A deletion request, when it arrives in a broker's inbox, is a piece of legal correspondence dressed as an email. It cites a statute, identifies a person, and starts a clock. The clock is the part brokers respect; the rest they often do not.

Below is the actual template we send under Article 17 of the UK GDPR, lightly redacted. After it, the four responses we see in roughly nine out of ten cases, and what we do with each.

The request we send

The letter goes from a Nox Æterna address on your behalf, with you in CC where you want to be. It is short on purpose. Brokers process thousands of these; the ones their privacy team can action in under a minute get actioned first.

Subject: Article 17 UK GDPR — erasure request — [Surname], [Initial] To the Data Protection Officer, I am writing on behalf of [Full Name], DOB [YYYY-MM-DD], formerly resident at [Address line 1, Postcode], to request the erasure of all personal data your organisation holds concerning the data subject, pursuant to Article 17 of the UK General Data Protection Regulation and section 47 of the Data Protection Act 2018. Identity has been verified by Veriff (UK eIDAS-equivalent, reference VRF-XXXXXXXX). A signed authority is attached. Please confirm the verification reference is sufficient or specify, within seven days, any additional document you require. The erasure should cover, without limitation: - all profile records, derived attributes, and inferred audiences; - all marketing lists, lookup tables and shared identifiers; - any data shared with onward recipients, who must be notified of the erasure under Article 19. The statutory deadline for your response is one calendar month from receipt (Article 12(3)). Please confirm in writing once erasure is complete, including the categories of data erased and the recipients notified. Yours faithfully, Nox Æterna Ltd. — acting under written authority ico.org.uk registration ZA871402

That is the whole thing. No threats, no rhetoric, no attempt to be friendly. The letter does three jobs: it names the law, it names the person, and it removes any excuse to delay on identity grounds. Veriff has already done the eIDAS-equivalent check before we ever press send.

The clock is the part brokers respect; the rest they often do not.

Response 1: immediate compliance (about sixty per cent)

The most common reply is the dullest one. The broker's privacy desk routes the request into their existing opt-out form, runs the erasure, and emails back a confirmation within fourteen days. We get a line like "Your record has been removed from our consumer database and from our partner feeds. Reference DEL-948213."

About sixty per cent of UK-facing brokers behave this way, in our experience across the first cohort of orders. The serious data-broker industry has been through enough ICO action since 2018 that the larger names — Experian Marketing Services, CACI, Equifax — generally treat a clean Article 17 letter as a paperwork exercise. We log the reference, attach it to your evidence pack, and move on.

Response 2: partial compliance (about twenty per cent)

The second pattern is more interesting. The broker removes you from any public-facing product — the people-search page, the marketing list, the third-party feed — but quietly retains an internal dossier. The phrase to watch for is some variant of "retained for fraud-prevention purposes" or "required for our legitimate interest in maintaining accurate identity data."

Sometimes this is legitimate. The credit-reference agencies, for example, have statutory bases under the Consumer Credit Act for keeping certain records for six years. Sometimes it is not, and the broker is hoping you will not press the point. We press the point: we ask, in writing, for the specific Article 6 lawful basis, the specific recipients, and the specific retention schedule. Usually one of those questions cannot be answered, and the dossier disappears with the next reply.

Response 3: the stall (about ten per cent)

The third pattern is the most cynical. The broker asks for additional identity verification — a notarised affidavit, a utility bill from the past thirty days, a copy of your passport sent by recorded post. Each request restarts an unofficial clock in their internal queue, and each one is designed to make you give up.

Article 12(6) does let a controller ask for further information where there is reasonable doubt about identity. The key word is reasonable. A Veriff-verified eIDAS check, plus a signed authority on Nox Æterna letterhead, has already cleared that bar. We reply once, citing 12(6) and pointing out that the statutory month is not paused by unreasonable demands, and we set a fortnightly automated follow-up until the broker either complies or refuses on the record.

Response 4: outright refusal (about ten per cent)

A small minority refuse, almost always citing the carve-outs in Article 17(3): freedom of expression, legal claims, public-interest journalism, or a public-interest task. Most of these citations are weak. A people-search broker is not a journalist. A marketing-list compiler is not exercising a public-interest task. A lead-generation firm does not have a legal claim against you simply because it once sold your address.

Occasionally the refusal is legitimate — a regulated credit file, a fraud-prevention database with statutory backing, a litigation hold. In those cases we explain the position to you and stop pushing, because pushing further would be theatre. In every other case we escalate.

How we escalate

Three tools, in order of friction. First, the fortnightly follow-up, which is automated and unflinching and resolves more stalls than anything else we do. Second, a written demand letter from us, on letterhead, summarising the timeline and naming the statutory breach — Article 12 deadline missed, Article 17 ignored, Article 19 onward-notification not actioned. Third, a complaint to the Information Commissioner's Office at ico.org.uk/make-a-complaint, attaching the full correspondence trail and the broker's reference numbers.

The ICO does not fine a broker because you asked nicely. It fines them because you built a paper trail.

The ICO does not act on every complaint, and it does not act quickly when it does. But brokers know the regulator's posture, and a clean complaint file from a credible sender changes the calculation on their side. Most refusals we have escalated have been quietly reversed within sixty days, without the ICO ever needing to open a case.

What you actually receive

At the end of the process you get a PDF evidence pack with every letter sent, every reply received, every reference number issued, and a one-page summary of which brokers complied, which retained partial records under what basis, and which are still in escalation. It is dry reading, but it is the document you produce if anyone — a future employer, a divorce solicitor, an insurer — ever asks how thoroughly your record was scrubbed.

If you would rather not draft the letters, chase the replies, and read the carve-out citations yourself, Nox Æterna handles all 150+ brokers under one £89 payment. One letter format, four response patterns, one evidence pack at the end.