Skip to content

Digital-Footprint Literacy

The Digital Footprint of Someone Who Has Died

When a person dies, their accounts, photos, and scattered records do not simply switch off. This is a calm guide to what remains, who can act on it, and where data-protection law does and does not reach.

In short

When someone dies, their digital footprint stays online: email and social accounts, photos, subscriptions, and entries held by other companies. Under UK GDPR, personal data normally protects living people, so a relative often relies on each platform's own memorialisation, deletion, and next-of-kin policies rather than a standard data-rights request.

What stays online after a person dies

A digital footprint does not end the moment a life does. Email inboxes keep receiving messages, social profiles stay visible, cloud storage keeps the photos, and subscriptions can keep renewing until a card is cancelled. Alongside the accounts a person opened themselves sits a quieter layer: records held by other companies, including some data brokers, that may continue to list an old address, phone number, or relatives long after the person has gone.

For the people left behind, this can feel jarring. A birthday reminder arrives. A 'people you may know' suggestion surfaces a face. Understanding what actually remains is the first calm step, because each type of footprint is handled differently and by a different organisation.

It helps to separate the footprint into three rough groups, because the route to act on each one is not the same.

  • Accounts the person controlled: email, social media, cloud photos, banking and shopping logins.
  • Content others hold about them: tagged photos, comments, mentions, and entries in third-party databases.
  • Automated or commercial records: marketing lists, broker profiles, and renewing subscriptions that run on their own.

How the law treats the data of the deceased

UK GDPR and the Data Protection Act 2018 define personal data as information relating to a living individual. That single word, living, is the reason the data of someone who has died generally falls outside the core UK GDPR rights such as access and erasure. The Information Commissioner's Office (ICO) confirms that these rights belong to living people, so a relative usually cannot simply send a standard data-rights request on a deceased person's behalf and expect it to be honoured the same way.

This is not a dead end, only a different door. Several other paths can still apply: a platform's own memorialisation or account-closure policy, the terms a person agreed to in life, confidentiality and professional duties that survive death (for example around health records), and, in some cases, the separate personal data of the living relative that becomes entangled with the deceased person's records. Rules also vary by country, so the EU's GDPR member states, Turkey's KVKK, California's CCPA and others may each set their own approach to post-death data.

This article is general information, not legal advice. Bereavement administration can be legally and emotionally complex, and an estate solicitor or the relevant national regulator can give guidance for a specific situation.

  • Core UK GDPR access and erasure rights apply to living individuals, per ICO guidance.
  • A living relative's own personal data is still protected, even when it appears beside a deceased person's records.
  • Other jurisdictions may treat the deceased differently, so check the law and regulator that actually governs the account.

Practical, calm steps families can take

The most reliable route is usually the platform itself. Major services have published processes for a death: memorialising a profile so it stops appearing in active prompts, closing an account entirely, or in limited cases passing certain content to a nominated person. These typically ask for a death certificate and proof that you are entitled to act, and they sit outside the standard data-rights framework.

Reducing the commercial echo is a separate task. Subscriptions can be cancelled through the provider or the bank, and marketing contact can often be stopped by asking to be removed from a mailing list. Where a third-party company is genuinely holding records, you can ask it to stop, though you may be relying on its goodwill and its own policy rather than an enforceable erasure right, since the law here is unsettled.

Throughout, gentleness with yourself matters as much as the admin. There is no obligation to clear everything at once, and many families choose to keep a memorialised account precisely because it is a place to remember. OSINTA is a self-only tool that helps a living person see and understand their own footprint and route their own requests; it does not act for others, remove data, or monitor anyone, so for a deceased person the platforms above are the proper starting point.

  • Locate the death certificate and any proof of your authority before contacting a platform.
  • Use each service's official memorialisation or closure form rather than guessing at a generic request.
  • Cancel renewing subscriptions and ask mailing lists to stop, then revisit anything outstanding when you are ready.

Frequently asked questions

Can I send a data-erasure request for someone who has died?

Usually not in the standard way. UK GDPR rights such as erasure apply to living individuals, so the ICO's framework does not generally cover the deceased. Instead, families use each platform's own account-closure or memorialisation process, which typically requires a death certificate and proof you are entitled to act.

What is a memorialised account?

It is an account setting offered by some social platforms that keeps a profile as a place of remembrance while stopping it from appearing in active prompts like birthday reminders or friend suggestions. The exact options and eligibility depend entirely on the individual platform's policy.

Why do I still receive marketing addressed to a relative who died?

Marketing often runs from automated lists held by companies the person never directly contacted, including some data brokers. You can ask each sender or list to stop. Because the deceased's data sits outside core UK GDPR rights, this usually relies on the company's own policy rather than an enforceable demand.

Does OSINTA close accounts or remove data for someone who has died?

No. OSINTA is a self-only tool that helps a living person see and understand their own digital footprint and route their own requests. It does not act on behalf of others, remove data, or monitor anyone, so for a deceased person the relevant platforms and an estate adviser are the right route.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Understand your own footprint first

Knowing how your own data is spread makes it easier to plan ahead and to support others. Start with the basics of routing a request.

See the DSAR guideJoin the waitlist