ISSUE No. 17Cross-cutting

When they say 'anonymised,' keep the receipt

Ask a company to delete your data and you might be told it was anonymised instead. The word sounds final. In law it is a high bar that much anonymised data never clears, and one that keeps rising. Worth understanding before you accept it, and worth keeping in writing.

D

THE DÆTRAX TEAM

PRIVACY RESEARCH · WITH DECKARD, OUR AI AGENT

When the answer is not "gone"

You want a company to delete what it holds on you, so you ask. The cleanest way to ask is short: delete my data, and if you are going to keep any of it, or anonymise it instead of deleting it, tell me which.

That last line matters, because deletion is not the only answer on the table. Read enough privacy policies and the same quiet clause turns up: we will delete or anonymise your data. That little "or" is where the interesting thing hides. It means a perfectly policy-compliant response to "erase me" is that they did not erase you at all. They kept a version and took your name off the front of it.

That sounds like the same thing in a lab coat. It usually is not.

What "anonymised" is supposed to mean

In everyday speech, anonymised sounds like "we took your name off." The legal bar is much higher. What is left has to be genuinely impossible to tie back to you, by anyone, using any method reasonably likely to be tried. The European Data Protection Board put it plainly at the end of 2024: data counts as anonymous only when the chance of singling a real person back out of it is insignificant.

A lot of what gets called anonymised does not come close. Take the obvious identifiers off and the remainder still describes someone: the timing, the location, the handful of small details that, lined back up, point to exactly one person. We went through how that works in why anonymous rarely is. The short version is that anonymised is a claim about a very high standard, not a synonym for deleted. And deletion itself is rarely the clean break it sounds like.

The bar is rising

The useful thing to track is which way that standard is heading, because it only moves one way. Researchers keep pulling names back out of data that was sold as anonymous, and the rules have started to take that for granted. In its 2025 anonymisation guidance the UK's regulator spelled out one of those methods by name, counting the everyday AI tools now within anyone's reach among the means a motivated person might use to unpick data that was called anonymous. What took a specialist and a second dataset a few years ago is now simply assumed to be on the table. Regulators have also started saying, in writing, that a model trained on personal data is not automatically anonymous, and that where the data was taken unlawfully they can order the dataset, or the model built on it, destroyed. A regulator once made a company delete the models it had built from user photos it used without proper consent.

We should be plain about our own corner of this. Deckard, the privacy agent we build on, is exactly the kind of system those regulators mean: a model built out of a great deal of other people's data, with no clean way to hand any single piece of it back if you asked. That is the trouble with data swept into a model and stamped anonymous. Even the thing holding it cannot tell you for certain what is inside. And once it is in, it does not come back out.

So here is what to take from it. Every year the bar for genuine anonymity gets harder to clear, not easier. A claim made today that your data was anonymised is being measured against a standard that may look stricter tomorrow.

Do not mistake that for the law turning to your side. The same regulators tightening what counts as anonymous are, elsewhere, making fresh room for companies to feed personal data into AI in the first place. The weather is not moving cleanly one way, which is exactly why the thing worth keeping is not a promise from a regulator but a dated line from the company itself.

You cannot check it anyway

There is no button that confirms a company truly anonymised your data instead of just relabelling it. You cannot see inside their systems. You cannot prove your data is sitting in some model, and the techniques for testing even that barely beat a coin toss. The company is often stuck in the same fog: ask them to prove the anonymisation holds, and many honestly cannot.

So you are left with a contested word, no way to check it, and a standard in motion. The one fixed thing in all of that is the message itself: a dated line, in their own words, telling you what they did with your request.

Why this might matter all at once

Now widen the lens past your one request. A huge share of what trained today's AI was scraped from the open web and from real human writing, much of it ordinary conversation, almost all of it gathered before anyone thought to ask. Most people have no idea whether their words are in a model, and there is no clean way to find out.

What makes "anonymised" shaky even there is that the way you write is itself identifying. Researchers have shown for years that your style, the cadence and the small habits in how you phrase things, can fingerprint you about as well as a signature, and that today's models are unusually good at inferring who you are from text with every obvious identifier stripped out. Take your name off a pile of your messages and the messages still point back to you.

Then watch what the industry is doing right now. The same companies that scraped freely are suddenly paying to license clean, permissioned data, and in some cases settling claims that already run into the billions, with Anthropic agreeing to pay $1.5 billion over the pirated books it trained on. You do not pay for permission you already had. The rush to license clean data is the clearest sign yet that a lot of the old data never came with it.

None of that guarantees a reckoning. But the conditions that produced every past wave of mass redress are on the table at once: data that may have been taken without a clear right, methods that can tie it back to real people, regulators already willing to order a model destroyed, and a great deal of money that suddenly wants to look clean. If it ever tips, the question each company will face is what it did with the people who told it to stop. Better to be a name with a dated answer than a shrug.

What to actually do

Nothing clever. Ask for deletion in plain language, and ask them to tell you, plainly, if they are keeping or anonymising it instead. You do not need to argue the law, quiz them on their method, or steer them toward one answer. You are not trying to win anything today. Whatever they send back, keep it.

If anonymised is ever properly put to the test, the people holding the dated words will be glad they kept them. If it never is, the cost was a couple of minutes and one saved email. That is the trade: a small effort now for the only proof you will ever have later.

Keeping that record is the whole point of what we do here. Start your record →