In 2025, 425.7 million accounts were breached globally – roughly 14 every second, around the clock. The average cost of a data breach in the US reached $10.22 million. And 85% of adults worldwide say they want to do more to protect their online privacy.

The gap between “want to” and “actually did” is where most people live. Not because protecting your privacy is technically difficult, but because the defaults are engineered against you. Every major platform, every ad network, and every data broker makes money from the data you passively generate. Their defaults are set to maximum collection. Your job is to push back.

Here’s how, step by step.


Step 1: Audit and Update Your Privacy Settings Everywhere

Time required: 30–60 minutes. Do it once, review annually.

Privacy settings on major platforms shift constantly. Features get quietly added, new data collection options appear, and old permissions you granted years ago remain active long after you’ve forgotten them.

Start with these:

Google Account: Go to myaccount.google.com → Data & Privacy. Review:

  • Search history (consider pausing or deleting regularly)
  • Location history – Google stores a surprisingly granular record of where you’ve been
  • YouTube watch history
  • Ad personalization – you can turn this off, though you’ll still see ads

Facebook/Instagram/Meta: Settings → Privacy Checkup. Pay attention to:

  • “Off-Facebook activity” – this is the data Meta collects about you from other websites using the Facebook Pixel tracker. You can clear this history and disconnect future tracking.
  • Who can see your posts, friend list, and biographical information
  • Connected apps – third-party apps you’ve authorized often retain access indefinitely

Twitter/X: Settings → Privacy and Safety. Review:

  • Personalization and data settings
  • Location information
  • Data sharing with advertising partners

LinkedIn: Settings → Data privacy. Check what data LinkedIn shares with third parties, and review whether your profile is publicly searchable.

One overlooked setting across all platforms: Disable “Allow apps to request your contacts” or review which apps have been granted contact list access. Your address book contains information about people who never agreed to share their data with these platforms.


Step 2: Break the Linked-Account Chain

Why this matters: one breach becomes many

Using “Sign in with Google” or “Sign in with Facebook” is convenient. It’s also a single point of failure. If that primary account is compromised – through a phishing attack, a data breach at Google’s or Meta’s infrastructure, or a forgotten linked device – every service you’ve connected to it is simultaneously accessible to the attacker.

What to do:

  • Audit which third-party apps and services are connected to your Google account: myaccount.google.com → Security → Third-party apps with account access. Revoke anything you don’t actively use.
  • Same for Facebook: Settings → Apps and Websites
  • For important accounts – banking, email, password manager, work systems – create a dedicated login with its own email and strong unique password. Never use OAuth for these.

The tradeoff is convenience. Accepting it is worth it for accounts that matter.


Step 3: Take Control of Cookies and Tracking

The scale of the problem

Third-party cookies are the backbone of the cross-site tracking industry. When you visit a news site that has Facebook’s Pixel embedded, Facebook knows you were there – even if you never clicked anything, have no Facebook account, or specifically avoided Facebook. The tracker fires on page load.

As of 2026, third-party cookies are technically dying – Google has been in the process of deprecating them in Chrome for years, and Firefox and Safari have blocked them by default for some time. But the advertising industry has responded with alternative tracking methods: first-party data partnerships, fingerprinting, and Google’s Privacy Sandbox APIs.

Practical steps:

Switch to a privacy-respecting browser: Firefox with uBlock Origin installed blocks the vast majority of tracking scripts at the network level – before they even load. Safari’s Intelligent Tracking Prevention is strong by default. Brave is built on Chromium with aggressive blocking built in.

Manage cookie consent banners properly: When you see a cookie consent banner, “Accept All” and “Reject All” are very different choices. Most browsers now allow you to set a global preference. The Global Privacy Control (GPC) signal – supported in Firefox and Brave – automatically broadcasts your opt-out preference to sites that respect it.

Use a browser extension: uBlock Origin remains the gold standard for content and tracker blocking. It’s free, open source, and actively maintained. On mobile, Firefox for Android supports extensions; Safari on iOS has content blockers available in the App Store.

A realistic tradeoff: Some websites actively break when tracking scripts are blocked – particularly media sites with complex advertising stacks. You may need to allowlist sites you trust and want to support. That’s fine. The goal is to be deliberate, not to block everything.


Step 4: Use a Password Manager and Stop Reusing Passwords

The single highest-impact action most people haven’t taken

Password reuse is the root cause of a remarkable proportion of account compromises. When a service you use suffers a data breach and your email+password combination leaks, attackers don’t just try to log into that service. They run “credential stuffing” attacks – automatically testing that same combination against hundreds of other sites: email providers, banking apps, e-commerce accounts.

The fix is simple but the implementation requires a tool: a password manager.

A password manager generates, stores, and autofills unique, randomly generated passwords for every site. You only need to remember one strong master password. The security benefit is dramatic.

Good options in 2026:

  • Bitwarden – open source, independently audited, free tier covers most users
  • 1Password – polished UI, strong security model, subscription-based
  • Proton Pass – from the Proton privacy ecosystem, good for privacy-focused users
  • KeePassXC – fully local, no cloud sync, for users who prefer to keep everything on-device

Password composition guidance (updated): Modern NIST guidance (NIST SP 800-63) has moved away from the old “8 characters with symbols” rule. The current recommendation:

  • Length over complexity – a 16-character phrase is stronger than an 8-character string of random symbols
  • No forced regular changes – changing passwords constantly encourages weaker passwords, not stronger ones
  • Check against known breach databases – good password managers do this automatically (Have I Been Pwned integration)
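To make the NIST guidance and the breach check concrete, here is an added example (not code from the article or from any of the password managers named) of the check a manager runs: the Have I Been Pwned “Pwned Passwords” k-anonymity range lookup, in which only the first five characters of the password’s SHA-1 hash ever leave your machine. The sample API responses and breach counts below are constructed for the example; the endpoint URL in the comment is the real one.

```python
import hashlib

# NIST SP 800-63B: user-chosen secrets must be at least 8 characters; it imposes no
# composition rules (symbols, mixed case) and no forced periodic rotation.
MIN_LENGTH = 8

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the SHA-1 hex digest into the 5-char prefix sent to the API and the 35-char local suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Match the suffix locally against the "SUFFIX:COUNT" lines the API returns for its prefix.

    Live lookup would be: GET https://api.pwnedpasswords.com/range/<prefix>
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0

def evaluate_password(password: str, fetch_range) -> dict:
    """Length over complexity, plus the breach-corpus check; the full hash never leaves the host."""
    prefix, _ = sha1_prefix_suffix(password)
    count = breach_count(password, fetch_range(prefix))
    long_enough = len(password) >= MIN_LENGTH
    return {"long_enough": long_enough, "breach_count": count,
            "acceptable": long_enough and count == 0}

# Constructed sample responses keyed by prefix (SHA-1("password") starts with 5BAA6);
# the suffixes other than the one for "password" and all counts are made up.
SAMPLE_RANGES = {"5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
                          "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
                          "1F1A3B2C4D5E6F708192A3B4C5D6E7F8091:17\n"}

def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4&", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, offline_fetch))
```

Replacing `offline_fetch` with an HTTP GET of the commented URL turns this into the live check; the prefix is all the server ever sees.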

Step 5: Enable Two-Factor Authentication (2FA) on Critical Accounts

What it does and why it matters

Two-factor authentication means that even if your password is compromised, an attacker still can’t log in without the second factor – typically a time-based code from an app on your phone.

Priority accounts for 2FA:

  1. Your primary email account – this is the master key to everything else, since password resets go to email
  2. Your password manager itself
  3. Banking and financial accounts
  4. Any account with payment methods stored
  5. Your phone carrier account – because SIM swapping attacks can intercept SMS codes

2FA method hierarchy (most to least secure):

  1. Hardware security key (YubiKey, Google Titan) – physically present during login, immune to phishing
  2. TOTP authenticator app (Aegis on Android, Raivo on iOS, Authy) – time-based codes generated offline
  3. SMS codes – better than nothing, but vulnerable to SIM swapping attacks; avoid for high-value accounts if alternatives exist

Enable 2FA everywhere you can. The 30 extra seconds per login is not a meaningful inconvenience compared to the alternative.


Step 6: Use a VPN on Untrusted Networks

The specific threat VPNs actually address

VPNs have been over-marketed as a general privacy solution. They are specifically excellent at one thing: preventing your network operator from seeing your traffic.

This matters in three concrete situations:

  1. Public Wi-Fi – coffee shops, airports, hotels. The Wi-Fi operator, and anyone with network access to it, can potentially see unencrypted traffic. A VPN prevents this.
  2. Your ISP – your internet service provider can see every domain you visit even when page content is encrypted, because your DNS queries reveal them. In many jurisdictions, ISPs can sell this data to advertisers. A VPN routes your DNS through its own servers, preventing this.
  3. Geo-restricted content – as covered in our GDPR bypass guide, VPNs allow you to appear to connect from a different location.

What a VPN does not do:

  • Prevent websites from tracking you via cookies once you’re connected
  • Protect against browser fingerprinting
  • Make you fully anonymous (your VPN provider still knows your real IP – which is why their logging policy matters)

Recommendation: Use a paid VPN from a provider with an independently audited no-logs policy. Free VPNs typically monetize by selling your data.


Step 7: Reduce What You Volunteer

The data you share by choice matters as much as the data collected without it

Privacy tools address passive data collection. But a significant portion of the most sensitive data companies hold about you was provided voluntarily: your phone number, your home address, your date of birth, your real name tied to an email account.

Practical reduction strategies:

  • Use aliases for non-critical signups. Services like SimpleLogin or Apple’s “Hide My Email” generate disposable email aliases that forward to your real inbox. You can receive confirmation emails and responses without exposing your real address.
  • Use a separate phone number for signups. Google Voice (US), Hushed, or similar services provide secondary numbers. This prevents your real number from being sold or used for targeted advertising.
  • Be skeptical of “optional” profile fields. A birthday field may be optional for the service but valuable for advertisers; a profile photo attached to your real name is another example. Fill in only what is actually required.
  • Check data broker listings. Sites like Spokeo, Whitepages, and hundreds of similar services aggregate and sell personal information. Services like DeleteMe or Kanary can automate opt-out requests to dozens of data brokers at once.

The 20-Minute Starting Point

If you do nothing else from this list, do these three things in the next 20 minutes:

  1. Install a password manager and create a new, unique password for your email account. This single action protects the master key to everything.
  2. Enable 2FA on your email account. Go to settings right now and turn it on. Use an authenticator app, not SMS.
  3. Check if your accounts have been breached. Go to haveibeenpwned.com, enter your email address, and see which services have leaked your data. The results are often surprising.

The rest of the steps add layers. Start with those three. The compounding effect of basic hygiene is substantial.


A Note on Realistic Threat Modeling

You don’t need to protect yourself like a dissident or a journalist unless you are one. The goal for most people is to reduce exposure to the most common and commercially motivated forms of tracking and data collection – advertising surveillance, credential stuffing attacks, and data broker aggregation.

The tools described above address exactly those threats. They require modest effort, modest cost, and they work.


Further reading: