No one can fully erase a digital footprint. But 2025 and 2026 brought the most meaningful changes to what individuals can control since GDPR took effect in 2018. California launched DROP, a one-button deletion mechanism for data brokers, and twenty US states now have comprehensive privacy laws.
Google has processed over 3.2 million URL delisting requests under the EU's right to erasure since 2014. A new problem has appeared alongside these gains. Deleted data may live on inside the weights of AI models that trained on it.
Why permanent deletion is a technical impossibility
The internet is a distributed network of caches, replicas, backups, and mirrors built for redundancy. A deleted Instagram post persists in Google's cache, on the Wayback Machine, in CDN edge servers, and on the phones of anyone who screenshotted it. Content delivery networks and database replication keep the web fast. They also make permanent deletion functionally impossible.
Facebook tracks roughly 40% of browsing time for both users and non-users. This includes privacy-sensitive domains, according to a 2022 peer-reviewed study (arXiv 2202.04131). Even after account deletion, fragments of an identity remain, pulled from other people's synced contact lists, address books, and third-party integrations. A 2023 study from the University of Konstanz concluded that "individual solutions will not fully protect our privacy" because shadow profiles are a collective problem.
Meta began training AI models on user interactions with Meta AI by default in December 2025. Users in the EU can still object under GDPR, but US users have no toggle. All that remains globally is a form to report if personal information appears in a model's output.
End-to-end encrypted Messenger and WhatsApp conversations are not accessible to Meta for training. Deleting a post does not remove the patterns that an LLM extracted during training.
Deletion removes data from a database row. It does not perform "machine unlearning" from neural network weights. Connecticut became the first US state to require disclosure of AI training on personal data. The law takes effect July 1, 2026.
The realistic goal is not invisibility. It is digital sovereignty: knowing what data exists, who holds it, and which legal tools (GDPR, CCPA, DROP) can force deletion.
Conduct a self-audit
Start by looking at yourself through the eyes of an attacker. Search for your full name, then cross-reference with old nicknames, former phone numbers, and previous email addresses. Use both Google and DuckDuckGo because results differ due to personalization bubbles. Check Yandex if you have any presence in Russian-language spaces.
Upload your most common profile pictures to Google Images, Yandex Images, and TinEye. Your face may appear on sites where you never uploaded it, scraped from social media or indexed from cached pages.
Check breach exposure. Have I Been Pwned tracks over 17.5 billion compromised accounts across 965+ breaches. If your email appears in a breach, the associated password is compromised.
Use a strong password generator and a manager like Bitwarden or 1Password to replace every reused credential. One breach compromises every account that shares the same password.
Google's "Results about you" tool lets anyone request removal of search results with personal contact info. It works globally, not just in the EU. Phone numbers, email addresses, and home addresses qualify.
Mine your email archive in Gmail, Outlook, or Yahoo for old registration confirmations. Each "welcome to" or "verify your email" result is a dormant account that still holds your data.
Audit social media and OAuth permissions
Delete dormant accounts on Facebook, Twitter/X, Instagram, and other platforms. Do not just deactivate. Deactivation hides your profile but preserves the data on the backend.
Deletion initiates an actual removal process, though platforms enforce waiting periods. Facebook gives 30 days to cancel, then takes up to 90 days to purge data from servers and backups.
Review old posts on active profiles. On Facebook, use the Activity Log to bulk-delete old posts by year. On Twitter/X, tools like TweetDelete, Redact, or Circleboom automate removal. On Instagram, check "Your Activity" then "Recently Deleted" to verify items are actually removed, not just hidden.
Revoke OAuth permissions. On Google, visit myaccount.google.com/permissions. On Facebook, go to Settings, Apps and Websites. On Twitter/X, open Settings, Security and account access, Apps.
Check GitHub (Settings, Applications, Authorized OAuth Apps) and Apple (Settings, Sign-In and Security, Sign in with Apple). Each connection is a potential data leak path.
AI training withdrawal is now a separate audit category. Incogni's 2025 Social Media Privacy Ranking found that Meta's platforms and TikTok scored worst for privacy. Discord collected the least data.
Meta set AI training on user interactions to default in December 2025, with no US refusal mechanism. LinkedIn uses user data for AI training by default, with the toggle buried in Settings, Data privacy, Data for Generative AI Improvement. Reddit licenses user content for AI training with no individual refusal mechanism. Telegram, Twitch, and Discord indicate that user data will not reach AI models.
The platforms that collect the most data are also the ones that make refusal hardest. Meta trains on user interactions with Meta AI by default and offers no US toggle. LinkedIn buried the setting three menus deep. Reddit offers no individual mechanism at all. The only platforms where user data stays out of AI training pipelines are the ones with the smallest user bases: Discord, Telegram, and Twitch.
Search engine delisting
Deleting content from a website does not remove it from search results. Indexed pages persist in Google and Bing caches until the search engine re-crawls and discovers the deletion, which can take weeks. Active delisting accelerates the process.
EU, EEA, UK, and Swiss residents can invoke GDPR Article 17 (Right to Erasure). Google received delisting requests for over 3.2 million URLs in the first five years of the program. Roughly half were approved. The majority involved sensitive personal details, not attempts to hide criminal records.
Google evaluates each request individually using human reviewers. If approved, the link is removed from EU search results but not globally. The CJEU ruled in 2019 (Google v. CNIL) that delisting is mandatory only within EU territory.
The Italian Supreme Court reaffirmed this balancing in January 2026. Approval rates vary sharply by content type. Requests involving home addresses and contact details succeed far more often than those involving professional or political information.
American courts do not recognize a general right to be forgotten. Google's "Results about you" tool works globally for personal contact information removal. California's CCPA/CPRA gives residents the right to request actual data deletion from businesses, not just delisting.
Several US news organizations now offer programs to anonymize or remove older stories. The Boston Globe (since 2021), The Oregonian, The Plain Dealer, Bangor Daily News, The Atlanta Journal-Constitution, and NJ.com (since 2025) all participate.
Data brokers, the 2026 turning point
Spokeo, Radaris, and BeenVerified aggregate and sell personal dossiers. Addresses, phone numbers, property records, estimated income, known associates. They sell to marketers, background check services, and anyone willing to pay.
Until recently, removal required contacting each broker individually. 2025 and 2026 changed this.
California's Delete Act (SB 362) launched the Delete Request and Opt-Out Platform (DROP) on January 1, 2026. Starting August 1, 2026, a single verified request through DROP instructs every registered data broker in California to delete your personal information. Brokers must process these deletion lists every 45 days.
Non-registration costs $200 per day, with an annual registration fee of $6,000. The CPPA has already fined multiple brokers (Accurate Append, Jerico, Key Marketing Advantage, Background Alert) for failure to register.
California also expanded broker disclosure requirements through SB 361, effective January 1, 2026. Brokers must now state whether they sell data to AI developers, foreign actors, or government agencies. The law also covers biometric data and mobile advertising IDs.
At least 19 states have comprehensive privacy laws as of 2026. Some counts reach 20, depending on whether Florida's narrower law qualifies. Indiana, Kentucky, and Rhode Island came into effect on January 1, 2026. Montana SB 282 (May 2025) became the first state to ban law enforcement from purchasing personal data without a warrant.
Texas settled with Meta for $1.4 billion in July 2024 over biometric data collection without consent. The state also filed a separate lawsuit against Allstate and Arity in January 2025 for selling drivers' geolocation data. That case remains in litigation.
Maryland enacted one of the strictest state laws in October 2025. Nine states formed a Consortium of Privacy Regulators for coordinated enforcement: California, Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.
Global Privacy Control (GPC) is a browser-level refusal signal. California, Colorado, and Connecticut require websites to honor it. Firefox, Brave, and DuckDuckGo support GPC natively. Enable it in your browser settings.
GDPR Article 17 applies to EU data brokers too. Controllers must comply within 30 days unless a legal exemption applies. The practical challenge is identifying which brokers hold your data.
For brokers not covered by DROP, the manual process remains. Search your name on Spokeo, WhitePages, BeenVerified, Radaris, and PeopleFinder. Locate the "Do Not Sell My Info" link. Follow each broker's process.
Re-check after 30 to 60 days because data often reappears from other sources. Paid services (DeleteMe, Incogni, Kanary, Privacy Duck) automate this across dozens of brokers and monitor for re-listing.
AI training and data permanence
A data point deleted from a database is gone. A data point used to train GPT, Claude, LLaMA, or Gemini is not. Neural networks store statistical patterns, not individual records.
Removing your data from GPT or LLaMA would require retraining the model from scratch. "Machine unlearning" techniques exist in research but have no production-grade solutions.
Public posts and forum comments may have entered Common Crawl before you deleted them. Platforms that added AI training consent to their terms (Meta, LinkedIn, Reddit) may have processed your data before you withdrew.
Connecticut (effective July 2026) requires controllers to disclose AI training use of personal data. The European Data Protection Board issued a Joint Opinion in January 2026 on the AI Act and GDPR overlap. Individuals retain the right to object to AI training under GDPR Article 21. Withdraw consent where platforms allow it.
Assume every public post will enter the next Common Crawl snapshot.
The regulatory tools of 2026 address databases, not neural networks. California's DROP can force a data broker to delete your address from a PostgreSQL table. No law can force OpenAI or Meta to subtract your writing style from a model that learned it during training. Until machine unlearning becomes practical, the only defense against AI data permanence is reducing public exposure before the next training run.
Control over invisibility
California, the EU, and 19+ US states now offer legal tools to reduce a digital footprint. DROP, GDPR's right to erasure, and GPC browser signals are enforceable mechanisms, not suggestions.
Data brokers will not honor DROP requests out of goodwill. Search engines will not delist your information without a request. AI models will not unlearn your data unless regulations compel their operators to address it.
Start small. Delete one forgotten account. Submit one data broker removal request. Enable GPC in your browser.
Check Have I Been Pwned. Replace every reused password with a unique one from a password generator. Each step narrows the surface area that brokers, advertisers, and AI developers can exploit.
