How to Erase Your Digital Footprint With AI Coding Agents


Overview

Last week, I spent hours with an AI coding agent wiping my digital footprint.

The results: 47 data broker listings removed, 12 dead accounts deleted, 3 search results suppressed.

This is the exact step-by-step process I followed. You can do it with Claude Code, Codex, OpenCode, or any capable AI coding agent, even a powerful local model. The agent handles the research, drafts the legal requests, prioritises the breaches, and strategises the content; you just execute.

Step 1: Know What’s Visible

Before you can clean anything, you need an inventory.

Search your name, email address, and phone number on Google. Take screenshots of everything that comes up.

Then prompt your agent:

“Look at these results [paste screenshots or URLs]. Categorise them as data brokers, social media, old accounts, or articles. Arrange them by removal difficulty.”

This gives you a ranked list to work through. Data brokers are the easiest (legally required to comply); old articles are the hardest (may need content suppression instead of deletion).

Step 2: Hit Data Brokers First (Easiest Wins)

Sites like Spokeo, BeenVerified, WhitePages, and MyLife are legally required to delete your data under CCPA (California) or GDPR (Europe). You just need to send the right request.

CCPA prompt (for US-based brokers):

“Write a CCPA opt-out request to this data broker [name]. My info: [name, email, address]. Add legal references, professional tone.”

GDPR prompt (for EU-based brokers):

“Write an Article 17 GDPR erasure request to [data broker name]. Include my right to object to direct marketing under Article 21(2), which is absolute and requires immediate compliance. My info: [name, email, address].”

Copy the output and paste it into their portal or email it to their privacy address. Most respond within 30 days. Of the 47 listings I removed, the vast majority complied without pushback.

If a broker doesn’t respond within 30 days, escalate with a complaint to the relevant data protection authority. For EU brokers, use the lead supervisory authority in the country where the broker is based.

Step 3: Kill Dead Accounts

Every forum you signed up for once, every old tool you tried, every abandoned account is still holding your data. Most services make deletion intentionally harder than deactivation.

Go to justdeleteme.xyz and pick the worst offenders from your inventory.

Agent prompt:

“I want to delete my [service name] account. What are the full deletion processes, not just deactivation? How can I make sure the data is completely erased?”

The agent will walk you through the exact steps per platform. Some require emails to support, others have dark-pattern menus designed to hide the delete button. Let the agent find the path.

Step 4: Send Legal Removal Requests

Your legal basis depends on where you are:

  • California → CCPA (California Consumer Privacy Act): right to delete and right to opt out of sale
  • Europe → GDPR Article 17 (Right to Erasure / Right to be Forgotten): free, no justification needed
  • Germany → GDPR Article 17 + BDSG (Bundesdatenschutzgesetz): Germany supplements EU law with stricter local enforcement

General prompt:

“Write a GDPR Article 17 erasure request to [company name]. Include identity verification language (full name, email, address), reference Article 17(1), state that the data is no longer necessary for its original purpose, and specify a 30-day response period under Article 12(3).”

Most companies don’t contest these requests. Legal risk is real and they take it seriously, especially in Germany, where fines can reach €20M or 4% of global revenue.

Germany-Specific: What Makes It Different

Germany is Europe’s strictest privacy jurisdiction. If you’re dealing with German data brokers or companies, here’s what you need to know:

BDSG (Bundesdatenschutzgesetz): The federal data protection act supplements the GDPR. It doesn’t replace it but adds Germany-specific rules, particularly around data processing by public bodies and special categories of personal data.

DSK (Datenschutzkonferenz): The collective of Germany’s 16 state data protection authorities issues joint guidance that often goes beyond the minimum GDPR requirements. Their interpretations carry significant weight even though they aren’t legally binding.

Enforcement structure: Germany has one federal authority (BfDI, Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) plus 16 independent Landesbehörden (state data protection authorities). If a company doesn’t comply with your deletion request, you file a complaint with the Landesdatenschutzbehörde of the state where the company is headquartered.

Landesbehörden by state (key ones):

| State | Authority |
| --- | --- |
| Bayern | BayLDA (Bayerisches Landesamt für Datenschutzaufsicht) |
| Berlin | Berliner Beauftragte für Datenschutz und Informationsfreiheit |
| NRW | LDI NRW (Landesbeauftragte für Datenschutz und Informationsfreiheit NRW) |
| Hessen | Hessischer Beauftragter für Datenschutz und Informationsfreiheit |
| Baden-Württemberg | LfDI Baden-Württemberg |

Schufa: Germany’s dominant credit agency is a special case. Unlike US data brokers, Schufa has a legal basis under BDSG to hold certain data for credit scoring purposes. You can still request your data under Article 15 GDPR (right of access) and request deletion of any data they hold beyond what’s legally required. Schufa must respond within 30 days.

Prompt for Schufa specifically:

“Write a GDPR Article 15 access request to Schufa. Request all data held about me including scoring criteria and data sources. Follow up with an Article 17 deletion request for any data that is not legally required for credit scoring under BDSG.”

Template letters: German consumer protection agencies (Verbraucherzentrale) provide free Musterbriefe (template letters) for deletion requests under Article 17 DSGVO. The Berlin data protection authority (Berliner Beauftragte für Datenschutz) also offers free templates. Ask your agent to incorporate the German legal format:

“Write a formal Löschungsverlangen (deletion request) according to Art. 17 DSGVO in German. Include ‘hiermit beantrage ich die unverzügliche Löschung aller bei Ihnen über mich gespeicherten personenbezogenen Daten gemäß Artikel 17 DSGVO.’ Address it to: [company]. My info: [name, address, email].”

Werbesperrdatei: If a German company claims it cannot delete your data due to legal retention requirements, ask for a Werbesperrdatei (advertising block file) entry instead. This flags your record for suppression from marketing use while keeping only the minimum data required by law.

Step 5: If It Can’t Be Deleted, Bury It

Some content (old news articles, forum posts mirrored on archive sites) simply cannot be removed. The next best option is search result suppression.

Agent prompt:

“Using my name and profession, come up with 5 different content angles. Select the same keywords as [URL of the bad result]. Optimise it so Google ranks the new content higher.”

Publish the new content on LinkedIn, Medium, a personal site, or any platform Google trusts. It takes 2-3 months for the new pages to rank, but it works. The old result doesn’t disappear; it just falls off page one.

Step 6: Clean Up Data Leaks

Go to haveibeenpwned.com and paste your email. You’ll likely see a list of breaches you’re in.

Agent prompt:

“Look at this list of breaches [paste]. Priority order: password change, 2FA setup, or account deletion? Rank according to current risk.”

The agent cross-references the breaches with their severity and recommends an order of operations. Most people skip this step; 20 minutes of work, 10 years of protection.
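One way to make that ranking reproducible, as an added example that is not part of the original post: a triage function over breach records shaped like Have I Been Pwned breach entries (Name, BreachDate, DataClasses). The weights, the account-status fields (still_used, has_2fa, password_changed) and the sample data are assumptions of this example.

```python
from datetime import date

# Weights are assumptions of this example, not an official severity scale.
CLASS_WEIGHT = {"Passwords": 5, "Security questions and answers": 4, "Credit cards": 4,
                "Phone numbers": 2, "Physical addresses": 2, "Dates of birth": 2}

def recommend(breach, account):
    """Choose among the actions named in the prompt above."""
    if not account["still_used"]:
        return "delete account"            # remove the data instead of guarding it
    changed = account["password_changed"]  # date of last change, or None if never
    stale = changed is None or changed <= date.fromisoformat(breach["BreachDate"])
    if "Passwords" in breach["DataClasses"] and stale:
        return "change password"           # leaked credential may still be valid
    if not account["has_2fa"]:
        return "set up 2FA"
    return "no action"

def risk_score(breach, account):
    action = recommend(breach, account)
    if action == "no action":
        return 0
    score = sum(CLASS_WEIGHT.get(c, 1) for c in breach["DataClasses"])
    return score + 10 if action == "change password" else score

def triage(breaches, accounts):
    """Return (name, action, score) tuples, highest current risk first."""
    rows = [(b["Name"], recommend(b, accounts[b["Name"]]),
             risk_score(b, accounts[b["Name"]])) for b in breaches]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample data: service names are placeholders, not real breaches.
BREACHES = [
    {"Name": "OldForum", "BreachDate": "2016-05-01",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ShopSite", "BreachDate": "2021-03-15",
     "DataClasses": ["Email addresses", "Passwords", "Physical addresses"]},
    {"Name": "NewsLetterCo", "BreachDate": "2019-08-20", "DataClasses": ["Email addresses"]},
    {"Name": "MailHost", "BreachDate": "2018-01-10", "DataClasses": ["Email addresses", "Passwords"]},
]
ACCOUNTS = {
    "OldForum": {"still_used": False, "has_2fa": False, "password_changed": None},
    "ShopSite": {"still_used": True, "has_2fa": False, "password_changed": date(2020, 1, 1)},
    "NewsLetterCo": {"still_used": True, "has_2fa": False, "password_changed": None},
    "MailHost": {"still_used": True, "has_2fa": True, "password_changed": date(2022, 6, 1)},
}

if __name__ == "__main__":
    for name, action, score in triage(BREACHES, ACCOUNTS):
        print(f"{score:>3}  {name:<14} {action}")
```

An account whose password was changed after the breach date and that already has 2FA drops to the bottom of the list, so the output shows only work that still reduces risk.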

Step 7: Automate Recurring Cleanup

Data brokers re-add you. Accounts you thought were deleted resurface. New breaches happen. The cleanup is never one-and-done.

auto-identity-remove is an open-source tool that automates monthly opt-out requests to 30+ data brokers via Puppeteer. Configure your info once, schedule it with cron, and it keeps your removals current without manual effort each month.

Set it and forget it. Your future self will thank you.

Summary

| Step | Action | Time |
| --- | --- | --- |
| 1 | Inventory your digital footprint | 30 min |
| 2 | Send data broker opt-out requests (CCPA / GDPR) | 1 hour |
| 3 | Delete dead accounts | 2 hours |
| 4 | Send legal removal requests (CCPA / GDPR / BDSG) | 1 hour |
| 5 | Create suppression content | 1 hour |
| 6 | Clean up data breaches | 20 min |

The key insight: the AI agent doesn’t do the deletions for you. You still need to click send, fill forms, and verify. But it eliminates the research and writing overhead that makes privacy cleanup feel insurmountable. Any capable agent, whether Claude Code, Codex, OpenCode, or even a powerful local model, turns a weekend project into a focused afternoon.

Crepi il lupo! 🐺