The hundred accounts you cannot name
Try to list the online accounts you could name from memory right now. Email, the bank, the two or three you signed into this week, the handful you actually think about. You will get to perhaps a dozen. The real number, by the going estimates, is closer to a hundred: a forum from years ago, a shop you used once for a single order, a dating profile you let lapse, an app you installed for one trip and never opened again, a newsletter you joined to unlock a discount code. You did not delete any of those. You just stopped going back.
Stopping is not the same as leaving. Every one of those is still an account. The data you handed over to open it, your name, your email, a card, an address, whatever you typed in while you were using it, is sitting in that company's database tonight, exactly where you left it, doing exactly what the fine print always said it could.
Dormant is not closed
When you stop using a service, almost nothing changes on their side. Your record does not move to some quieter, safer shelf. It stays in the live database under the same retention schedule that holds everyone else, the one we took apart in the retention piece. It is shared with the same partners, swept into the same analytics, and sold onward through the same channels, if selling is what they do. An account you have not touched in five years is still a row that gets backed up, exported, and passed along. It is still a live feed into the profile other companies are assembling about you, the auction we described in the ad-tech piece. You went quiet. The data did not.
Read enough of these dormancy clauses and the pattern is consistent. Not one is written on the assumption you will come back. They are written on the assumption you won't, and that your data stays useful while you are gone. "We may retain your information after you stop using the Service" is not an oversight anyone forgot to remove. It is the design.
The company holding your data already calls it a danger
Here is the tell. The largest providers have started deleting dormant accounts themselves, and they have said plainly why. The company that runs the world's most-used inbox now erases personal accounts left untouched for two years, on the grounds that "forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised," and that "abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up." Once one is broken into, they warn, it becomes a route to identity theft or a source of spam.
Read that again, because it is a confession. The organisation holding your data is telling you that the account you forgot is the weakest door it owns: an old password, very likely reused somewhere else, with no second lock, attached to your real name. And it is the door you will never hear break. You do not use the service, so a breach of it reaches you last, if it reaches you at all.
None of this requires anyone to be a villain. A neglected account and an exploited one leave you in the same place. The small company that quietly folded, or got bought, and left your record on a server nobody patches anymore did not mean you any harm. The exposure is identical either way. Intent does not change what is sitting there with your name on it.
You cannot defend what you cannot remember
That is the deeper problem, and it is the one in the heading. Almost every piece of advice about protecting your data assumes you know where the data is. Forgotten accounts are, by definition, the part you have lost track of. You cannot object to processing you do not remember agreeing to. You cannot ask for deletion from a company whose name you could not produce if pressed. The exposure does not lift because you stopped thinking about it. It simply stops being something you can act on, and carries on being something that can act on you.
This is the one you can actually fix
Which is exactly where a forgotten account parts company with everything else we have written about. The copies already scattered across backups, brokers, and trained-in models, you cannot gather those back, and we were honest about that. But a dormant account is not a copy loose in the wild. It is your account. It has a delete button. It belongs to a company you have a direct line to and a legal right to tell to stop and to erase you. The data is reachable. The only thing between you and acting on it is that you forgot it was there.
So the work is not heroic. It is clerical, and it is winnable. For a service you have genuinely left, the clean move is to delete the account outright, close the door instead of leaving it ajar. For the ones you still half-use, object to the selling, the sharing, and the profiling, and keep the rest. Either way the leak that was running quietly in the background stops running. Tomorrow there is less of you in circulation than there was today, and one fewer unwatched door with your name on it.
Start the list
The honest obstacle here is memory, so that is where the help has to start. You cannot act on a hundred accounts you cannot name, but you do not have to summon them out of nothing. You search for a company you do remember, you add it, and the data it likely holds is worked out for you. One at a time, the vague dread of "I have no idea who has my information" turns into a list you can actually see: who holds what, and whether you have ever told them to stop.
From there it is the same loop as the rest of what we do. The request, to delete, or to halt the selling and sharing, is drafted for you, ready to send. You send it. We keep the list and log what each company writes back. We do not hold their reply, you do, because it lands in your own inbox, which is where the dated proof of "your account and its data have been deleted" belongs.
You will not remember every account you ever opened. Nobody can. But the ones you do surface, you can close for good, and the closing leaves a record. Start with the one you remembered while reading this. Start your record →