Your Digital Rights

Own your data

Many organizations collect and sell your personal data, often without your consent. This website makes it easy to get organizations to erase your data by automating the process of sending GDPR and CCPA erasure (right to be forgotten) requests.

Don't know where to start? Opt out of these Data Brokers.

How it works

Search.

Search for an organization using the search box above. If the organization you are looking for is not on the list, you can still send it a request by providing a contact email.

Fill in.

Fill in your name and any additional information which may help the organization to identify you in their information systems (we do not keep this information).

Send.

Click the Send button to create an Erasure Request email addressed to the relevant person at the organization you selected. The email will open up in your email application where you can review, and then send it.

It's your data, own it!

The General Data Protection Regulations (GDPR) and the California Consumer Privacy Act (CCPA) require organizations to erase personal data upon request. Organizations have a short time period to comply, otherwise they can face steep fines.

Why Your Digital Rights?

We created this free service because we believe that privacy matters, and that exercising your right to privacy should be easy. We do not collect or sell personal data.

Frequently Asked Questions

The GDPR applies to:

Organizations established within the EU who collect or process personal data (even of people located outside the EU)
Organizations established outside the EU collecting or processing personal information while providing goods or services (paid or for free) to people located within the EU
Organizations established outside the EU collecting or processing personal information while engaged in the monitoring of the behavior of people while they are in the EU

The GDPR does not apply to certain activities including law enforcement, national security, and purely for personal / household activities.

Find out more

The CCPA applies to organizations that collect consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)
Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
Derives 50 percent or more of its annual revenues from selling consumers’ personal information

Under the GDPR:

Any information relating to a person which can be directly or indirectly used to identify them. A person can be identified in a wide range of ways including name, identification number, location data or other online identifiers.

Find out more

Under the CCPA:

Personal information is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Read the definition

Under the GDPR:

The right to erasure is not absolute, and concerns data processing where consent is the legal basis for the processing. For example, data needed due to a contract, or data which is in the public interest does not fall under this definition. More specifically, the right only applies in the following circumstances:

The organization no longer needs your data. Example: after you have cancelled your gym membership, it no longer needs to keep details of your name, address, age and health conditions.
You initially consented to the use of your data, but have now withdrawn your consent. Example: you agreed to take part in a market-research study and now no longer wish to do so.
You have objected to the use of your data, and your interests outweigh those of the organization using it.
The organization has collected or used your data unlawfully. Example: it hasn’t complied with the rules on data protection.
The organization has a legal obligation to erase your data.
The data was collected from you as a child for an online service. Example: social media or a gaming app. The law gives children special protection because they may be less aware of the risks and consequences of giving their data to organizations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.

Find out more

There are certain circumstances where an organization is legally permitted to refuse to erase your data.

Under the GDPR:

When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
When the organization is legally obliged to keep hold of your data.
When keeping hold of your data is necessary for reasons of public health.
When keeping your data is necessary for establishing, exercising or defending legal claims.
When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.
If, having considered your request, the organization decides it does not need to erase your data, it must still respond to you. It should explain to you why it believes it does not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.

The organization can also refuse your request if it is, as the law states, “manifestly unfounded or excessive”.

Find out more

Under the CCPA:

Free speech or another right provided by law.
Processing for research purposes, if the deletion of personal information would render impossible or seriously impair the achievement of such research.
Processing of that personal information is necessary to protect against illegal activity or prosecute those responsible for the activity.
For complying with a legal obligation.
To perform a contract between the business and the consumer.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
Debug to identify and repair errors that impair existing intended functionality.
To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Find out more

Under the GDPR:

An organization has one month to comply with a request. The deadline can be extended to 2 additional months taking into account the complexity and number of requests. In any case, the organization must inform you of such extension within one month from the receipt of the request.

Under the CCPA:

The deadline to respond to a request is 45 days from the receipt of the consumer’s request. The deadline can be extended an additional 45 days when reasonably necessary, if the consumer is informed within the first 45 days.

Under the GDPR:

If you are unhappy with how the organization has handled your request, you should first complain to it. Having done so, if you remain dissatisfied you can make a complaint to the local Data Protection Authorities (DPA). You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first. You can download a list of DPAs here (PDF).

Under the CCPA:

If you are unhappy with how an organization has handled your request, you should first complain to it. Having done so, if you remain dissatisfied you have two options. Complain to the Attorney General or take private action.

Under the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or 20 Million Euro.

Find out more.

Under the CCPA:

The penalty for an intentional violation of the CCPA is $7,500 per incident, and for an unintentional violation $2,500 per incident. Consumers are entitled to between $100-$750 in compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach of sensitive personal information.

Find out more.

Opt out directly from your browser

Do you want better control over who has access to your personal data? Our browser extension allows you to opt out of the websites you visit with a click of a button.

Download it for Chrome Download it for Firefox

If you find this service useful, please spread the word

Donate

Your Digital Rights was created because we believe that privacy matters, and that exercising your right to privacy should be easy. That’s why we’ve made it free. Donations allow us to spend more time improving this service.

Donate Bitcoin

make a wish on our roadmap

Mission

Disclaimer: This service is provided as is, without warranty of any kind. Use of this service is entirely at your own risk. We cannot take responsibility for any direct or indirect damages resulting from the use of this service. The information provided by this service along with the content on our website related to legal matters is provided for your private use and does not constitute legal advice. If you need legal advice for a specific problem, you should consult with a licensed attorney.