This guide explains exactly what data is out there, where it comes from, how to find what is online about you specifically, and how to go through the removal process systematically — both manually and with automated tools. It also covers what the law currently says about your rights, what the realistic limits of removal are, and how to reduce the amount of new data you generate going forward.
1. What Data Is Already Online About You
Most people dramatically underestimate the scope of what is available. It is not just your name and phone number. The categories of personal data that data brokers typically hold and sell include your full legal name and all known aliases or former names, every address you have lived at going back years, all phone numbers associated with your name, all email addresses, your date of birth, your Social Security Number in many cases, your relatives' names and their contact information, your neighbors' information, your employment history, your educational background, your estimated income and net worth, your property ownership records, your vehicle registration details, your voter registration status and party affiliation, your criminal and court records if any exist, your bankruptcy filings, your marriage and divorce records, your social media profiles and usernames, your browsing and purchasing behavior patterns, your health-related search history, your political and religious leanings as inferred from data, and the names and ages of your children.
That is not a hypothetical list. Those are documented categories from the Federal Trade Commission's own 2014 Data Broker Report, and the scope has only expanded in the decade since. Data brokers collect anything and everything they can — personal information, financial information including creditworthiness, bankruptcy data, and mortgage details, online behavior data including favorite websites and recently viewed ads, health information including medication purchases and symptom searches, habits and interests, political and religious beliefs, and social connections including family members, coworkers, and friends.
2. Where It Comes From — The Data Collection Pipeline
Understanding where this data originates is important because it tells you both how to reduce new collection and why complete removal is difficult. There are several distinct channels through which your information enters the data broker ecosystem.
Public records are the largest single source. Government agencies create and publish enormous amounts of personal information as a matter of course — voter registration rolls contain your name, address, date of birth, and party affiliation. Property records list your name and home address when you purchase real estate. Court records document civil disputes, criminal proceedings, divorces, and bankruptcies. Business license filings list owners' names and addresses. Obituaries record family relationships. Birth and death certificates, marriage licenses — all public record in most U.S. states and many other jurisdictions. Data brokers have automated the process of scraping, parsing, and ingesting all of these sources continuously.
Commercial data purchases are the second major channel. When you use a loyalty card at a grocery store, purchase something online, fill out a warranty card, enter a contest, sign up for a coupon service, or subscribe to almost any free service, your transaction data is typically sold to data brokers as a standard business practice. Your purchasing patterns — what you buy, how often, from where — are extraordinarily valuable for building behavioral profiles.
Social media and web activity feeds into profiles through tracking pixels, third-party cookies, and data-sharing partnerships. The interests you express on Facebook, the searches you run on Google, the topics you engage with on Twitter/X — all of this is packaged and sold through advertising data markets that data brokers tap into. Even when you use a pseudonymous account, cross-device tracking and behavioral pattern matching can link your anonymous activity to your real identity profile with surprising accuracy.
Data breaches are an increasingly significant source. When a company that holds your data suffers a breach, that data typically ends up on underground forums and then gradually migrates into data broker databases. Data breaches are more frequent than ever — your info does not get leaked once, it gets leaked again and again because brokers constantly resell it. Your data from a breach that happened five years ago may still be circulating and being refreshed into new broker databases today.
Data broker-to-data broker sales mean that once your data enters one broker's database, it rapidly proliferates across hundreds of others through the resale market. Removing yourself from one broker does not remove you from the brokers who already purchased your profile from them.
3. Who Buys and Uses Your Data
The buyers of data broker profiles are more diverse than most people realize. The obvious category is marketers — advertisers who want to target specific demographics with ads, direct mail campaigns, and telemarketing calls. But the buyer list extends much further.
Insurance companies purchase data to assess risk profiles before setting premiums. Health insurers, auto insurers, and life insurers all use data broker profiles to infer lifestyle habits and risk factors. Employers and background check companies use data broker information during hiring processes. Landlords use them to screen tenants. Banks and lenders use them to supplement credit assessments. Private investigators use them to locate people. Law enforcement agencies in some jurisdictions purchase data to avoid the legal process required to obtain the same information through subpoenas. Political campaigns use voter file data combined with consumer profiles to micro-target messaging. And fraudsters, scammers, and stalkers use people-search sites — which are the consumer-facing layer of the data broker industry — to find targets and their personal details.
4. How to Find Your Own Data Online
Before you can remove anything, you need to know what is out there. This is the reconnaissance phase, and it is worth doing systematically rather than randomly.
Start with a Google search of yourself. Search your full name in quotation marks — "FirstName LastName". Then search with your city — "FirstName LastName" "YourCity". Then search with your phone number in quotation marks, your email address, and your home address. Look at the first three pages of results for each search. Note every site that displays your personal information. This gives you the most visible layer of exposure — the sites that rank well in search and therefore represent your highest-risk exposure points.
Search the major people-search sites directly. Go to each of the following and search your own name. Sites to check include Whitepages, Spokeo, BeenVerified, Intelius, Radaris, PeopleFinder, TruthFinder, Instant Checkmate, MyLife, ZabaSearch, PeekYou, Pipl, FastPeopleSearch, and USSearch. Most of these will show you a partial preview of your profile for free before trying to sell a full report. The preview is often enough to confirm that they hold a record on you.
Use a free data broker scanner. Several services offer a free scan that checks multiple brokers simultaneously. DeleteMe and Incogni both offer free scans that show you how many databases hold your information. Privacy Bee offers a free exposure report. These tools give you a quick overview of the scope of the problem before committing to a paid removal service.
Check breach exposure. Go to haveibeenpwned.com and enter your email addresses. This service, run by security researcher Troy Hunt, maintains a database of known data breaches and will tell you which breaches your email appeared in, what categories of data were exposed, and when the breach occurred. This tells you which of your accounts have been compromised and whether passwords, phone numbers, or other data associated with those accounts are circulating.
Search for images of yourself. Use Google's reverse image search or TinEye to upload photos of yourself and find where they appear online. This is particularly relevant if photos of your home, vehicle, or family members are visible on real estate listing sites, social media, or news archives.
5. The Data Broker Ecosystem — Major Players to Know
The data broker industry is not monolithic — it is composed of distinct categories of company, each with different data holdings, different customers, and different removal processes.
People-search sites are the consumer-facing layer — sites like Whitepages, Spokeo, Radaris, and FastPeopleSearch that publish your profile directly on the web for anyone to find. These are the highest priority for removal because they are what comes up in a Google search of your name and are directly accessible to stalkers, scammers, and anyone researching you.
Background check companies like BeenVerified, Intelius, TruthFinder, and Instant Checkmate sell detailed reports to consumers and businesses. They typically hold more extensive data than people-search sites, including criminal records, financial history, and employment records.
Marketing data brokers like Acxiom, Experian Marketing Services, Oracle Data Cloud, and Nielsen hold enormous behavioral and demographic profiles used to target advertising. These are harder to find because they are not consumer-facing, but they are the databases that feed much of the downstream industry.
Risk and financial data brokers like CoreLogic, LexisNexis Risk Solutions, and TransUnion sell data to insurance companies, banks, and employers. LexisNexis in particular holds an exceptionally comprehensive data profile on most American adults through its Accurint product, and it is worth submitting a removal request directly to them.
Aggregator data brokers buy from all of the above and resell. Companies like Datalogix (now part of Oracle), Epsilon, and Equifax's marketing division sit at the top of the data resale chain. Removing yourself from aggregators is particularly valuable because their databases feed downstream brokers.
6. Manual Removal: The Step-by-Step Process
Manual removal is free and gives you direct control, but it is genuinely time-consuming. According to Incogni's research team, it would take the average internet user over 304 hours to remove their data just once across all major brokers. The process for each broker follows the same general pattern, with site-specific variations.
Step 1 — Create a dedicated email address for removal requests. Use a new email address that is not linked to your real identity for all opt-out communications. This serves two purposes: it keeps removal correspondence organized, and it prevents data brokers from adding your primary email address to their records through the verification process.
Step 2 — Create a removal request template. Write a standard email that includes your full name, all known aliases, all current and previous addresses, your date of birth, and a clear request for deletion citing applicable law. Reference applicable laws in your request — CCPA for California residents, GDPR for EU residents, UK-GDPR for UK residents. Even if you do not live in one of these regions, referencing CCPA or GDPR means some providers will honor the request without verifying whether the law directly applies to you.
Step 3 — Find the opt-out page. For each data broker, locate the page for submitting a request, which might be named "Opt Out," "Do Not Sell," "Privacy Request," "Right to Delete," or "Right to Be Forgotten." Your best bet is to start by looking for small-print links in the footer of the web page. Some brokers deliberately bury these pages. Some brokers hide their opt-out pages behind dozens of clicks. Others require you to fax forms, upload IDs, or repeat the request every 30 to 90 days because they reactivate your profile without warning.
Step 4 — Submit the request and document it. Keep a spreadsheet tracking every broker you have contacted, the date of the request, the method used (web form, email, phone), the expected processing time, and when to follow up. This documentation is essential because removal is not permanent and you will need to repeat the process.
Step 5 — Verify removal. After the stated processing time (typically 24 hours to 2 weeks depending on the broker), return to the site and search for yourself again to confirm your profile has been removed. If it has not, follow up with a second request referencing your original submission date and citing the applicable law's required response timeframe.
Step 6 — Repeat every 3 months. Data brokers refresh their databases continuously from public records, commercial purchases, and other brokers. Your work does not end with one removal. Data brokers refresh their databases regularly, and unless they use a suppression list that prevents them from collecting your data again, your personal information will reappear in time. Treat removal as an ongoing maintenance task, not a one-time fix.
7. Priority Removal List — Start Here
Given the scale of the problem, prioritize the sites that represent the greatest risk and the highest search engine visibility. Removing yourself from the top ten most-visited people-search sites eliminates roughly 80% of your direct online exposure. Start with these in order:
Whitepages — whitepages.com/suppression_requests. One of the highest-traffic people-search sites. Removal typically takes 24 to 72 hours.
Spokeo — spokeo.com/optout. Requires submitting the specific URL of your profile. Takes 2 to 5 days.
BeenVerified — beenverified.com/opt-out. Web form submission, 24-hour processing.
Intelius — intelius.com/opt-out. Takes 3 to 7 days. Intelius also owns PeopleLookup, USSearch, and Classmates — a removal from Intelius should cover these affiliated sites.
Radaris — radaris.com/page/privacy. Takes 1 to 2 weeks and sometimes requires email follow-up.
MyLife — mylife.com/ccpa/index.pubview. One of the most aggressive people-search sites — it aggregates data from many sources and its profiles can be extremely detailed. Removal requires email to privacy@mylife.com.
TruthFinder — truthfinder.com/opt-out. Same parent company as Instant Checkmate — a removal from one should cover both.
FastPeopleSearch — fastpeoplesearch.com/removal. Quick removal process, 24 to 48 hours.
LexisNexis — lexisnexis.com/privacy/for-consumers/opt-out-of-lexisnexis.page. This is the most important non-consumer-facing removal to make. LexisNexis holds comprehensive profiles used by insurers, employers, and law enforcement. Removal requires submitting a form with identity verification.
Acxiom — acxiom.com/optout. Acxiom is one of the largest marketing data brokers in the world. Removing yourself from Acxiom removes a major upstream data source that feeds many downstream brokers.
8. Automated Removal Services — Honest Comparison
If the manual process is not realistic for your situation, paid removal services handle the submissions, follow-ups, and repeat requests on your behalf. Here is an honest breakdown of the major services in 2026.
Incogni (by Surfshark) is currently one of the most comprehensive services. Incogni's data removal practices have been independently assessed by Deloitte, confirming verified removals from 420 or more brokers, recurring protection, and over 245 million removal requests processed. It costs around $7 to $13 per month depending on the plan and handles the repeat request cycle automatically. It provides a dashboard showing which brokers have been contacted and which have complied.
DeleteMe (by Abine) is one of the oldest services in the space, covering over 750 sites and providing quarterly privacy reports showing what was found and removed. It costs around $129 per year for an individual. DeleteMe also publishes free opt-out guides for over 200 brokers at joindeleteme.com that anyone can use without subscribing.
OneRep covers over 200 data broker sites and offers both individual and family plans. It is particularly strong on people-search site removal and provides real-time scanning and automated re-removal when profiles reappear.
Privacy Bee covers the broadest range of broker types including marketing databases, financial data brokers, and HR data sources that most other services do not address. It also includes a browser extension that actively blocks tracking.
All of these services have legitimate uses and genuine value, but none of them are permanent solutions on their own. Removing your information once is not always a permanent solution — repeat the process at least once every three months. A paid service automates that repetition, which is its primary value.
9. Your Legal Rights by Region
The legal landscape for data removal has improved significantly in recent years, though it remains fragmented and inconsistent.
California (USA) has the strongest framework in the United States. The California Consumer Privacy Act (CCPA) and its expanded version the CPRA give California residents the right to know what data is collected about them, the right to request deletion, and the right to opt out of the sale of their data. More significantly, the California DELETE Act of 2023 created a centralized system called DROP (Delete Request and Opt-Out Platform). DROP lets you send a single request to over 500 registered data brokers. Starting August 1, 2026, data brokers must delete your data within 90 days. This is a landmark development — a single free government platform that reaches hundreds of brokers simultaneously, with legal teeth requiring compliance.
European Union residents have the strongest global data rights under the General Data Protection Regulation (GDPR). The GDPR's "right to erasure" (Article 17) requires that data processors delete your personal data upon request when you withdraw consent, when the data is no longer necessary for the purpose it was collected, or when the data has been processed unlawfully. Data brokers operating in the EU must comply with these requests within 30 days. GDPR also has enforcement teeth — fines of up to 4% of global annual turnover for non-compliance have actually been levied against companies.
United Kingdom residents retain UK-GDPR rights post-Brexit, administered by the Information Commissioner's Office (ICO). Rights are substantially similar to EU GDPR.
Other US states with comprehensive privacy laws include Colorado, Connecticut, Virginia, Texas, Utah, Florida, and Oregon — each with varying degrees of deletion rights. The remaining US states have minimal or no formal data broker regulation, meaning removal in those states relies entirely on voluntary opt-out processes.
India passed the Digital Personal Data Protection Act in 2023, which includes a right to erasure, though implementation regulations are still being developed as of 2026.
Brazil's LGPD provides deletion rights similar to GDPR, and citing it in removal requests to Brazilian data brokers should produce compliance.
10. Google, Bing and Search Engine Removal
Removing your data from data broker databases does not automatically remove it from search engine results — search engines cache pages and may continue to show outdated results for weeks or months after the source page has been updated. You need to address search engines separately.
Google provides a dedicated tool at myaccount.google.com/data-and-privacy and a specific removal request form for personal information. Google will remove search results that display your home address, phone number, email address, login credentials, financial account information, national ID numbers, medical records, and explicit images if submitted without consent. The form is at support.google.com/websearch — search for "Remove personal information from Google." Google's policy was expanded in 2022 to make it significantly easier to request removal of contact information appearing in search results.
For content that has already been removed from the source website but still appears in Google's cache, use Google's URL Removal Tool in Google Search Console. Note that you do not need to own the website to request removal of outdated cached content — there is a specific "Outdated content" removal request option that handles this case.
Microsoft Bing has a similar removal request tool at bing.com/webmaster/tools/contentremoval. Bing tends to cache content for longer periods than Google, so it is worth submitting removal requests to both engines separately after the source page has been updated or removed.
Once the links to your profiles on the most popular sites are out of search results, Google will pull up links to less popular ones, keeping your personal info as exposed as before. To properly eliminate your information from Google, it is crucial to opt out of all people-search sites — not just the top ones.
11. Social Media Data You Do Not Realize You Are Sharing
Social media platforms are a significant but often overlooked source of personal data exposure — not through data brokers purchasing platform data directly, but through the public information you and your connections have posted over years. Before addressing data brokers, it is worth auditing your social media exposure.
Your Facebook profile almost certainly contains your date of birth, employer, hometown, current city, relationship status, family members' names (through the family relationships feature), political views, religious views, and years of location-tagged photos. Go to Settings → Privacy → Privacy Checkup and set your profile information, posts, and friends list to Friends Only or Only Me. Review your tagged photos and remove location data from older posts. Check what apps have access to your Facebook account and revoke everything you do not actively use.
LinkedIn is a professional directory by design, but it is also a primary source for data brokers building employment and contact databases. Consider removing your exact current address, personal phone number, and personal email from your profile — your work contact details are sufficient for professional networking. Review who can see your connections list, as your network graph is genuinely valuable data.
Instagram's location tagging feature creates a detailed record of your physical movements over time. Audit your post history and remove location tags from photos taken at your home address, your children's school, or any other sensitive location. Set your account to private if your audience is personal rather than professional.
Old accounts on defunct or rarely used platforms are a significant risk. Accounts on MySpace, old forums, dating sites, or any platform you no longer use continue to hold your data and can be breached. Use justdeleteme.xyz to find deletion instructions for hundreds of services and methodically close accounts you no longer need.
12. Preventing Future Data Collection
Use a virtual phone number for any sign-up that requires a phone number but does not genuinely need your real number. Google Voice provides a free US number. MySudo provides disposable numbers with privacy-focused design. Never give your real mobile number to loyalty programs, contest entries, coupon services, or any commercial sign-up.
Use masked email addresses for commercial sign-ups. Apple's iCloud+ Hide My Email feature and services like SimpleLogin and AnonAddy generate random forwarding addresses that deliver to your real inbox. When a masked address starts receiving spam, you know exactly which company sold your data, and you can delete that address without affecting your real email.
Opt out of data sharing with financial institutions. Under the Gramm-Leach-Bliley Act in the US, banks and financial institutions are required to allow you to opt out of sharing your data with non-affiliated third parties. Every financial institution you have an account with should have a privacy notice with opt-out instructions — exercise this right.
Opt out of pre-screened credit offers. The major credit bureaus sell your information to financial institutions for pre-screened credit card and loan offer mailings. Opt out permanently at optoutprescreen.com, which is the official opt-out mechanism operated by the major credit bureaus under the Fair Credit Reporting Act.
Use a PO Box or mail forwarding service instead of your real home address for any commercial purpose. Your home address is the most sensitive piece of data in your profile — it enables physical harm. Using a commercial mail address for all non-essential purposes limits how widely your home address propagates through commercial databases.
Review app permissions aggressively. Location data from your smartphone is one of the most valuable data points in the commercial surveillance ecosystem, and it is harvested continuously by apps that have no legitimate reason to need it. On both iOS and Android, go through every installed app and set location permission to "While Using" or "Never" — the default "Always" permission granted to many apps during installation is a continuous data stream to advertising networks.
13. The Realistic Truth About Permanent Removal
The honest answer is that complete, permanent removal from the internet is not achievable for most people, and it is worth being clear about why. Public records — court documents, property records, voter registrations — are generated by government agencies and are public by design in most jurisdictions. Data brokers can re-ingest this information every time they scrape public records, regardless of how many removal requests you have submitted to them previously. Until the law changes to require suppression lists (where a broker permanently flags your identifier as opted out rather than simply deleting your current record), the removal process is inherently cyclical.
What removal does accomplish is meaningful even if imperfect. It reduces your direct search engine visibility dramatically. It eliminates you from the databases that casual searchers, scammers operating at scale, and most bad actors actually use. It reduces the volume of spam calls, junk mail, and targeted marketing you receive. And it reduces the depth and accuracy of the profiles that remain — even if a broker re-adds a partial record from public data, the comprehensive aggregated profile built from commercial purchases and behavioral data is gone.
Think of it like locking your car. A determined thief can still break in. But locking it eliminates the opportunistic threat — the person who tries door handles in a parking lot. Most threats to your personal data are opportunistic rather than targeted. Systematic removal, combined with ongoing data minimization habits, raises the effort required to profile you to a level that most adversaries will not bother with. That is a realistic and worthwhile goal.
){kind=link}