Personal data removal laws: Do they protect you?

Signing up for Amazon Prime, managing online banking, using PayPal—everyday tasks lead you to hand over personal details more often than you realize. Even if you’re simply browsing social media, the amount of information you share can be staggering. Just Google your name. You might find your phone number, address, or pictures posted on sites like People Finder, Whitepages, or other background-checking services. You may even discover imposter accounts pretending to be you on Facebook or other platforms.

According to some surveys, one-third of internet users aren’t even sure what personal information of theirs is available online, who holds it, or even how it got there. The endless flow of data between websites, data brokers, and social channels has also created new legal questions around privacy. 

In response, several governments have introduced laws requiring websites to erase your details in certain circumstances, giving you more say in how your information is used. 

But here’s the question: Do these laws fully protect you, or are there still loopholes and gaps? Let’s explore where the laws work well, where they might fall short, and the practical steps you can take to protect yourself and reclaim more of your digital privacy. 

Jump to…
Why your personal data ends up everywhere
Laws mandating personal data deletion
Limitations of laws surrounding personal data removal
Risks of exposed personal information online
Why it’s so hard to remove your data from the internet
How to remove your data from the internet
Automated services for data removal
The dark web: Why data removal laws don’t apply
A balanced approach: laws + self-initiative

Why your personal data ends up everywhere

Before you can take full advantage of data-deletion laws and remove your information from the internet, you should understand how that data got online to begin with. Let’s look at the most common ways. 

• Account signups and purchases: Each new account or profile you open and all those “Accept” buttons you click on various platforms allow them to retain your name, email, phone number, address, and other details.
• Overactive social media: Posting photos with the location tagged, check-ins, or personal announcements can give away location data. It can also reveal information like your daily routine or travel plans.
• Data brokers: These companies gather personal details from all over—public records, online trackers, social media, app usage. They then analyze and sell it to advertisers, businesses, or even individuals willing to pay. 
• People-finder platforms: Sites like TruthFinder, Whitepages, and PeopleLooker scrape public data to build profiles that often include phone numbers, addresses, family connections, or past legal entanglements.
• Public records: Court filings, real estate listings, voter rolls, and more can legally be made public and then appear online.
• Web analytics: Browser cookies, device IDs, and tracking pixels help build an overarching profile of your browsing habits.

Identifying who collects your data is the first step toward limiting how they use it. Once you know who has it and where it’s stored or shared, you can figure out how to remove it. 

Fortunately, several laws now mandate that businesses and data brokers comply with data-deletion requests, giving you more control over your digital footprint.

Laws mandating personal data deletion

General Data Protection Regulation (GDPR)—European Union

• Right to erasure: Also called the “right to be forgotten,” it requires companies to delete personal data within 30 days of the individual’s request if it meets the criteria for removal.
• Broad scope: It can reach companies located outside the EU if they serve EU residents.
• Not absolute: Some exceptions apply, like public interest or legal requirements.

California Consumer Privacy Act and the California Privacy Rights Act (CCPA and CPRA)—U.S.

• Right to delete: Under the CCPA, you have the right to request the deletion of personal information collected by businesses. The CPRA bolsters this right by requiring businesses to notify third parties about deletion requests, ensuring broader compliance.
• Exceptions: Both these laws include exceptions where businesses can retain your data for legal obligations such as for fraud detection or if deletion would impair research capabilities. This lets companies sidestep deletion requests under certain conditions.

California Delete Act—U.S.

• Data broker registration: Under this Act, data brokers are required to register and disclose what personal information they collect, which improves transparency and accountability in data handling practices.
• Expanded rights: With the Delete Act you can issue a one-time deletion request to all registered data brokers. This law attempts to address gaps in the previous laws by letting consumers delete data collected indirectly or aggregated from various sources.

State and global expansions

Other U.S. states, like Colorado and Virginia, have adopted similar privacy laws, each with its own nuances. Additionally, in April 2024, Congress introduced the American Privacy Rights Act (APRA) that aims to provide comprehensive federal data privacy protections similar to the EU’s GDPR. APRA seeks to unify state laws, giving all U.S. consumers greater control over their personal data while simplifying compliance for businesses. 

Outside the U.S., Brazil has the GDPR-inspired Lei Geral de Proteção de Dados, and Canada incorporates similar rights with the Personal Information Protection and Electronic Documents Act.

Limitations of laws surrounding personal data removal

These laws offer tools, but they aren’t cure-alls. Trying to remove your data from the internet can still present several hurdles. Companies can still refuse to delete your data under certain circumstances. And there’s limited to no enforcement if a site operates from another country or on the dark web. Other challenges include:

Complex processes to request deletion

Submitting deletion requests often involves navigating complicated processes. For example, the CCPA offers multiple ways to request data removal, but figuring out which option is right for your situation can be overwhelming and time-consuming, especially if you’re new to digital privacy rights.

Lack of enforcement mechanisms

Some laws, like Virginia’s Consumer Data Protection Act, don’t allow you to sue companies directly for non-compliance. Enforcement is handled only by state attorneys general and this can discourage consumers from pursuing their rights if they believe companies might ignore their requests without facing consequences.

Exceptions and ambiguities

Many privacy laws include exceptions that can be really confusing. Businesses can argue that  they need to keep certain data for legal or operational reasons and before you know, you’re in the middles of a dispute over what even is seen as a valid reason to retain your information.

Inconsistent compliance across states

With different states implementing varying privacy laws, understanding your rights can be tricky depending on where you live. This inconsistency makes it harder to ensure your data is fully removed across different regions.

Operational challenges for businesses

Companies also struggle to handle deletion requests efficiently. If they don’t have strong systems to track and manage data, fulfilling these requests can be time-consuming and prone to errors, resulting in frustration if your data isn’t deleted as promised.

Risks of exposed personal information online

Lack of privacy can leave you vulnerable to various threats.

Identity theft

Criminals might use your name, address, and Social Security number to open new accounts, file false claims, and pass background checks. Leaked medical details can lead to fraudulent insurance claims or false worker’s comp filings.

Harassment, stalking, doxxing

An ex-husband, ex-boyfriend, or a disgruntled acquaintance may track your address, workplace, or day-to-day movements if they find detailed info. Pictures or phone numbers can be weaponized for online harassment. Strangers could also threaten you via doxxing, where someone’s private details are published to harass you.

Fake social profiles

Stolen photos or personal facts can be repurposed into accounts that impersonate you, possibly damaging your reputation or luring your friends into scams.

Future ramifications

Employers often research potential hires. Old arrests, negative news, or even inaccurate data can tank your career if it remains easily searchable. Personal relationships may sour if misguided rumors or outdated records linger on the internet.

It might feel alarming, but remember that you have more control than you think—the key is learning how to exercise it.

Why it’s so hard to remove your data from the internet

Data frequently circulates among multiple platforms or gets republished once a site updates its databases. Deleting yourself from one broker’s site doesn’t always mean it’s gone everywhere. Also, most data brokers don’t make it easy to opt out. You might need to email them, fill out forms, or even send faxes with proof of identity. It’s not just time-consuming; it can feel daunting (and a bit ironic) to share a copy of your ID to remove your details.

Even under GDPR or CCPA, businesses can argue they have a legitimate reason to keep your details—be it fraud prevention, legal obligations, or free speech. That said, some websites push these exceptions further than intended. 

Then there’s the dark web. Once your data has been hacked or leaked your info may end up on hidden marketplaces. The big problem with this is that there’s no practical way to force criminals to remove your data from the dark web.

The best approach is to tackle the big offenders like major people-finder sites first. Start there, and you’ll reduce your exposure significantly. 

Read more: So your information is on the dark web. What now?

How to remove your data from the internet

There are methods to attempt to remove yourself from the internet. 

1. Identify and audit

• Search yourself: Google your full name, nicknames, and usernames. Repeat for phone numbers or addresses to see where they appear.
• List data broker sites: Check major ones like Whitepages, Spokeo, PeopleFinders, and TruthFinder. Note any that list you.

2. Submit removal requests

• Use site-specific opt-outs: Most people-finder sites have removal instructions—though some are buried deep in their terms of service or privacy policy. 
• Invoke your rights: If a site operates under GDPR or CCPA rules, reference the relevant law in your request.
• Document everything: Save screenshots of your profiles before removal, copies of emails, and any reference numbers.

3. Shut down outdated accounts

• Delete old social profiles: That decades-old profile you forgot might still host images or personal facts.
• Remove personal info: If you can’t delete an account, clear your address, phone number, or financial details, and change the username to something non-identifiable.

4. Clean up your social media

• Review privacy settings: Facebook, Instagram, TikTok, etc. often default to open or semi-public sharing. Restrict who can see your posts and personal data.
• Scrub older posts: If you overshared in the past, remove those posts or make them private.
• Close accounts no longer in use: If there’s an old account or profile gathering dust, there’s no reason to leave it on a distant server. Delete these idle profiles for good so the data they once held—like your messages or personal details—disappears from company servers permanently.

5. Ask Google to remove outdated info

• Outdated content removal: Google offers a form to request removal of links that show personal or identifying info.
• Blur images on Maps: If your home or license plate is visible on Street View, report it to have it blurred.

Automated services for data removal

You can handle everything manually, or you can opt for a dedicated removal service. Tools like ExpressVPN’s Data Removal (available in the U.S.) scan numerous data-broker and people-search sites at once, sending out removal requests for you—and then rechecking in case that info comes back.

How Data Removal compares with DIY:

The dark web: Why data removal laws don’t apply

First, laws such as GDPR and CCPA simply do not apply to hidden marketplaces run by cybercriminals. Second, removing your data from the dark web is extremely difficult, if not impossible, for these reasons:

• Decentralization: The dark web is not a single entity but a network of hidden sites with no central authority. There’s no one you can contact to request data removal.  
• Anonymity and encryption: The dark web prioritizes anonymity and uses strong encryption. This makes it very hard to trace who is responsible for leaking or selling data.  
• Data replication: Once your data is on the dark web, it’s likely copied and shared multiple times. Even if you could find one source and have it removed, countless copies likely exist elsewhere.

A balanced approach: laws + self-initiative

Privacy laws like GDPR and CCPA are big steps toward giving you more control over how websites handle your data. They provide a legal framework to request deletion and require companies to be transparent about their data handling practices. Still, these regulations won’t handle everything for you. Some platforms might claim exemptions or simply operate under the radar. And, of course, the dark web remains untouched by legal mandates.

You’re not powerless. By combining your legal rights, practical strategies to remove your data from the internet, and a strong set of privacy tools, you can reclaim control over your online identity—even if total invisibility isn’t realistic.