Search results for your name, an address you no longer live at, a phone number you stopped using two years ago, your spouse’s employer next to your work history. The question that sends people to articles like this one is simple: how do I make this stop?
The honest answer is that it is four problems, not one. Each layer of personal data on the internet (the publicly indexed surface, the corporate records sold between businesses, the secondary aggregators that re-acquire what you removed, and the opaque controllers who never surface to public lookup) has its own legal mechanic, its own time cost, and its own definition of what “deleted” actually means.
Where the data actually lives is a different question, answered separately. This article picks up where that one ends: once you know what is there, how do you make it go away.
Most guides on this topic skip directly to a list of opt-out forms. That works for one layer. The other three are why the data comes back.
The vocabulary problem — delete, forget, object, suppress
Before any opt-out form, the choice of which legal right to invoke matters more than most people realise. There are three commonly conflated rights, and one widely misunderstood mechanic.
Right to erasure — Article 17 of the GDPR. Your data is removed from the controller’s records. Subject to specific exceptions (legal obligations, public interest, freedom of expression). This is what most people mean by “delete.” It is the strongest right in writing and the slowest in practice.
Right to be forgotten — colloquially used as a synonym for Article 17, but in case law it refers to the search-engine de-indexing path established by Google Spain v AEPD (C-131/12, 13 May 2014). De-indexing means the data still exists at the source. Google simply will not surface it when someone searches your name. The page on the original site is unchanged, and the next aggregator that crawls that page can still find you.
Right to object — Article 21 of the GDPR. You object to the processing on the basis of legitimate interest. The controller must stop processing your data unless it can prove compelling overriding grounds. For direct marketing specifically, Article 21(2) is absolute: no balancing test, no counter-claim. The controller stops processing on request.
The mechanic this last right creates is what most guides skip. When you exercise Article 21 against a data broker, or when a broker complies with Article 17 erasure, they typically retain a one-way hash of your record marked as suppressed. The broker is permitted to do this under Article 17(3)(b) (compliance with legal obligation): they need to remember that you opted out so they do not accidentally re-list you the next time they ingest a public-record refresh. This is the suppression record: your data is gone from the active processing layer, but a stub remains specifically to keep you off it.
In practice, this is what you want. A broker that simply deleted everything would have no way to remember you objected, and the next data refresh would re-create the record from upstream sources. The suppression record is the difference between “deleted today” and “stays deleted.”
In US law the same mechanic exists under different names. CCPA’s “Do Not Sell or Share My Personal Information” creates an opt-out preference the controller must honour going forward. The California Delete Act (SB 362), in effect since January 2026, builds a centralised registry where a single submission propagates to every registered data broker. Each one keeps a suppression entry for that registry hash.
The practitioner point: knowing which right to invoke saves cycles. An Article 17 erasure of marketing data lands faster framed as Article 21(2) objection. A blanket Article 17 against a controller with legitimate-interest non-marketing processing usually triggers a balancing-test refusal that takes a month to resolve. Choosing the right that fits the controller’s category is the single highest-impact move in DIY removal. It is also the part the listicle guides do not cover.
We unpack the EU GDPR mechanics in detail in our analysis of whether broker removal is legal in Europe.
Layer 1 — People-search platforms
People-search platforms are the visible top of the iceberg. Spokeo, Whitepages, BeenVerified, Intelius, MyLife, Radaris in the US; 192.com in the UK; the local equivalents elsewhere. Their records are publicly indexed. Anyone can search your name and read what they hold.
Removing yourself from this layer is the most DIY-feasible part of the process. Each platform offers an opt-out path, usually involving a request form, a verification email, and a confirmation step. A determined person can clear the major US people-search platforms in eight to fifteen hours of work spread over a week.
What matters at this layer is method. Use a single dedicated email address for the opt-outs (you will receive verification mail you do not want at your primary address). Document every submission with timestamps. Keep screenshots of confirmation pages. The platforms re-list cleared records when they refresh from upstream sources, and the only way to tell whether the re-list is a new ingest or a failed opt-out is your own audit trail.
Our data broker opt-out guide lists the major platforms with current opt-out URLs and verification quirks. The URLs change frequently and many of the published guides on this query lead to dead links.
Layer 2 — B2B data brokers
The middle layer is invisible to the public web. B2B data brokers (Acxiom, LexisNexis Risk Solutions, Experian Marketing Solutions, Oracle Data Cloud, TransUnion marketing) sell to other organisations: marketing companies, identity-verification services, insurance underwriters, employment-screening firms. Their records do not surface to consumer search.
The Layer 2 problem is not only compliance. It is discovery. A consumer search engine will tell you Spokeo holds your name. A B2B broker like Acxiom will not. You cannot opt out of what you cannot identify, and building a target list is the prerequisite. There is no single place to do it.
In the United States, two registries help. Vermont’s data broker registry, public since 2018, lists every broker doing business with Vermont residents, well over a hundred entries, updated annually. The California Delete Act registry, in effect since January 2026, is the broader of the two: California requires every data broker selling personal information to register with the California Privacy Protection Agency, and the registry is publicly searchable. A Delete Act submission propagates across every registered broker, but the registry itself is also useful as a pure discovery instrument. Even if you live outside California, brokers selling Californian data are typically the same ones selling yours.
In the EU and UK, there is no equivalent registry. The ICO has resisted maintaining one, and EU law does not require brokers to publicly self-identify as such. The practical discovery routes are: trade-association member directories (DMA in the UK, FEDMA at EU level, equivalents at national level); chained Article 15 access (one broker’s response often names the downstream recipients of your data, and each named recipient is itself a broker, so the chain maps the network); sector adjacency (credit-bureau marketing arms, insurance-data vendors, identity-verification firms, and employment-screening services all overlap with the broker definition under most regulators’ interpretation); and breach disclosures, which occasionally name brokers as victims and seed further research.
Two concrete examples illustrate why this discovery work matters. CACI Limited in the UK builds the Acorn household classification: every UK postcode segmented into demographic and behavioural categories using combined consumer data. Most marketing decisions made about UK residents have been filtered through Acorn at some point; most UK residents have never heard the name. AZ Direct, the Bertelsmann-owned direct-marketing subsidiary in Germany, maintains direct-marketing files across the EU. The Bertelsmann parent is a household media name; the AZ Direct subsidiary is invisible to consumers. Both publish DSAR portals; both honour Article 21(2) marketing objections under GDPR. Neither will surface if you search for “UK data brokers” or “EU data brokers.” That is the discovery problem in concrete form.
The work is iterative and jurisdiction-specific. Trade names diverge from corporate registrations, mergers and rebrands shift the map, and a list assembled even a year ago is partly stale (RELX owns LexisNexis Risk Solutions; the marketing arm of TransUnion sits separately from its credit-reporting arm; the data-broker entity behind a privacy policy is often named differently from its consumer-facing brand).
This is the part of removal where expertise compounds most. A maintained list of forty to sixty European-relevant brokers, kept current across mergers and rebrands, is the asset that makes Layer 2 tractable. Building it from scratch takes weeks of research before a single Article 15 request goes out. This is one of two places (the other being Layer 4 escalation) where analyst-led services genuinely compound over DIY effort: not because the work is unique, but because the cost of doing it once is high and the cost of keeping it current is permanent.
The mechanic itself is GDPR Article 15 (right of access) followed by Article 17 (erasure) or Article 21 (objection). The two-step matters because most B2B brokers will not disclose what they hold without an access request, and you cannot meaningfully demand erasure of records you cannot see. The right-of-access request is what triggers the legal clock.
For pure direct-marketing purposes, skip directly to Article 21(2). It is absolute, the controller has one month under Article 12(3), and there is no balancing test. The marketing arm of a data broker that ignores an Article 21(2) objection has violated the GDPR straightforwardly, and the supervisory authority complaint that follows tends to land within weeks.
For non-marketing processing (credit-relevant scoring, insurance datasets, identity verification), the controller can claim compelling legitimate grounds. Most do not, when pressed in writing with the article references. The British case is instructive: the ICO’s appeal against Experian’s data-broker arm was dismissed by the Upper Tribunal in April 2024, narrowing what the regulator can pursue at scale, but individual rights under Article 17 and Article 21 remained intact. We covered the practitioner consequences in our UK data broker rights guide.
Time cost at this layer: roughly one to three hours per broker, mostly spent waiting for the statutory one-month response. Across the dozen-or-so B2B brokers most likely to hold records on a given individual, you are looking at twenty to forty hours over three months.
Across forty brokers, three jurisdictions, and a quarterly re-scrub cycle, the documentation discipline is the work that compounds. The Eraser handles layer-2 and layer-3 mechanics for €3,800 fixed.
Talk to an AnalystLayer 3 — The secondary aggregator layer
The third layer is where most DIY removal projects fail. Brokers do not store data in a vacuum. They re-acquire it from upstream sources: public-record refreshes (court filings, voter rolls, property records, business registries), marketing-list resellers, scraped data from forums and review sites, breached datasets that propagate through grey markets.
The reason a broker re-lists you sixty to ninety days after you opt out is not, usually, that they ignored your request. It is that their next ingest from an upstream source re-creates the record. This is what the suppression record is for: a properly maintained broker recognises the new ingest matches a suppressed record and drops it. A poorly maintained broker re-creates the record because the suppression flag was scoped only to the active processing layer.
Knowing this changes how you think about removal. Each layer-2 opt-out is a perpetual claim, not a one-off. The 90-day re-scrub pattern that exists on the Eraser engagement is the practical accommodation: a second pass three months after the first catches the re-ingests that slipped through the suppression layer.
Two practitioner moves help here. First: when you submit an Article 17 erasure to a broker, explicitly request retention of a suppression record under Article 17(3)(b). Most brokers maintain one anyway, but the written request shifts the burden: if a re-list appears, your erasure becomes a tracked compliance failure rather than an ambiguous re-acquisition. Second: identify the specific upstream sources that feed a given broker. Many EU brokers disclose this in their privacy policies under the GDPR’s transparency requirements. Removing yourself at the upstream source, where possible, is more durable than playing whack-a-mole at the consumer-facing layer.
Some upstream sources cannot be opted out of. Court filings are public record by statutory design. Voter registration is mandatory in some jurisdictions. Company directors are visible by company-law transparency. Knowing which sources are immovable is part of setting realistic expectations for what “delete from the internet” can mean.
Layer 4 — The opaque controllers
The fourth layer is the hardest. Controllers who do not respond to access requests, who issue template denials that fail to address the request, who hide behind legitimate-interest claims they will not document, who cite jurisdictional ambiguity to delay.
The remedy is supervisory-authority complaint. Article 77 GDPR gives every data subject the right to lodge a complaint with the DPA in their member state of residence. The DPA opens a procedure, contacts the controller, and issues corrective orders or fines under Articles 58 and 83. This is not theoretical: the Dutch Autoriteit Persoonsgegevens fined Clearview AI €30.5 million in May 2024; the French CNIL issued €20 million against the same company in October 2022.
Across jurisdictions the path differs. In the UK, the ICO. In Germany, one of seventeen federal-state DPAs depending on the data subject’s residence. In the US, no equivalent unified mechanism. California’s Privacy Protection Agency is the closest, with state-by-state coverage gaps elsewhere. Cross-border cases involving controllers based outside the EU often rely on the One-Stop-Shop mechanism under Article 56, with a lead supervisory authority coordinating across affected member states.
This is where DIY removal hits its ceiling. Drafting a complaint that an under-resourced DPA will pick up, sustaining the case across the months it takes to resolve, knowing which precedent to cite for which jurisdiction: these are not hours-of-work problems. They are knowledge problems. They are the reason removal services exist as a category.
What it actually takes — the realistic budget
A complete DIY pass across the four layers, for an individual with average exposure, runs roughly forty to eighty hours of work over three to six months. Layer 1 is front-loaded; Layer 2 is mostly waiting; Layer 3 means a follow-up cycle every quarter; Layer 4 is occasional but high-effort when it triggers.
Repeated quarterly (which is what staying deleted actually requires), that is sixteen to thirty hours per quarter indefinitely. Most people who start the project do not finish Layer 2. The brokers that re-list within ninety days, the templates that say “we have processed your request” without documenting what was actually deleted, the supervisory-authority paths that require knowing which article to cite for which kind of refusal: these accumulate into a documentation tax that exceeds the patience budget.
This is the gap that services exist to fill. The honest framing is that the value is execution discipline plus jurisdictional knowledge plus a tracked re-scrub cycle, not access to a list of brokers (the brokers are findable). For readers comparing options, our analysis of whether removal services actually work sets out what the better services do, what the worse ones bot-spam, and where DIY beats either.
What “deleted from the internet” can mean in 2026
Across all four layers, “deleted” in 2026 means something specific: the active processing of your data has stopped, suppression records prevent re-ingestion from upstream sources, search-engine surfacing has been de-indexed where the path exists, and a documented audit trail records what was removed and what was retained under exemption.
It does not mean the data ceases to exist anywhere. Public records remain public. Court filings remain searchable. The Wayback Machine remembers. The right to be forgotten in case law has always been about the visibility layer, not about erasing the past.
For most reasonable threat models, the difference is invisible. The records that remain are slow, jurisdiction-specific, and effort-gated. That is what privacy at scale actually means.
For higher-risk threat models, the difference matters. If you are litigating, being targeted, or under active surveillance, layer-by-layer removal is necessary but not sufficient. Active monitoring (the kind built into the Shield engagement) and deeper investigation (the kind that maps where records exist before erasure begins, on the Mirror) are the supplementary mechanics.
But for the searcher who arrived at this article wanting their data off the internet: start with Layer 1. Document everything. Choose Article 21(2) over Article 17 for marketing purposes. Request a suppression record explicitly. Plan for the 90-day re-scrub. And know in advance which layer you will not be able to handle alone.
That last decision, when DIY stops being the right answer, is the one most guides do not let you make honestly.
Sources
- GDPR primary text: Regulation (EU) 2016/679 — full text on EUR-Lex
- Case law: Google Spain SL v AEPD (C-131/12, 13 May 2014)
- UK Tribunal: ICO v Experian Limited (UKUT 105 AAC, April 2024)
- US legislation: California Senate Bill 362 — Delete Act (2023)
- Enforcement reference: Dutch DPA Clearview AI €30.5M fine (May 2024)