[HN Gopher] We caught companies making it harder to delete your ...
___________________________________________________________________
We caught companies making it harder to delete your personal data
online
Author : amarcheschi
Score : 251 points
Date : 2025-08-13 13:50 UTC (9 hours ago)
(HTM) web link (themarkup.org)
(TXT) w3m dump (themarkup.org)
| fnord77 wrote:
| Is there any downside to requesting data brokers delete your
| personal data?
| amanaplanacanal wrote:
| The biggest downside is that it's probably a waste of your
| time.
| anon_e-moose wrote:
| If you reach out to them you're risking validating that the
| data they already have is somewhat accurate, plus they might
| demand more information from you.
|
| What do you get back from giving that?
| SilverElfin wrote:
| My worry is that the request to delete data requires that you
| give them data about who you are. And who knows what they will
| do with that.
| droolboy wrote:
| Try trying to delete your OpenAI data. Even if you live
| somewhere with the right to forget or some protection they refuse
| the request unless you upload a copy of your ID. But then they
| have that data.
| amarcheschi wrote:
| If you live in the EU, a GDPR request can be followed by a
| request for your ID only if there is reasonable doubt that
| you're faking an identity. Groupon did this and had to stop:
| https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Groupon_I...
| olddustytrail wrote:
| I don't think there is a mechanism to do that. I think that
| puts all AI models in breach of the GDPR by default.
|
| I might be wrong but if I'm not that's a serious problem for AI
| companies.
| datadrivenangel wrote:
| "After reviewing the websites of all 499 data brokers registered
| with the state, we found 35 had code to stop certain pages from
| showing up in searches."
|
| That's not as bad as I would have expected
| stevekemp wrote:
| Of course you did. I've been submitting GDPR subject information
| requests to companies that spam me - and most of them ignore me.
|
| The ones that do take the time to reply usually say "We've
| deleted your personal data now", which is not at all what I want.
| I want to know what details they have about me, where they
| obtained it, and why they think spamming me is acceptable.
|
| I've got a folder where I keep printouts of the recent offenders,
| and once I get a few weeks of holiday I'll start filing small-
| claims cases against them.
| graemep wrote:
| > I've got a folder where I keep printouts of the recent
| offenders, and once I get a few weeks of holiday I'll start
| filing small-claims cases against them.
|
| A rare case of doing God's work at a profit!
| Reubachi wrote:
| Er, you're going to file multiple small claims in the US
| against (suspected) firms outside the US?
|
| Be prepared to be disappointed. There is 0 evidence/elements of
| damage in the eyes of the archaic courts in this case, as you
| have no evidence of being damaged. You may be annoyed, but
| you're not at psychical or monetary risk due to the actions of
| another.
|
| I disagree^ with the above, we live in the future where comm-
| spam is an inherent risk. However, I lost a small claims case
| where documented over 5 years Mazda put the wrong oil in my
| car. I found out after poring through paperwork and seeing the
| line items/overcharging (22 instances of this.)
|
| Judge dismissed it due to no "damage." 3rd cylinder died a week
| later.
| hendo3000 wrote:
| Does deleting your data even matter if it's already been sold to
| a data broker?
| ChrisMarshallNY wrote:
| What mugshot extortionists do, is charge you to delete your
| mugshot, then move it to another domain that they own.
| nemomarx wrote:
| "will pay to delete info" is one of the more valuable pieces
| of data about you after all
| BolexNOLA wrote:
| There's still value in turning the faucet off if you ask me.
| Especially if you've hardened security/privacy practices to
| better protect yourself moving forward.
|
| I only got really serious about consistently using VPNs,
| firewalls, adblockers, and more privacy centered browsers a few
| years ago. I would say over the last 8 to 12 months I finally
| started to see it pay off. I still don't see a lot of ads if
| ever, and they are wildly off target when I do see them. Using
| email aliases that I regularly purge has also made a huge
| difference when it comes to password/info leaks in particular.
|
| Now if I could only get my damn phone number under control...
| so tired of the endless spam texts
| jboggan wrote:
| If you are a California resident you can request a deletion via
| the state's new DROP platform which is launching next year.
| That will send the deletion request to every registered data
| broker in the state who will then have 45 days to comply. Part
| of that compliance is sending deletion notifications to
| everyone downstream that they have shared or sold your data to
| in the past. The penalty for not responding to a DROP request
| is going to be $200 a day, per request.
|
| Starting in 2028 CA registered data brokers will have to
| undergo audits to ensure that they have been complying with
| deletion requests to the fullest extent of the law. Now, maybe
| only 20% of actual data brokers are registered in California
| like they are supposed to be, but it's a start.
|
| Shameless plug: I'm building a platform to help the data
| brokers actually delete the data they are supposed to, provide
| full auditing and accounting for that process, and automate
| privacy request handling: forgetmenaut.com
| amarcheschi wrote:
| btw, in Europe, UK, Turkey you should be able to use the official
| European digital advertisement alliance website to opt out from
| profiling from a bunch of ad providers:
| https://www.youronlinechoices.com/
| jFriedensreich wrote:
| And as important: making it impossible or very hard and annoying
| to export and own your data.
| cnst wrote:
| Some companies somehow blatantly get away with not allowing any
| export at all.
|
| For example, Amazon eero, the overpriced WiFi router that
| doesn't even work (without phoning back home and having an app
| installed on your phone). They had an outage like a year ago,
| and during said outage, all your existing ad blocking stopped
| working, too, even if you never rebooted during the outage, and
| even though said blocking is supposed to be performed locally.
| I think you can't even get the ad blocking unless you or your
| ISP pays for the special subscription, either. (I imagine the
| thing could have removed all local ad blocking settings and
| lists during the time it couldn't confirm you're still a paying
| customer because their cloud was down?)
|
| Does anyone know how exactly does Amazon get away with not
| providing data export for their eero product? I haven't seen a
| Blink or Ring exports, either. The main Amazon dot com does
| have the export, which has some extensive data you may not
| think they do collect, but it doesn't cover eero, Blink or
| Ring.
| Someone wrote:
| > Does anyone know how exactly does Amazon get away with not
| providing data export for their eero product?
|
| I checked eero.com. It seems info about the product other
| than "it's a secure WiFi router that doesn't require users to
| manage it" is in the videos, if it is on that site at all,
| but I couldn't get the videos to play, so I may be wrong, but
| why would a WiFi router have personal data on the device?
|
| It will have the username and password at your internet
| provider, but what else does it store?
| williamscales wrote:
| I'm guessing Amazon could have info on their side about
| your eero. Without knowing more about the router's cloud
| functionality it's hard to say what exactly they would
| have.
| cnst wrote:
| It collects WiFi Radio Analytics (2.4GHz / 5GHz-Low / 5GHz-
| High frequency utilisation), Activity History (data usage
| by device, as well as "scan" and ad blocks by device).
|
| For ad blocking and network control, it also has "Block &
| Allow Sites" with the blacklisted and whitelisted domain
| names, which you may have to use to block ads and also
| unblock some domains that stop working as a result of bogus
| entries in the ad block.
|
| All of this information is stored in the cloud, but I found
| no way to export it in any way. I've actually contacted
| eero, asking for the export, and they've basically admitted
| that it's not supported.
| const_cast wrote:
| If you share data locally that's almost certainly over
| HTTP. Also DNS is usually over HTTP.
|
| So that's all your websites you visit, plus any data
| transmitted from your phone to computer or google TV or
| whatever the fuck.
| anonzzzies wrote:
| Yes, I am happy I can export my data with google but boy it is
| annoying to do.
| yard2010 wrote:
| Those pricks throttled the download to 30 kbps. When I tried
| to download with aria, after a few failed attempts (not
| straightforward ofc) I got a message saying I can only
| download it 6 times, and that I should send a new request.
|
| This is evil.
| dkiebd wrote:
| I have downloaded my data with google takeout dozens of
| times without a single issue. Speed was very high (maximum
| possible for my connection) and never had a download error.
| I'm talking about multi-gigabyte exports of my email and my
| drive.
| anonzzzies wrote:
| I have 900gb in my account and on my 500mbps connection
| it took forever to download, not because of my speed but
| because of theirs and it just 'connection failed' at 80%
| many many many times and asking to relogin. It should be
| illegal. Not supporting just wget -c (you can use it with
| a lot of trouble/hacks and it's not reliable which
| defeats the point) is just clearly done to annoy you into
| not doing it.
| barbazoo wrote:
| Different experience for me, ~500Gb so about 10 chunks of
| 50Gb (largest chunk size) that had to be downloaded by
| hand because of their auth. When the download got
| interrupted I had maybe 4 more tries, might have been
| more, but after trying too many times the entire takeout
| expired. Automating the process, and using smaller chunks
| didn't work at the time because of their opaque API and
| its auth.
|
| I feel like this has been made a shitty experience
| intentionally.
| jeffbee wrote:
| Yes, I am sure this is a mustache-twirling power move by
| Google, and not a bug in your obscure 20-year-old HTTP
| utility.
| behringer wrote:
| considering google is evil, yes I would expect this is
| google's fault
| msgodel wrote:
| I tried to for a number of years after they added it and my
| download always expired before I was able to complete it
| since it didn't support restarting. Eventually I got locked
| out of my account so I just lost all the data.
|
| These days I think of every account as ephemeral, anything I
| don't have in git on my local machine will disappear one day.
| legohead wrote:
| We didn't set out to hide our GDPR requests, we put them behind
| our Support/Legal button. But we got sued anyway, and we lost.
|
| Now we have to have the "delete my data" and "request my data"
| as part of our main settings list. Result: flooded with
| requests. People are clicking the buttons just because they are
| there. For me it's not a big deal, I automate all the requests.
| But, I still feel like this went too far.
| Slow_Hand wrote:
| I don't know what business you work for, but what makes you
| sure users aren't clicking the buttons because it's what they
| want AND it's convenient?
| const_cast wrote:
| Users having basic bare-bones functionality that all
| applications should support is "too far"?
|
| If the user can create an account, they should be able to
| delete one. One is not harder or further than the other.
|
| We just don't view it that way because we're all parasites
| who feed off the current status quo.
| inetknght wrote:
| > _People are clicking the buttons just because they are
| there._
|
| I think this isn't a very charitable opinion of why people
| click buttons.
|
| > _But, I still feel like this went too far._
|
| Why?
| user_7832 wrote:
| Yeah, as long as there's eg a confirmation to prevent
| misclicks "Are you sure you want to delete", I don't really
| see what's the problem.
| matheusmoreira wrote:
| > People are clicking the buttons just because they are
| there.
|
| The reasons why they click the buttons are utterly irrelevant
| to anyone except them.
|
| Let them click the buttons. It's their right.
|
| > But, I still feel like this went too far.
|
| Not far enough. I think data should be a massive liability.
| It should actively cost you lots of money to know any fact at
| all about any person anywhere on the planet.
|
| In other words, in an ideal world _you_ would be scrambling
| to press that button on their behalf the second your business
| with them was concluded. "Can we please forget everything we
| know about you please?" and only their explicit affirmative
| consent would allow you to _not_ delete their data.
| mnw21cam wrote:
| At the moment, holding data about someone is not a
| significant recurrent cost, but it _is_ a liability in the
| form of a risk that could get you in serious trouble if you
| get something wrong. However, that particular business risk
| doesn't tend to be recognised by many many organisations.
| It should be.
| dns_snek wrote:
| Can we get the full story? I don't believe that's what
| happened because GDPR does not prescribe any specific avenue
| of requesting data. You're not required to have a button on
| your website at all, it's completely valid to accept and
| respond to requests by mail, but it's obviously much cheaper
| to offer automated data export.
| jFriedensreich wrote:
| It's our human right to have realtime machine readable data
| copies of everything we do, it's no company's business to
| question or interfere. Unless it crashes your servers because
| trolls are trying to DOS, it is really hard to not be angry
| at a statement as "this is going too far".
| benjiro wrote:
| Here is another offender "VanceAI" ...
|
| Try deleting your account with the delete button. Nothing
| happens. Everything on the site perfect, just that Delete button
| is broken (and the request times out).
|
| But wait, you can send a ticket. Get response days later that it
| is marked as resolved.
|
| You go back to the site ... O, I am still logged in with my old
| session.
|
| Then you see your email: deleted_2544642405_blabla@gmail.com
|
| So fake "delete" by simply putting a deleted and some timestamp
| before your email address, while keeping your other data.
|
| O and the Delete button is also not fixed ;)
|
| Companies really only seem to learn with some hefty GDPR fines.
| tracker1 wrote:
| Has anyone used deleteme or a similar service? What was your
| experience, and do you feel it was worth it?
|
| It feels like such a cat and mouse game, that should be easy to
| automate, that said, I'm not sure it'll be effective.
| temp0826 wrote:
| I have (optery, not deleteme) and I think it's good to use at
| least once to clear out a buildup of your info out there. I
| couldn't justify paying for it monthly but if I was a semi-
| important person it might be worth it, or at least 1 or 2
| months out of the year. Many brokers aren't responsive and it
| takes forever or never actually happens, and stuff definitely
| creeps back, but from what I can tell there is a heck of a lot
| less of me out there.
| neon_electro wrote:
| I have used Incogni for a few years now, I was a little worried
| after the first year things wouldn't be worth the price, but
| I'm noticing that there are data brokers who will happily
| remove you but not put you on a block-list, meaning that they
| will happily ingest your information again if it comes to them,
| and another request from Incogni will be needed to remove it
| again.
|
| I'm on the fence about whether that's real value delivered from
| Incogni, but I do think overall it's working to limit some of
| the spread of my data.
| buzer wrote:
| > but not put you on a block-list, meaning that they will
| happily ingest your information again if it comes to them
|
| So since you don't know if they information or not, you
| should start sending them delete request every second? You
| know, just in case they got new data since the last request
| and we know it takes a while to actually process those
| requests.
| 725686 wrote:
| Deleting your personal data is just an illusion. Companies just
| mark your data as "deleted", but keep the data anyway, in the
| best of cases just for auditing purposes. You will never, ever,
| be able to delete your data. Stop dreaming.
| johnisgood wrote:
| Exactly, that is what I have been saying for ages.
|
| People think they can delete their messages on say, Discord. I
| tell them it is not deleted, just marked deleted. The data is
| still there.
| JoshTriplett wrote:
| Don't stop dreaming. Keep fighting.
| martin-t wrote:
| Here's how the law should work.
|
| You own the data you produce, both intentionally (writing, making
| videos) and unintentionally ("metadata", logs). You have to
| explicitly give others permission to use that data for any
| purpose where money exchanges hands (and many where it does not).
| You can limit or revoke the permission at any time.
| matheusmoreira wrote:
| > You have to explicitly give others permission to use that
| data for any purpose
|
| This is already the case. All the contracts and terms of
| service documents already contain these permission clauses.
| People don't even read such things.
|
| The funniest contracts are the ones that say "by using this
| site, you agree to [surveillance capitalism]". People have to
| navigate the site in order to even read the contract so it's
| logically equivalent to writing "by reading this contract, you
| accept it".
|
| People need to start making laws that invalidate these silly
| documents.
| martin-t wrote:
| Yep, just like it's illegal to sell your organs or sell
| yourself into slavery, society needs to recognize that even
| though the severity of exploiting personal data is much
| lower, the principle is the same - the power differential
| between the two parties is so large that the weaker one has
| no choice but to agree.
|
| It's the illusion of choice that gives it the veneer of
| legitimacy.
| Reubachi wrote:
| This is the case.
|
| In every aspect of life in which personal data is
| indexed/transmitted, the point of origin at least is some place
| you've explicitly indicated approval of this process. If you
| walk into Walmart, you are granting them the ability to sell
| your facial data and card metadata to whoever.
|
| No third party is calling your mobile provider to ask them to
| leak info. They are PAYING the mobile provider to leak them
| info that we provided express written consent for them to do
| so. To avoid these ToS and binding agreements, you would need
| to live a disconnected agrarian lifestyle. Literally, can't
| walk into any corporate store.
|
| yay!
| martin-t wrote:
| And this is exactly the problem.
|
| It used to be the case that you exchanged money for a good or
| service. It was a transaction of 1 thing for 1 thing.
|
| Now you're exchanging your money AND personal information for
| goods or services (sometimes both mixed in a way that is
| optimized to get as much money out of you as possible). And
| because those providing goods or services all have the same
| incentives, you don't have a free choice to pay a competitor
| who doesn't use these business practices.
|
| Freedom absolutists (such as ancaps) will claim you can
| always start a competitor. But that's just not true, these
| business practices are so advantageous that you either use
| them too or go out of business.
|
| The real solution is for people to unite and demand change
| together. And that's what governments are for.
| mnw21cam wrote:
| This is kind of the case. Under GDPR, the data can only be used
| for the specific purpose for which it was collected, unless
| explicit consent is obtained. Terms buried in contracts do not
| count as consent - a contract has to be clear about the purpose
| for collecting the data and why it is necessary to fulfil the
| contract, and using the data for any other purposes is illegal.
| martin-t wrote:
| Yes, despite all the hate GDPR gets from people who have to
| implement it and from companies whose business model is
| parasitic, it does seem to go in the right direction.
|
| However, I doubt it can be extended to training statistical
| models. LLMs and other models by their nature strip
| attribution which ironically happens to be the trick they are
| trying to use to break pretty much all open source licenses.
| Vinnl wrote:
| > Telesign, a company that advertises fraud-prevention services
| for businesses, offers a simple form for "Data Deletion" and "Opt
| Out / Do Not Sell". But that form is hidden from search engines
| and other automated systems, and isn't linked on its homepage.
|
| > Instead, consumers must search about 7,000 words into a privacy
| policy filled with legalese to find a link to the page.
|
| In fact, while they do have a robots.txt [1], their form [2]
| isn't actually listed there. Instead, the page itself has a meta
| tag: <meta name="robots" content="noindex, nofollow">
|
| The reason is probably something mundane like this being easiest
| to do via the Wordpress UI, but putting on my conspiratorial hat,
| they just want to make it even harder to find out that they did
| this.
|
| (Disclosure: I work on Mozilla Monitor, where we try to help
| people send these data deletion requests.)
|
| [1] https://www.telesign.com/robots.txt
|
| [2] https://www.telesign.com/privacy-requests
| vanillax wrote:
| is there no tool or app or ai agent that cant just automatically
| request your data to be deleted?
| freeAgent wrote:
| AI tools tend to ignore noindex, etc. when scraping training
| data, so finding data removal request forms may be a great use
| case for AI!
| nothrowaways wrote:
| My kids are having a hard time deleting their Snapchat account.
| dpoloncsak wrote:
| I'm not in support of the practice laid out in the article, but
| we're talking about robots.txt, right?
|
| I guess it was written for a less technical audience, but it
| makes it seem like they have JS or 'code' was specifically
| written to hide these from web crawlers.
|
| It makes more sense, in context, that companies _could_ be
| unaware. Sure, a 'noindex' doesn't just show up, but how many
| were old configs disallowing *, and only allowing indexing on a
| few sites
|
| Edit: I didn't see the screenshot section. Most (of the few I
| spot-checked) are, in fact, noindex. I stand corrected
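
The distinction Vinnl and dpoloncsak discuss above (a robots.txt rule versus a per-page noindex tag), as an added example that is not part of the thread: a small Python audit that reports which mechanism keeps an opt-out page out of search results. `audit_page` is a hypothetical helper, and the URL, HTML and robots.txt samples are constructed; only the meta tag is taken from the comment above.

```python
"""Report how an opt-out page is hidden from search engines (added example)."""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

HIDE = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"


class _RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"> and bot-specific variants."""
    BOT_NAMES = {"robots", "googlebot", "bingbot"}

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() in self.BOT_NAMES:
            self.directives.update(
                d.strip().lower() for d in a.get("content", "").split(",") if d.strip())


def audit_page(url, html, robots_txt="", headers=None, agent="Googlebot"):
    """Return the mechanisms hiding `url`: meta tag, HTTP header, robots.txt."""
    findings = []
    meta = _RobotsMeta()
    meta.feed(html)
    if meta.directives & HIDE:
        # Invisible in robots.txt: only fetching the page itself reveals it.
        findings.append("meta-noindex")
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            # Tokens may carry a bot prefix, e.g. "googlebot: noindex".
            tokens = {t.split(":")[-1].strip().lower() for t in value.split(",")}
            if tokens & HIDE:
                findings.append("header-noindex")
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # A blocked crawler never fetches the page, so it never sees a meta tag.
        findings.append("robots-disallow")
    return findings


# Constructed samples (placeholder domain, not any company's real files).
URL = "https://broker.example/privacy-requests"
PAGE_WITH_META = """<html><head><title>Data Deletion</title>
<meta name="robots" content="noindex, nofollow"></head><body>form</body></html>"""
PLAIN_PAGE = "<html><head><title>Data Deletion</title></head><body>form</body></html>"
ROBOTS_SILENT = "User-agent: *\nDisallow: /wp-admin/\n"      # page not listed
ROBOTS_BLANKET = "User-agent: *\nAllow: /blog\nDisallow: /\n"  # old allow-list style

if __name__ == "__main__":
    print(audit_page(URL, PAGE_WITH_META, ROBOTS_SILENT))
    print(audit_page(URL, PLAIN_PAGE, ROBOTS_BLANKET))
    print(audit_page(URL, PLAIN_PAGE, ROBOTS_SILENT, {"X-Robots-Tag": "noindex"}))
```

The first sample mirrors the case in Vinnl's comment: robots.txt says nothing about the page, so an audit that reads only robots.txt would miss it.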
___________________________________________________________________
(page generated 2025-08-13 23:01 UTC)