Do Data Broker Removal Services Actually Work? A Practitioner’s Answer

Data broker removal services promise to clean your personal data from hundreds of sites with a subscription and a few clicks. They do remove data in many cases, but not evenly, not permanently, and not across every broker that matters.

This article explains how data broker removal actually works under GDPR, CCPA and the California Delete Act, where automated services add value, where DIY is sufficient, and when only a full-scope OSINT investigation closes the gap.

What a data broker is, and what a removal service actually does

The GDPR does not define "data broker" as a term of art, but enforcement work and regulatory commentary describe a clear category. The Federal Trade Commission's 2014 report "Data Brokers: A Call for Transparency and Accountability" describes companies that collect personal data from multiple sources, aggregate and enrich it, and sell or share it for marketing, risk mitigation, and people-search services, often without a direct relationship with the individuals concerned.

In the EU, data broker activity typically falls under the definition of "controller" in Article 4(7) GDPR, because the broker determines the purposes and means of processing the datasets it builds. In May 2018, GDPR Article 6 began requiring a lawful basis for that processing, and Article 14 created specific information duties where data is obtained from other sources rather than directly from the data subject.

A data broker removal service is different. It does not run the underlying databases. It acts as your agent to exercise your rights against controllers that broker your data. In the EU that usually means sending GDPR Article 17 erasure requests, sometimes combined with Article 21 objections where the broker uses your data for direct marketing. In the US, services rely on delete or "do not sell or share" rights under state laws such as the California Consumer Privacy Act (CCPA) and, from October 2023 onward, the Delete Act (SB 362) for registered California data brokers. Whether those erasure requests will hold up legally is covered in more depth in our analysis of whether data broker removal is legal in Europe under GDPR.

For the broader ecosystem view — who the brokers are, what feeds them, and how they interconnect — start with our data broker ecosystem overview.

How data broker removal works mechanically

Almost all removal efforts follow the same basic sequence: discovery, legal framing, broker-specific process, and monitoring.

Under GDPR, Article 17(1) gives individuals the right to obtain erasure of personal data "without undue delay" from a controller when one of several grounds applies, including where the data is no longer necessary for the original purpose, consent is withdrawn with no other lawful basis, or the individual objects to processing under Article 21(1) or (2). Article 17(2) extends this to copies where the controller has made the data public. Controllers must also inform other recipients "where feasible" that the data subject has requested erasure.

In practice, a removal project starts by identifying where a person appears. Consumer services typically work from a fixed list of public-facing people-search and marketing sites. A human-led investigation starts from the subject's identifiers and searches across brokers, people-search engines, and related sources to build a tailored target list.

Once targets are identified, requests are sent. In the EU, those requests cite GDPR Article 17 and, where applicable, an Article 21(2) objection to processing for direct marketing. The individual or their agent must provide enough information to locate the records and prove identity to a reasonable degree. The European Data Protection Board's 2025 Coordinated Enforcement action on erasure, with findings published in February 2026 and drawn from 764 controllers across 32 European data protection authorities, shows many organisations still have inconsistent internal procedures, rely on partial anonymisation rather than deletion, and struggle with deletion in backups and derived datasets.

In California, CCPA grants a right to request deletion of personal information collected from the consumer, subject to exemptions. On 10 October 2023, the Delete Act (SB 362) amended California's data broker registration law to create a central mechanism run by the California Privacy Protection Agency. From 1 August 2026, registered data brokers must process deletion requests submitted via this mechanism and must check it at least every 45 days, significantly changing how California-facing brokers will handle large volumes of erasure requests.

Between request and deletion, verification friction is common. Some brokers require copies of ID documents, some rely on email links sent to the addresses they have on file, and others embed opt-out controls deep in account settings. The EDPB has emphasised that controllers may not impose unreasonable barriers, but the 2025 enforcement review still found inadequate information for data subjects, inconsistent authentication approaches, and delays in practice.

After a broker confirms deletion, the final stage is monitoring. Because many brokers ingest new feeds and republish data periodically, a single erasure event will not hold indefinitely. Serious programmes bake in periodic re-scans and follow-up requests when data reappears.

Automated consumer services, bundled add-ons, and human-led investigations

There are three broad categories of tools and services that claim to remove data from brokers: automated consumer subscriptions, bundled add-ons inside wider security products, and human-led investigations.

Automated consumer services (Incogni, DeleteMe, Optery and similar) work from a predefined list of brokers. The user signs a limited power of attorney or equivalent mandate, supplies identifiers such as name, address, email and date of birth, and the service submits erasure or opt-out requests on their behalf. The marketing often refers to "hundreds" of sites. The service periodically re-runs the list, processes confirmations, and re-issues requests where data reappears. These services are typically strongest in the vendor's home market, for example US-facing people-search and marketing brokers.

Bundled add-ons in identity protection or antivirus suites follow a similar pattern but sit inside a broader product. LifeLock's "Automatic Data Broker Removal" feature, documented by Norton in April 2026, works this way: once a customer confirms their personal data, LifeLock scans top data broker and people-search sites for their information, sends opt-out requests where it finds matches, and repeats the process every 90 days. The feature sits alongside credit monitoring and identity alerts rather than standing alone as a privacy product.

Human-led OSINT investigations take a different route. Instead of starting from a static broker list, investigators map names, aliases, historical addresses, phone numbers, emails, employer history, domain registrations, social media handles, and breach or credential exposures. They then search across search engines, people-search sites, known broker lists, and less obvious sources to build a target set that reflects that specific profile rather than the average consumer.

On that target set, human-led teams adapt their strategy per broker. Where a broker is clearly subject to GDPR jurisdiction, requests cite specific articles and, where helpful, prior enforcement positions from authorities like the Dutch AP or the ICO. Where a broker is a registered California data broker, requests can refer to both CCPA and the Delete Act. Where the broker operates in a more opaque or less regulated setting, the focus shifts to practical removal and de-indexing over detailed legal debate.

The methodological detail behind the manual-versus-automated boundary sits in our earlier piece on the limits of automated data broker removal.

For higher-risk profiles, an OSINT-led broker removal project goes beyond fixed lists and treats data brokers as one layer in a broader exposure map — which is what The Eraser is built to do.

What "success" actually means in data broker removal

Most services describe success in terms of breadth: the number of brokers or "sites" covered. For an investigator, three other dimensions matter more: re-listing rate, tier coverage, and long-tail gaps.

Re-listing rate measures how often removed records reappear over time. GDPR Article 17 requires controllers to delete personal data where the conditions apply and to take reasonable steps to inform other controllers processing the same data. In practice, many brokers source new feeds from public records, commercial partners and other brokers. If they do not maintain internal suppression lists keyed to persistent identifiers, they can legitimately ingest the same data again six or twelve months after a deletion, and your profile reappears. The EDPB's 2025 enforcement report highlighted that many controllers still lack mature processes for ensuring erasure cascades through derived and replicated data.
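The suppression-list mechanism described above, shown as an added Python example that is not from the original article or from any real broker's system. BrokerStore, the key and both feeds are constructed for illustration, and the example assumes identifiers are matched through an HMAC of their normalized form so the broker retains a token instead of the erased data.

```python
import hashlib
import hmac
import re

KEY = b"example-only-key"  # constructed; a real controller keeps this in a secrets store


def token(kind, value):
    """Keyed hash of a normalized identifier: matchable without keeping the raw value."""
    value = value.strip().lower()
    if kind == "phone":
        value = re.sub(r"\D", "", value)  # digits only, so formatting variants collapse
    return hmac.new(KEY, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()


def tokens(record):
    return {token(k, v) for k, v in record["ids"].items()}


class BrokerStore:
    """Hypothetical broker database with an optional suppression list."""
    def __init__(self, use_suppression):
        self.records = []
        self.suppressed = set()
        self.use_suppression = use_suppression

    def erase(self, kind, value):
        """Erasure request: delete matching records, retain only the token."""
        t = token(kind, value)
        self.records = [r for r in self.records if t not in tokens(r)]
        if self.use_suppression:
            self.suppressed.add(t)

    def ingest(self, feed):
        """Load a feed, skipping records that carry a suppressed identifier."""
        for record in feed:
            if self.use_suppression and tokens(record) & self.suppressed:
                continue
            self.records.append(record)


# Constructed feeds; FEED_2 is a later refresh with formatting variants of the same person.
FEED_1 = [
    {"name": "A. Example", "ids": {"email": "a.example@example.com", "phone": "+31 20 555 0100"}},
    {"name": "B. Sample", "ids": {"email": "b.sample@example.com"}},
]
FEED_2 = [
    {"name": "Example, A", "ids": {"email": " A.Example@Example.com "}},
    {"name": "A Example", "ids": {"phone": "+31-20-5550100"}},
]


def names_after_refresh(use_suppression):
    """Ingest, erase one person by email and phone, ingest the refresh, list what remains."""
    store = BrokerStore(use_suppression)
    store.ingest(FEED_1)
    store.erase("email", "a.example@example.com")
    store.erase("phone", "+31 20 555 0100")
    store.ingest(FEED_2)
    return [r["name"] for r in store.records]
```

Without the suppression list the erased person returns twice after the refresh, once per identifier variant; with it, only the unrelated record remains.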

Tier coverage distinguishes visible but low-stakes brokers from less visible but higher-risk ones. Public people-search sites are uncomfortable and create harassment risk, but the brokers that feed risk scoring, insurance pricing, fraud models or targeted advertising often pose greater long-term impact. The FTC's 2014 report profiled major US brokers operating in these higher tiers. A removal programme that clears only the public tier but leaves scoring or marketing profiles untouched is cosmetic: it improves how a search result page looks but does less for systemic risk.

Long-tail gaps cover everything that falls outside the mainstream lists: local property aggregators, niche professional directories, alumni databases, sector-specific contact lists, and one-off marketing lists built for particular campaigns. There is no global registry of these actors. Automated tools struggle to detect and maintain coverage for them because each has its own identifiers, language and legal context. Human-led work, combined with regionally focused resources like our data broker opt-out guide for EU brokers, tends to find more of these edges.

A realistic definition of success therefore looks like this: meaningful reduction of exposure across all relevant broker tiers, measured re-listing rates trending down over recurring scans, and few or no uncovered long-tail brokers for the person's risk profile and geography.

When DIY removal is sufficient

DIY removal can work well for individuals with low to moderate risk who have the time and patience to manage the process. Under GDPR, any individual in the EU or EEA can send an Article 17 request directly to a broker that acts as controller. Under CCPA and similar state laws, residents can use statutory deletion and "do not sell or share" rights, subject to the exceptions in those laws.

DIY is usually sufficient when three conditions hold. First, most of your exposure is on a limited number of well-known people-search and marketing sites, rather than in high-value scoring or niche databases. Second, you have a relatively simple identity story: one main legal name, a small number of addresses, and limited cross-border presence. Third, you can invest effort into tracking requests, responding to verification prompts, and revisiting brokers every few months.

Consumer and regulator guides can help. Several DPAs and consumer organisations publish broker lists with opt-out links and template letters referencing the right to erasure. Our EU-focused data broker opt-out guide provides direct URLs and procedural notes, which is often enough for individuals who want control but do not require a formal investigation.

When a subscription data broker removal service is worth it

Subscription services sit between DIY and full OSINT-led work. They are worth considering when your risk profile is moderate, your time is scarce, and your exposure is mostly in the same mass-market broker ecosystem that the service covers.

Typical cases where a subscription makes sense include professionals who have started to receive unwanted contact after media appearances, people in the US whose data appears across many domestic people-search sites, and individuals who tried DIY once but found it hard to maintain a schedule of re-checks and follow-up requests. In these situations, the service absorbs the repetitive work of submitting and chasing opt-outs to its broker list and repeating that on a schedule.

What these services usually do not provide is a complete picture of where your data lives. They rarely cover niche brokers outside their main market, and they do not usually tackle databases that require more involved legal correspondence or industry-specific arguments. They also work on their own discovery criteria, which may not match the reality of how your name appears after previous marriages, relocations or transliteration.

From a risk-management perspective, a subscription service is therefore a time-saving device for a specific slice of the broker ecosystem. It is not a substitute for a one-off or recurring OSINT-led investigation when stakes are high. If you are weighing which subscription to use, our comparison of European data broker removal services covers the main options and their coverage trade-offs.

When only a full OSINT-led investigation closes the gap

There is a point where neither DIY nor a subscription service provides enough assurance. That point usually arrives when the personal or organisational stakes of exposure become material: executives and board members, politically exposed persons, professionals in regulated sectors, or individuals already facing targeted harassment, fraud attempts or extortion.

For these profiles, broker data is one layer among many. OSINT work needs to correlate broker entries with breach and credential data, old domains, misconfigured cloud assets, historical corporate filings, and other signals. Data from brokers may feed risk scoring used by banks and insurers, which changes the legal and practical consequences of leaving those records untouched.

A full investigation brings several capabilities that automated services do not offer. It can identify and handle complex identity stories with multiple name variants and jurisdictions. It can prioritise interventions where a given broker's dataset intersects with specific threat scenarios. It can document evidence of non-compliance or re-listing patterns in a way that supports escalation to regulators or legal counsel if necessary.

The Eraser is one example of this category — a structured, human-led project that integrates data broker work into a wider exposure reduction plan rather than treating it as an isolated subscription. Comparable programmes from other specialist firms follow the same logic, even if they differ in scope and tooling.

Do data broker removal services actually work? A practitioner's verdict

Data broker removal services do work in the narrow sense that they send real erasure and opt-out requests, receive responses, and reduce visible exposure on many covered brokers. Law and enforcement trends since 2018 have strengthened the legal basis for such requests, especially in the EU under GDPR Article 17 and in California under CCPA and the Delete Act.

They work best for mainstream people-search and marketing brokers in the markets they cover, and for individuals whose primary concern is nuisance exposure and casual doxxing. They work less well for long-tail brokers, high-value scoring datasets, and complex cross-border identities. They also cannot stop fresh feeds from reintroducing your data, which is why recurring scans and re-requests are structurally necessary rather than a commercial upsell.

DIY removal is often sufficient for low to moderate risk profiles with time to invest. Subscription services are worth it when the same profiles want time savings and recurring sweeps. For higher-stakes cases, only a full OSINT-led investigation brings the combination of discovery depth, legal framing and evidence collection needed to approach "as removed as legally and practically possible" rather than "fewer entries on popular people-search sites".

If you want to know what a search like this returns about you, a Snapshot Scan will tell you. Talk to an analyst.

Frequently Asked Questions

What is a data broker removal service?

A data broker removal service acts as your agent to exercise privacy rights against companies that trade in your personal data. In the EU it usually sends GDPR Article 17 erasure requests, and in the US it uses rights under laws like the CCPA and the California Delete Act. The service identifies brokers that hold your data, sends deletion or opt-out requests following each broker's process, tracks responses, and repeats the cycle when your data reappears.

Do data broker removal services actually work?

They do, but within limits. When a broker clearly falls under GDPR or a state privacy law and has an established opt-out process, services can obtain removals and reduce exposure. They are particularly effective on mainstream people-search and marketing sites in their home markets. They are less effective for long-tail brokers, datasets that require more complex legal argument, and situations where your identity appears under multiple variants or across many jurisdictions. Their impact also decays over time if re-listing is not monitored.

Are data broker removal services worth it?

They are often worth it for individuals with moderate risk who lack the time or patience for DIY opt-outs. In those cases, the service automates repetitive work across a known broker list and runs periodic sweeps. They are less suitable for high-stakes situations involving executives, regulated professionals or targeted threats, where you need an OSINT-led investigation that goes beyond standard broker lists. For very low-risk individuals with a small number of exposures, a guided DIY approach may offer similar outcomes without a subscription.

How does data broker removal work under GDPR and CCPA?

Under GDPR, you can invoke Article 17 to request erasure when your data is no longer needed, when you withdraw consent, or when you object to processing such as direct marketing. Controllers must erase the data without undue delay and, where they have made it public, take reasonable steps to inform other controllers. Under CCPA and similar state laws, residents can request deletion of personal information collected from them and opt out of sale or sharing. The California Delete Act adds a central mechanism that registered data brokers in California must check at least every 45 days from August 2026 onward.

When is DIY data broker removal enough?

DIY removal is usually enough when your exposure is limited to a manageable number of well-known people-search and marketing sites, you have a simple identity history, and you can devote time to the process. You can use GDPR Article 17 requests in the EU or relevant state-law rights in the US and follow each broker's published opt-out procedure. Public guides from regulators and specialist firms, including our EU-focused data broker opt-out guide, provide broker lists, URLs and template wording to support this approach.

When do I need a full OSINT data broker investigation?

You need a full OSINT-led investigation when the stakes of exposure are high and your footprint is complex. That includes executives, board members, politically exposed persons, and individuals who have already experienced targeted fraud, harassment or extortion. In those cases, broker data intertwines with breach data, historical domains and other sources. An investigation maps this wider surface, prioritises interventions where they matter most, and documents evidence that can support escalation to regulators or legal counsel if necessary.
