Rob's Notes 37: Data Deletion Has an ID Problem
We might even pay for it, but agentic privacy needs help
While I personally love the idea of a web-based agent going around and cleaning up my digital PII data footprint, there are still a lot of problems with agent-based data deletion.The best known companies in this category are DeleteMe, Incogni and Optery but there are quite a few others. Part of the reason why it is still quite manual or ineffective is data brokers claiming not to be able to properly confirm the identity of the requester and/or the authorization provided on their behalf. Some data brokers lean on this as a primary reason to ignore deletion requests and in turn, some deletion agents don’t even try to submit to certain problematic brokers. It’s not ideal.
So while 86% of people say they are open to subscribing to such a service for $9.99 per month, per an October 2025 survey, that amount of money might not be enough for those vendors to actually do a good job providing this service. I also discount survey data like this, but even if half of those surveyed would actually pay that would be very significant. [a]
The Identity Ambiguity Issue
While laws like CCPA explicitly allow authorized agents, they don’t mandate standardized requirements for proof of identity. Data brokers exploit this gap by:
Demanding excessive verification (notarized documents, power of attorney, wet signatures)
Claiming the authorization form “isn’t sufficient” without specifying why
Requiring direct consumer verification even when an agent is authorized
Setting their own arbitrary standards that exceed legal requirements
Unlike financial services (which often have standardized authorization protocols), there’s no unified framework for privacy request authentication. Each broker can invent their own requirements: email verification, phone calls, physical mail, or they just reject everything from agents regardless. There’s limited regulatory enforcement, (these are largely based on state laws in the US) and penalties for non-compliance are often minimal compared to the value of keeping the data. Individual consumers lack the resources to fight back legally, and the data removal services can’t afford to litigate every refused request. Brokers know this and use it to their advantage.
By framing obstruction as “protecting consumer privacy” or “preventing fraud,” brokers can appear to be acting responsibly while actually violating the spirit (and sometimes letter) of privacy laws.
Source: Gemini 3 (Nano Banana Pro)
Here are some of the other issues with this agent-based data deletion product category:
Multiple services face criticism for overstating their capabilities or the number of sites they actually cover automatically versus requiring manual customer action.
No data removal service covers all thousands of U.S. data brokers, and brokers regularly re-add information and ignore opt-out requests
Data deletion intuitively seems to consumers like it should be a “one and done” but it’s not:
According to DeleteMe co-founder and CEO Rob Shavell, 42% of DeleteMe’s customers found their information was back on data broker sites within six months. “The reason we are an annual subscription service is that we go back to work when your information is found again,” Shavell said. “The broker bought it again or they scraped it from a different place.” [b]
Data breaches have exposed sensitive data of hundreds of millions of Americans, which ends up on the Dark Web where it can be bought and sold by hackers and scammers in an endless loop- something that may or may not intersect with “legitimate” data brokers!
The Public Data Problem
And of course some of this data (repeatedly) also comes from public sources or (mostly legitimate) credit bureaus. There’s thus a fundamental layer of data that can’t be deleted and continuously feeds the data broker ecosystem.
This includes things like property ownership records, voter registrations, court documents, marriage and birth certificates, professional licenses and tax liens and assessments.
Public records reform is a critical but often overlooked aspect of privacy protection. Meaningful public records reform faces an uphill battle against entrenched interests and constitutional traditions. The most progress is happening at state levels with targeted protections rather than comprehensive federal reform.
For example, the California Delete Act (2023) creates a state-run portal where residents can delete their personal information from 500+ data brokers with a single request, rather than contacting each company individually. Data brokers must register with the state, pay fees that fund the system, and honor both current and future deletion requests - meaning once you opt out, they can’t just re-add you later. While it doesn’t touch the underlying public records that feed the data economy, it effectively disrupts the commercial exploitation of that data by making mass opt-out simple and free for consumers while forcing the data broker industry to bear the costs and compliance burden.
Expanding California’s Delete Act model to other states - which doesn’t change public records but limits their commercial exploitation via data brokers - may be the most politically feasible path forward in the near term.
I hate to end with this, but getting a handle on your personal data is only going to become more crucial to lower the chances of getting spear-phished or deepfake-scammed in the future.
Notes:
[a] CollectiveMetrics recently surveyed 1,000 US users (October 2025) about a variety of online safety and privacy topics. Three of the questions (results never before shared until now) were about data brokers and asked:
A “data broker” is defined as ‘a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’ For example, if a person signs up for a dating app, a data broker may buy all recent sign ups of that dating app from the app developer and sell the information to a gym that is looking to target potential new customers. Are you familiar with the concept or term ‘data broker’?
[b] CNBC - Are data removal services worth it? (11/6/2025)