If you have been online in the last decade, your words, images, and creative work have almost certainly been used to train AI models. That is not speculation — it is the documented reality of how most large language models and image generators were built. The question now is not whether it happened, but what you can do going forward to limit further exposure and reclaim some degree of control over your digital presence.
This is not a guide for extreme privacy enthusiasts who want to disappear from the internet entirely. It is a practical set of steps for ordinary people who want to make informed choices about their data and put reasonable protections in place.
Step 1: Audit Where Your Data Currently Lives
Start with a clear picture of your current exposure. Most people do not realize how widely their public posts, profile information, and published content have spread across the web. Tools like PrivacyImpact and similar data-audit services can show you which of your public social media posts and online content have been indexed and in some cases indicate whether they appear in AI training datasets.
This audit is also valuable for a simpler reason: it forces you to inventory your own digital footprint. Many people discover accounts they forgot about, old blog posts they did not realize were still indexed, or profile information that is more detailed than they intended to make public. Start here before you change any settings or install any tools.
Step 2: Enable Global Privacy Control in Your Browser
Global Privacy Control, or GPC, is a technical standard that sends a signal to websites indicating that you do not want your data sold or shared for advertising or AI training purposes. Under regulations like GDPR in Europe and the CCPA in California, websites that receive this signal are legally required to honor it — though enforcement varies and compliance is not universal.
Enabling GPC is straightforward. Browsers like Firefox support it natively in privacy settings. For Chrome, extensions like Privacy Badger can send the signal automatically. This does not stop all data collection, but it establishes a clear legal record of your preference and does prevent compliant companies from processing your data in ways you have not authorized.
Step 3: Move Sensitive Data to Local-First Applications
Cloud storage is convenient, but it means your data lives on someone else’s servers under their terms of service. For notes, documents, and photos that contain sensitive or personal information, consider switching to local-first applications — software that stores data on your own device by default rather than syncing it to a remote server.
Obsidian, for example, stores all notes as plain text files on your local drive. Anytype offers a similar approach with optional sync that uses zero-knowledge encryption — meaning the sync provider cannot read your content even if it is stored on their infrastructure. For photos, consider keeping personal images in a local folder rather than auto-uploading everything to a cloud service.
You do not need to move everything at once. Start with your most sensitive content — personal journals, financial notes, private communications — and migrate that first.
Step 4: For Creators, Use AI Poisoning Tools
If you are an artist, writer, or photographer who publishes work online, there are now tools specifically designed to make your work harder for AI scrapers to learn from effectively. Nightshade, developed by researchers, adds imperceptible modifications to images that cause AI models trained on them to generate distorted or incorrect outputs. It is a form of technical self-defense that does not change how your images look to human viewers.
For writers, similar approaches are emerging that embed statistical noise into text to degrade the quality of AI training on that content. These tools are not perfect and the AI industry is constantly developing countermeasures, but they represent a meaningful option for creators who want to actively protect their work rather than simply opt out of platforms.
Step 5: File Right to Be Forgotten Requests
Under GDPR in Europe and increasingly under state privacy laws in the United States, you have the right to request that companies delete your personal data. Applying this specifically to AI training is newer legal territory, but several companies now have explicit processes for handling these requests.
When filing a request, be specific. State that you want your data removed from AI training datasets and model weights, not just from publicly visible databases. Document every request you send and keep records of responses. If a company does not respond within the legally required timeframe — typically 30 days under GDPR — you have grounds to escalate to a data protection authority.
This process is time-consuming and success is not guaranteed, but it puts your preference on record and in many cases does result in data removal.
Step 6: Be Intentional About What You Publish Going Forward
The most effective long-term protection is reducing the amount of sensitive information you publish publicly in the first place. This does not mean going silent online — it means being deliberate. Before you post something, consider whether you would be comfortable with it appearing in an AI training dataset, because the realistic answer is that it might.
For professional content you want to share publicly, that trade-off may be acceptable. For personal details, private communications, or creative work you want to control, the safer approach is to keep it out of public channels entirely or share it through platforms with strong access controls and clear data policies.
