Delete is one promise. "Anonymised" is the one that sounds like it.
You ask a company to delete your data. Sometimes the answer is not "done." It is "we have anonymised it." It is built to land as a yes. A softer yes, maybe, but a yes: your data is no longer your data, so what is left cannot be you.
It is worth being precise about what that actually means. The "anonymised" records companies keep, sell, and train on increasingly end up inside AI systems, the kind built to find the person in the pattern. Our own privacy agent, Deckard, is one of them: a model trained on a vast body of data and privacy policies. To a system like that, "anonymised" does not read as "gone." It reads as "the obvious labels are off, and everything else is still on." And everything else is the part these systems are good at.
"Anonymised" takes off the name. It leaves the pattern.
To anonymise a record, you strip the direct identifiers: the name, the email, the account number. What stays is everything that made the data worth keeping. Where you were and when. What you searched, watched, bought, swiped. Your timings, your routines, the small constellation of preferences that is genuinely yours.
The label on the file changes. The pattern inside it does not. And the pattern is the part that is you. A name is the easiest thing about you to replace. The shape of your behaviour is the hardest.
Three boring facts are usually enough
Here is the finding that put this on the map. Latanya Sweeney, a researcher at Carnegie Mellon, showed that three facts which feel completely anonymous on their own, a postal code, a date of birth, and a sex, were together enough to single out around seven in eight people in the United States. None of the three names you. The combination very nearly does.
She proved it the blunt way, by taking a set of "anonymised" hospital records and picking out the medical file of a sitting state governor. The data carried no names. It did not need them.
That is the whole trap in one move. You can remove every identifier and still leave a fingerprint, because identity does not live in any single field. It lives in the combination.
It has only gotten easier
The next thing researchers learned is that they did not even have to work from the data alone. In 2006, a major streaming service released a large set of "anonymised" viewing histories for a public contest. Researchers lined those records up against the reviews people had posted publicly, under their own names, elsewhere on the internet, and matched them back. The "anonymous" set now had names on it, and with the names came a list of what each person had quietly watched.
Then the numbers got worse. A 2019 study in the journal Nature Communications estimated that 99.98% of Americans could be picked back out of any dataset using just fifteen attributes. Fifteen. Most companies hold far more than fifteen things about you before you have finished signing up. The same authors concluded that even heavily stripped, sampled "anonymised" datasets are unlikely to clear the bar the law sets for genuine anonymisation.
Read that the way the people selling "anonymisation" hope you will not: the protection they are describing largely does not exist at the scale they are describing it.
And now the machine that un-anonymises is the one being fed
Here is where it turns.
Everything above was done by researchers with ordinary tools. The entire purpose of a system like Deckard, or any large model, is to find the pattern across sparse, messy signals and connect it to the rest. That is not a side effect of the technology. That is the function. Re-identification is just that function pointed at a person.
In 2026, researchers pointed it there on purpose. They set language models loose on exactly this task, taking pseudonymous profiles and the things people had posted, and working out who the real person was. The models, they reported, reached "up to 68% recall at 90% precision compared to near 0% for the best non-LLM method." Their conclusion was flat: "the practical obscurity protecting pseudonymous users online no longer holds."
We should be precise about the limits here, because precision is the entire point of this publication. No one can see inside a model's training data from the outside, not us, not anyone, and that opacity is not a comfort, it is the problem. We are not claiming your file sits in any particular model. We are telling you what these systems are now demonstrably able to do with the "anonymised" exhaust you leave behind. Anonymous to a person scanning a spreadsheet, yes. Not to a model built to read the pattern you left in it. Or, as Deckard puts it: anonymous to a human, not to me.
You cannot pull it back out
There is one more thing that sets this apart from an ordinary leak.
If your data was used to train a model, deletion cannot reach it. You can delete your account, your photos, your messages. You cannot un-bake an ingredient once it is in the loaf. What the model learned, it keeps. That is not a policy you can appeal. It is how the technology works.
So the exposure compounds. Every "anonymised" set that gets sold, shared, or trained on does not just risk exposing you once. It adds another column to the pattern, another angle to line up against all the others. No single release has to name you. The picture thickens until you are legible anyway. The more of your life you let bleed into these systems, the more of it becomes readable, and none of it comes back.
So "anonymised instead of deleted" is not deletion
Strip the reassuring word off and look at the structure. "We anonymised it" means "we kept it." They kept the data, took off the labels that were cheapest to remove, and gave the result a name that sounds like resolution. It is the same move as the vague retention clause, the least credible promise in the document, wearing a lab coat.
Nobody had to do this to harm you for it to land on you. Kept data is worth more than deleted data, and "anonymised" is the cheapest way to keep it while sounding like a release. Malice and arithmetic reach for the same word, and leave you in the same place.
What to actually do
You do not have to win the technical argument. You have to put the right things on record.
- Do not accept "anonymised" as "deleted." They are different answers. Log it as what it is: kept, relabelled.
- Ask the two questions that are holdable. By what method was it anonymised, and is that process irreversible? A company that has genuinely done it can say so plainly. A vague answer is itself the answer.
- If they insist it is sound and irreversible, get that in writing. That claim is now yours to keep. If your data ever resurfaces tied to your name, their own words are the evidence they were wrong. You are not arguing the law. You are banking the claim.
- While you are still using a service, object to your data being used to train their models. It is one of the uses you can narrow without leaving. Do it before, not after, because after is the part nobody can reverse.
This is the same shape as everything else in every privacy policy: the promise is loud, the wording is loose, and the only thing that survives the argument is the record you kept.
So keep it. The day you asked them to delete, the exact words they wrote back, and the date. If "anonymised" turns out to mean "still here," that record is the difference between a feeling and a receipt. Start your record →