The Uncomfortable Truth About Data Removal Services

The data removal industry is booming. Dozens of services promise to delete your personal information from data brokers. They advertise coverage of hundreds or thousands of sites. They show dashboards full of "removals completed."

But here's the question nobody is asking: how many of those removal requests are actually sent to data brokers?

The Scale of the Problem

Consider the typical data removal service's broker list. Many include:

Dating apps like Match.com, Bumble, and Tinder
Background check companies like HireRight and Sterling
Review platforms like Yelp and Trustpilot
Real estate sites like Zillow and Redfin
Healthcare directories like Healthgrades

None of these are data brokers under California law.

California Civil Code Section 1798.99.80 explicitly excludes companies that have a "direct relationship" with the consumer whose data they hold. When you create a Match.com profile, voluntarily post a Yelp review, or consent to a background check, that company has a direct relationship with you.

Yet these companies regularly appear in "data broker removal" services.

Why This Matters: Three Real Consequences

1. Consumers Get a False Sense of Security

When a service reports "150 removals completed" and 40 of those were to non-brokers that simply ignored the request, the user thinks they're more protected than they are. The 110 actual broker removals are real — but the inflated number creates a misleading picture.

2. Legitimate Requests Get Buried

Companies receiving thousands of legally baseless removal demands may start treating all removal requests with skepticism. A well-documented, legally grounded request from a verified service gets the same treatment as a mass-blast from a service that doesn't check its list.

This is the "crying wolf" effect. The more invalid requests the industry sends, the harder it becomes for valid requests to be taken seriously.

3. It Invites Legal Pushback

Companies that are incorrectly targeted as data brokers have started pushing back. We've seen cease-and-desist letters from companies asserting — correctly — that they are not data brokers and that removal requests to them have no legal basis.

If this pattern continues, it could lead to:

Industry-wide legal challenges
Regulatory scrutiny of privacy services themselves
Companies lobbying for exemptions that could weaken actual data broker regulations

The Root Cause: No Industry Standard

The data removal industry has no compliance standard. There's no certification body, no audit requirement, no minimum legal threshold for what constitutes a "data broker."

Most services build their broker lists using one of three approaches:

Approach 1: The Kitchen Sink

Include every company that has personal data and any kind of opt-out mechanism. This maximizes the "number of brokers covered" marketing metric but includes many non-brokers.

Approach 2: Copy the Competitors

Look at what other services include and match their list. This perpetuates errors across the industry — if one service incorrectly includes dating apps, others copy it.

Approach 3: Apply a Legal Standard

Research the statutory definition in relevant jurisdictions (California, Vermont, GDPR) and verify each company against that standard. This produces a smaller but legally accurate list.

Almost no service uses Approach 3.

What a Compliance Standard Should Look Like

We believe the industry needs a minimum standard for data broker verification. Here's what we propose:

1. Statutory Basis

Every company on a removal list should be verifiable against at least one statutory definition of "data broker." In the US, the primary standard is California Civil Code Section 1798.99.80.

2. Registry Cross-Reference

California maintains an official data broker registry. Companies that meet the statutory definition are required to register. Any broker list should be cross-referenced against this registry.

3. Direct Relationship Test

Before adding any company to a removal list, apply the direct relationship test: does the company have a direct relationship with the consumers whose data it holds? If yes, it's not a data broker.

4. Regular Audits

Broker classifications should be reviewed at least quarterly. Companies get acquired, change practices, and enter or leave the broker registry.

5. Transparency

Services should publish their classification methodology and be willing to explain why any specific company is or isn't on their list.

The Competitor Landscape

We analyzed the public broker lists of five major data removal services. Here's what we found:

Service

Claims to Cover

Includes Non-Brokers?

DeleteMe	750+ sites	Some gray area sites
Incogni	180+ brokers	Focuses on brokers
Optery	600+ sites	Includes some non-brokers
Kanary	400+ sites	Unclear methodology
GhostMyData	1,500+ sources	Legally verified brokers only

Note: Our higher number reflects the inclusion of subsidiary and alias tracking — many brokers operate under multiple names. Our actual unique parent broker count after compliance verification is smaller but legally complete.

What GhostMyData Does Differently

After conducting our own compliance audit and removing 27 companies that didn't meet the legal standard, we built automated infrastructure to maintain compliance:

Daily Monitoring

Every opt-out URL in our directory is health-checked daily. Broken links are flagged, and our team updates them within 24 hours.

Weekly Classification Audits

An automated system reviews our entire directory against the statutory direct relationship test every Tuesday. Any flagged entries are reviewed by our team before any changes are made.

Legal Classification Tags

Every source in our directory is tagged with a legal classification: STATUTORY_DATA_BROKER, DIRECT_RELATIONSHIP, SERVICE_PROVIDER, GRAY_AREA, or MONITORING_ONLY. Only verified statutory data brokers receive automated removal requests.

Public Transparency

We publish our reclassification decisions and the reasoning behind them. When we removed 27 companies from our list, we wrote a full public accounting of which companies and why.

What Consumers Can Do

Ask your privacy service what legal standard they apply. If they can't answer, that's a red flag.
Check the numbers. If a service claims 500 "removals" in your first week, verify how many were from actual data brokers.
Look for transparency. Does the service publish its broker list? Can you see which specific companies it targets?
Verify against California's registry. If a company isn't registered and doesn't meet the statutory definition, removal requests to it have no legal basis.

The Path Forward

The data removal industry is young and growing fast. Like any emerging industry, it needs standards. We believe that compliance — specifically, legal verification of every company targeted for removal — should be the baseline, not the differentiator.

We're sharing our methodology not because it gives us a competitive advantage (it does), but because the entire industry benefits when every service sends legally grounded requests. More accurate requests mean higher compliance rates, better relationships with brokers, and ultimately better outcomes for consumers.

The privacy industry exists to protect consumers. It's time we held ourselves to the same standard we demand from data brokers.

Frequently Asked Questions

How do I know if a data removal service targets actual data brokers?

Ask the service what legal definition of "data broker" they use. Look for references to specific statutes like California Civil Code Section 1798.99.80 or the California Delete Act (SB 362). If they can't cite a legal standard, their broker list may include non-brokers.

What happens when a removal request is sent to a non-broker?

The company may ignore it (no legal obligation to respond), respond that they're not a data broker, or in some cases send a cease-and-desist letter to the service that sent it.

Are there federal data broker laws?

As of 2026, there is no comprehensive federal data broker law. California's Delete Act is the strongest state-level regulation. Vermont requires data broker registration. Several other states have introduced similar legislation.

How often should a broker directory be audited?

At minimum, quarterly. Companies change practices, get acquired, and enter or leave regulatory registries. GhostMyData runs daily URL health checks and weekly classification audits.

What is the California Data Broker Registry?

It's an official registry maintained by the California Privacy Protection Agency where companies meeting the statutory definition of "data broker" must register annually. The registry is publicly searchable and includes over 500 registered brokers.

The Data Broker Compliance Problem No One Is Talking About