Digital Privacy Audit Checklist: What to Review, Fix, and Stop Ignoring

I did my first proper digital privacy audit after a friend had their email hacked. Not a sophisticated attack. Someone found a reused password from an old breach, tried it on Gmail, and got in. The fix would have taken 10 minutes years earlier. The cleanup took weeks. I went through my own setup that weekend, found several things I was not comfortable with, and fixed them. This is the checklist I use, written plainly for people who are not security professionals but would like to stop being careless.

Why 2026 Is a Good Time to Do This

AI has changed what attackers can do at scale. Phishing emails used to be easy to spot because they were generic and badly written. They are not anymore. AI-assisted attacks are personalised, grammatically correct, and convincingly written in the tone of whoever they are impersonating. The other shift is that data brokers now aggregate and sell personal information at a level of detail that was not economically viable five years ago. Your phone number, home address, family members’ names, employer, and daily routine are all available for purchase. That is not paranoia. It is just true.

The goal here is not perfect anonymity. That is not realistic for most people and honestly not necessary. The goal is reducing your exposure to the most common attacks without making your digital life inconvenient enough that you quietly abandon everything you improved within a month.

The Digital Privacy Audit Checklist

Passwords and account access

  • Every account has a unique password. Reusing passwords is the single highest-risk habit in digital security. One breach exposes every account that shares that password.
  • You are using a password manager. Bitwarden is free, open-source, and well-audited. 1Password is the paid option most security professionals recommend. LastPass has had enough incidents that I would not use it personally.
  • Two-factor authentication is enabled on your email, banking, and anything that holds financial or personal data. Use an authenticator app rather than SMS codes where possible. SMS can be intercepted via SIM-swapping, which is more common than most people realise.
  • You have checked haveibeenpwned.com for your email addresses within the last six months. If any of your passwords appear in a breach, change them immediately, not when you get around to it.
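As an added example (not part of the original post), this shows how the Pwned Passwords service that accompanies haveibeenpwned.com lets you check a password against the breach corpus without ever sending the password: only the first five characters of its SHA-1 hash leave your machine, and the match is done locally. The `FAKE_RANGE_API` table is a constructed offline stand-in for the service; `fetch_range` shows the real request shape for readers who want to run it live.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords range API: a 5-char hash prefix
# maps to the body the service would return for it (lines of "SUFFIX:COUNT").
# The counts and the two extra suffixes are made up for this example; only the
# middle suffix is the real remainder of the SHA-1 hash of "password".
FAKE_RANGE_API = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def split_hash(password: str) -> tuple[str, str]:
    """Return the 5-character prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix] = int(count)
    return counts


def pwned_count(password: str, fetch=FAKE_RANGE_API.get) -> int:
    """Times the password appears in the corpus; 0 if its prefix or suffix is absent.
    `fetch` maps a prefix to a range body; default is the offline table above."""
    prefix, suffix = split_hash(password)
    body = fetch(prefix)
    return parse_range(body).get(suffix, 0) if body else 0


def fetch_range(prefix: str) -> str:
    """Live lookup against api.pwnedpasswords.com (needs network; not run here)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "privacy-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")  # 3730471, then 0
```

A password manager's breach report does the same lookup for every stored entry; passing `fetch=fetch_range` switches the example from the constructed table to the live service.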

Email

  • You know what your email provider does with your data. Gmail scans email content for advertising personalisation by default. If this bothers you, Proton Mail and Fastmail are the most commonly used alternatives. If it does not bother you, at least know it is happening.
  • You use email aliasing for sign-ups to services you do not fully trust. SimpleLogin (free tier available) and Apple’s Hide My Email generate unique forwarding addresses so your real email is never exposed. This also lets you see exactly which service leaked your address when you start getting spam.
  • You actively unsubscribe from or filter email lists. An inbox full of marketing email is both a productivity problem and a security problem. Phishing often hides inside expected-looking marketing, and the more lists you are on, the more your address is sold between data brokers.

Browser and search

  • You understand what your browser sends to its maker by default. Chrome sends significant telemetry to Google. Firefox with uBlock Origin is the most commonly recommended alternative for people who want reasonable defaults without giving up too much convenience. Brave is another option if you want privacy-first defaults out of the box.
  • Your default search engine is not building a profile of your queries. DuckDuckGo and Brave Search do not store personal search histories. Startpage proxies Google results without the tracking if you want Google quality without Google surveillance.
  • You have uBlock Origin or an equivalent content blocker installed. It eliminates tracking scripts, reduces page load times, and blocks a category of malware delivery that operates through advertising networks.

Devices

  • Full-disk encryption is enabled on your main devices. On modern iPhones and Android phones this is on by default. On Windows, check that BitLocker is active. On Mac, check FileVault in System Preferences. On a laptop that gets stolen or lost, encryption is what keeps your data private.
  • You have audited app permissions on your phone recently. Location, microphone, camera, and contacts access should be reviewed and revoked where the app does not genuinely need them. Most apps request more than they need and you granted it without reading during installation.
  • Automatic updates are on for your operating system and apps. The majority of successful attacks exploit known vulnerabilities that already have patches available. Staying updated closes most of these windows. There is no good reason to delay this.

Social media and public information

  • You have reviewed privacy settings on your social accounts in the last year. Default settings on most platforms are designed for maximum data collection. A platform update can reset settings you changed previously.
  • You have Googled yourself recently. This tells you what a social engineer, a potential employer, or a data broker sees about you. It is occasionally surprising.
  • Phone numbers, home addresses, and family member names are not publicly visible on your profiles. These are the inputs for targeted phishing and social engineering.

AI tools and data sharing

  • You know which AI tools use your conversations for training and have opted out where possible. OpenAI lets you turn this off in account settings. Google’s Gemini and other tools have similar options, usually buried several levels into preferences.
  • You are not pasting sensitive data into cloud AI tools without thinking about it. This includes financial records, client information, passwords, and personal health information. If you would not email this to a stranger, do not put it in a cloud AI chat window.
  • For genuinely sensitive work, consider a local AI model. Tools like Ollama let you run capable models entirely on your own hardware. Nothing leaves your machine. If you want to know more about setting that up, I wrote about it in the home AI agent setup guide.

Where to Start If You Have Not Done Any of This

Do the password manager and 2FA first. These two things address the majority of account takeover risk, which is the most common and consequential threat most people actually face. Everything else in this list adds meaningful protection, but if you only do two things, do those two.

The items that need recurring attention (data broker opt-outs and social media privacy reviews) are worth scheduling once or twice a year rather than doing once and forgetting. Data brokers re-add information regularly, and platform settings change with product updates. Treating privacy as a recurring maintenance task rather than a one-time fix is the more realistic approach.

Common Questions

What is a digital privacy audit?

A systematic review of your accounts, devices, apps, and habits to identify where your personal data is exposed or at risk. It covers passwords, 2FA, device encryption, browser settings, social media exposure, and data broker listings. It is something most people have never done and would benefit from doing once.

How often should I do a digital privacy audit?

Once a year for a full review, with a shorter quarterly check covering password alerts, app permissions, and any accounts you have opened or closed. After a breach affecting a service you use, check and change credentials immediately regardless of schedule.

Do I actually need a VPN?

Probably not for most situations. A VPN hides your traffic from your internet provider and masks your IP address from the sites you visit. It does not protect against phishing, weak passwords, or malware, which are the things most people are actually at risk from. Where a VPN is genuinely useful: untrusted public networks (hotels, coffee shops) and situations where you do not want your ISP logging your browsing. If you do use one, Mullvad and ProtonVPN are the two most consistently recommended by people who take this seriously. The ones advertising heavily on YouTube are not always the ones with the best track record.