" — the page typically describes educational institutions, government, news, or business websites as common rejection contexts. People under 18 use a separate dedicated removal form. The tool also includes an ongoing monitoring feature that scans for new appearances of the registered PII and lets the user request removal as new results appear. As a practical workflow step, registering with "Results about you" is the lowest-effort first action — it has the largest visible impact on what search results other people see when they search for the user's name.

Data brokers — the central deletion target

The most persistent and least transparent layer of the data ecosystem is the broker layer. Users typically have no direct relationship with these companies, and the brokers' default operating model is to compose profiles continuously from public-record sources, marketing data feeds, and behavioral signals. When a user opts out of one broker, the data often re-appears within months because the broker re-scrapes the underlying public sources. People-search sites (Spokeo, Whitepages, BeenVerified, MyLife, Radaris) are a re-packaged consumer-facing layer that resells broker data.

Spokeo's own opt-out page describes this dynamic plainly: "Opting out your listing from Spokeo will not remove the data from its original source. Your information may still appear on other websites." Privacy Bee, a removal-service vendor, similarly acknowledges in its own marketing that "exposures return every few months, requiring repeated deletions." This is a structural feature of the broker industry, not a marketing exaggeration.

The California Delete Act DROP is the first regulatory mechanism designed to address the re-population problem at scale — once an opt-out is registered through DROP, the registered broker is required to keep the data deleted, not just delete it once. As of May 2026, DROP is live but the broker deletion-processing mandate begins August 1, 2026, so the practical effect is still being established. For non-Californians, the indirect benefit is that brokers building DROP-compliant systems for California customers may extend similar functionality more broadly, though there is no requirement to do so.

Removal services compared (functional, not endorsement)

Several commercial services automate or assist with broker opt-outs and people-search removals. Each makes specific trade-offs across automation versus human-assisted work, claimed broker coverage versus actually-automated coverage, and price. None can guarantee 100% deletion because the broker industry's re-scraping pattern is structural. Manual approach is free but typically takes 10–20 hours for the initial pass plus quarterly maintenance.

Service	Annual price (May 2026, individual)	Approach	Broker coverage (claimed)	Notes
DeleteMe (Abine)	$129 (1-Person), $229 (2-Person), $329 (4-Person Family)	Human-assisted	"over 950 sites" claimed; process largely manual	Quarterly reports
Incogni (Surfshark)	$95.88 Standard, $179.88 Unlimited, $191.88 Family Standard, $275.88 Family Unlimited	Automated	420+ brokers + 2,000+ custom-request sites	30-day money-back
Optery	Free Basic; $39 Core; $149 Extended; $249 Ultimate	Automated (Core) → humans+machines (Ultimate)	Core 365+; Extended 540+; Ultimate 635+ + 950+ custom	Tiered
Privacy Bee	$96 Essentials; $216 Pro; $804 Signature	Automation + human (Pro/Signature)	1,033 brokers + 181,048 custom-request sites	"Limited Power of Attorney" model
Manual	Free	Self-service	Theoretically unlimited but limited by user time	~10–20 hrs initial + quarterly maintenance

A note on the "broker coverage" numbers: these are vendor-claimed, and independent reviews have repeatedly found gaps between marketing claims and actually-automated coverage. Treat them as upper bounds rather than measured guarantees. Pricing reflects May 2026 and may change. Affiliate-driven comparison content dominates this space; the table above cites only the vendors' own pricing and feature pages, not third-party reviews that may carry affiliate incentives.

Manual deletion — concrete steps by category

The manual workflow takes time but costs nothing and gives the deepest visibility into where data exists. Six categories worth processing in order:

1. Search engines. Google "Results about you" first (covered above) — quickest wins. Bing supports a webmaster-tools removal flow for content the user owns; many smaller search engines (DuckDuckGo, Yahoo) use Bing as a backend, so a successful Bing removal often propagates. Google cache requests are part of "Results about you."

2. Social media. Facebook deletion vs deactivation are separate options — deletion is permanent after a 30-day grace period. Instagram supports permanent account deletion. X/Twitter, LinkedIn, and Reddit each have their own deletion flow with different waiting periods. For each platform, deletion typically removes the user-controlled profile and posts, but does not remove content other users have shared, replied to, or screenshotted.

3. People-search sites. Each broker's opt-out flow is different. The major opt-out URLs are listed below (verify the URL on the broker's privacy page if a direct link does not load — these change occasionally):

Broker	Opt-out flow
Spokeo	spokeo.com/privacy/control/opt-out — profile URL plus email confirmation, 24–48 hours
BeenVerified	beenverified.com/app/optout/search — search, claim, email confirmation
Whitepages	whitepages.com/suppression-requests — includes phone verification
MyLife	mylife.com/ccpa/index.pubview — CCPA form, often processed for non-California residents as well
Acxiom (LiveRamp)	liveramp.com/opt_out
Experian Marketing Services	experian.com/privacy/opting_out
LexisNexis Risk Solutions	risk.lexisnexis.com/group/optout — consumer-facing form

If a direct opt-out URL does not load, the broker's privacy or "Do Not Sell My Personal Information" page typically links to the current form. Privacy Rights Clearinghouse maintains a more extensive directory at privacyrights.org/data-brokers.

4. Forgotten old accounts. The justdeleteme.xyz directory categorizes deletion difficulty for thousands of services on a five-step scale (Easy / Medium / Hard / Impossible / Limited). Working through old accounts here is a high-leverage step because passive accounts often continue to leak data without the user knowing.

5. The Wayback Machine. Email info@archive.org with the URL, the time period archived, and the user's relationship to the content. Per the Internet Archive's own help page, removal is not guaranteed — they evaluate requests case-by-case and do not commit to outcomes in advance.

6. Old email accounts. Gmail, Outlook, and Yahoo each have account-deletion procedures that take effect after a waiting period. Closing primary email accounts is high-impact because email serves as the recovery mechanism for many other accounts — but also high-risk for the same reason. Some workflows recommend setting up replacements (with email aliasing, see next section) before closing primary mailboxes.

For accounts that have already been part of a breach, see Have I Been Pwned? What to Do If Your Email Was Leaked for the response workflow that pairs naturally with deletion. For the metadata that travels with photos shared online, see What Your Photos Reveal About You: Understanding EXIF Metadata.

Email aliasing for forward-looking prevention

Deletion is retroactive — pulling data out of broker databases and search indexes after it has already accumulated. Forward-looking prevention uses a different mechanism: a unique email alias for each new signup. The result is that brokers cannot cross-link the user's identity across sites — the identity graph fragments, and broker coverage tends to decrease over time without further effort. For most users, the ROI of preventing new data accumulation is higher than the ROI of repeatedly deleting what already exists.

Service	Notes
SimpleLogin (Proton)	Open-source. Operated by Proton AG, registered in Switzerland. Chrome/Firefox/Safari extensions plus iOS/Android apps. PGP support. Free tier plus paid plans.
Apple Hide My Email	Integrated with Sign in with Apple. @privaterelay.appleid.com domain. Apple "delete[s] [messages] from our relay servers after they're delivered to you, usually within seconds." Requires iCloud+ subscription for full management.
Firefox Relay	Free tier with 5 masks; Premium adds unlimited masks, email tracker removal, phone masking, and Mozilla VPN bundle. 30+ countries supported.

The combination is the most-effective long-term posture — delete what is already out there in a sustained 1–2 month effort, then aliasize new signups going forward so the deleted data does not get refreshed by new behavioral signals. Maintenance from there is a quarterly Google self-search plus a Have I Been Pwned check.

For visibility into what your browser is leaking on every site you visit (a separate forward-looking layer that overlaps with deletion's prevention goals), the Browser Privacy Checker runs roughly 20 fingerprinting and tracker-visibility tests in your browser and produces a letter-grade report.

Data deletion addresses the data already collected. Browser fingerprinting and tracker visibility are about what your browser is leaking on every site visit going forward — a complementary layer.

Free tool

Browser Privacy Checker →

See what your browser actually leaks across roughly 20 fingerprinting and tracker-visibility tests, with a letter-grade report card. Runs entirely in your browser; nothing sent to any server.

Common questions about deleting your data online

Can I really delete all my data online?
No, complete deletion is rarely possible. A 1–2 month sustained effort can reduce visible PII on the first page of Google search results by roughly 60–80%, and continuing maintenance can keep that level. Brokers re-scrape public records continuously, so deletion is not "one and done" — it is a maintained baseline.

Do I have a legal right to delete my data?
It depends on residency. EU and UK residents have GDPR Article 17 (right to erasure). Californians have CCPA/CPRA plus the California Delete Act DROP (live January 2026, broker compliance mandate August 2026). About 20 other US states have comprehensive privacy laws by 2026 with broadly similar but not identical rights. Canadian PIPEDA does not provide a direct right of erasure but does require organizations to destroy data no longer needed (Principle 4.5.3). All laws have exemptions; this is not legal advice — for high-stakes situations, consult a qualified attorney.

Is paying for a removal service worth it?
It depends on time and threat model. Manual deletion is free but takes 10–20 hours initially plus quarterly maintenance. Paid services cost $40–250+ per year and automate parts of the workflow. Independent reviews have found gaps between vendor marketing claims and actually-automated coverage, so the headline "broker coverage" numbers should be treated as upper bounds. For most users, a paid service is reasonable for the initial pass with manual quarterly maintenance, but no service can guarantee complete deletion.

How do I remove my information from people-search sites like Spokeo or Whitepages?
Each site has its own opt-out form. Spokeo: spokeo.com/privacy/control/opt-out. Whitepages: whitepages.com/suppression-requests (includes phone verification). BeenVerified: beenverified.com/app/optout/search. MyLife: mylife.com/ccpa/index.pubview. Each typically processes within 24–72 hours, but the data may reappear within months as the underlying broker DBs are re-scraped. Privacy Rights Clearinghouse maintains a directory at privacyrights.org/data-brokers.

Will deleting my Google account remove my data from search results?
No. Closing a Google account stops Google from collecting new data on the user, but pages on the public web that contain the user's information remain. The Google "Results about you" tool is the right path for removing search-result links — it requests Google to hide pages from search rather than delete the source pages.

How long does it take to delete my data online?
A reasonable timeline: week 1 register Google "Results about you" + close obvious unused accounts; weeks 2–3 process the major data-broker opt-outs from the table above; week 4 close old email accounts you no longer need. Plan on quarterly maintenance for the next year (re-check Google search self-results, re-run broker opt-outs that have re-populated, monitor Have I Been Pwned). For paid services, expect 60–90 days for the bulk of automated coverage to land plus ongoing background work.

What is the California Delete Act?
California Senate Bill 362, signed in October 2023. The Delete Request and Opt-out Platform (DROP) went live January 1, 2026, with 545 registered data brokers. Beginning August 1, 2026, registered brokers are required to process deletion requests received through DROP within 45 days and to stop selling or sharing the deleted person's data going forward. Triennial audits begin in 2028. The Act applies to brokers with $25M+ in revenue from selling personal information of 100,000+ consumers when 50%+ of revenue comes from such sales.