Your data is being collected, sold, and breached constantly. Here are the free tools and simple habits that actually protect your privacy online — no tech degree needed.
Last month I searched for a pair of running shoes. Not on any social media platform — in a private browser tab, on a search engine I thought was reasonably private. Within 24 hours, I was seeing shoe ads on my phone, in my email sidebar, and embedded in articles I was reading about completely unrelated topics. A search I made in "private" mode followed me across devices, platforms, and contexts for days.
That experience crystallized something I'd been thinking about for a long time: online privacy in 2026 is not something you have by default. It's something you have to actively build, maintain, and defend. Every single day.
The good news? You don't need a computer science degree, a premium VPN subscription, or some paranoid off-the-grid lifestyle to meaningfully protect your privacy. You need knowledge, the right free tools, and about 30 minutes to do an initial privacy audit. This guide gives you all three.
Let's start with the uncomfortable reality. Your personal data is a commodity. It's collected, packaged, bought, sold, and traded at a scale that would have seemed dystopian twenty years ago. And most of it happens without your meaningful consent or awareness.
There are currently over 4,000 data broker companies operating globally. These aren't underground operations — they're legitimate businesses, many publicly traded, that collect and sell personal information about billions of people. They aggregate data from public records, purchase histories, social media activity, app usage, location data, and hundreds of other sources to build remarkably detailed profiles.
A typical data broker profile might include your full name, all known addresses, phone numbers, email addresses, estimated income, political affiliation, health conditions, purchasing habits, travel patterns, and social connections. Some brokers maintain profiles with over 1,500 data points per person.
The kicker? You probably agreed to all of this. Buried in terms of service agreements that would take an estimated 76 work days per year to actually read.
The tracking landscape has evolved far beyond simple cookies. In 2026, companies use browser fingerprinting (identifying you by your unique combination of browser settings, installed fonts, screen resolution, and dozens of other parameters), cross-device tracking (linking your phone, laptop, tablet, and smart TV activity into a single profile), ultrasonic beacons (inaudible sounds embedded in TV ads that your phone's apps can detect), and email tracking pixels (invisible images in emails that report when, where, and on what device you opened a message).
Most of this tracking is invisible. You don't see it happening. There's no notification. There's no cookie banner. It just happens.
As of early 2026, over 12 billion account records have been exposed in confirmed data breaches. If you've had an email address for more than a few years, the odds of your data appearing in at least one breach are extremely high.
And the breaches keep accelerating. In 2025 alone, there were over 3,200 confirmed data breaches affecting hundreds of millions of people. Healthcare data, financial records, social security numbers, biometric data — nothing is off limits.
The consequences are real. Identity theft affected over 15 million Americans in 2025 alone, costing victims an average of 200 hours and significant money to resolve. Credential stuffing attacks — where hackers use leaked username/password combinations to break into other accounts — succeed at alarming rates because people reuse passwords.
I hear this question a lot. "I have nothing to hide." Here's my response: privacy isn't about hiding. It's about control. Control over who knows what about you, how that information is used, and who profits from it.
Your data has been used to manipulate elections, deny insurance claims, reject job applications, adjust prices (yes, some companies charge different prices based on your profile), enable stalking and harassment, and facilitate identity theft.
Privacy is a fundamental right. The fact that it requires effort to maintain doesn't make it less important — it makes it more urgent.
Before you can protect your privacy going forward, you need to understand what's already out there. This is your starting point.
The first thing I recommend to anyone starting their privacy journey is checking whether their email addresses and personal information have appeared in known data breaches. This tells you exactly what's been exposed and which accounts need immediate attention.
I use the data breach checker on akousa.net for this — it searches across over 1,000 known breaches and tells you which ones include your email. It runs entirely in your browser, which means your email address isn't stored or logged anywhere. That's an important distinction. Some breach-checking services require you to create an account, sign up for email alerts, or hand over additional personal information just to tell you whether your existing information was compromised. That's counterproductive.
When you run a breach check, you'll likely see results. Don't panic. Almost everyone appears in at least a few breaches, especially if they've been online since before 2020. What matters is what you do next.
For each breach that shows up, note what type of data was exposed. Different breach types require different responses:
Email and password exposed: Change the password immediately on that service. If you used the same password anywhere else (be honest with yourself), change it everywhere. This is the most common and most dangerous type of breach because of credential stuffing.
Personal information exposed (name, address, phone): This data can be used for phishing. Be extra vigilant about unexpected calls, texts, and emails. Consider freezing your credit if financial data was also exposed.
Financial data exposed: Contact your bank or credit card company immediately. Place a fraud alert on your credit reports. Monitor your accounts closely for the next several months.
Social Security or government ID exposed: This is the most serious. Place a credit freeze with all three credit bureaus. File an identity theft report with the FTC. Consider an identity theft protection service (not a privacy recommendation I make lightly, but the risk justifies it).
Searching for yourself online sounds narcissistic. It's actually a critical privacy exercise. Search for your full name, your name plus your city, your email address, your phone number, and your username(s). You'll likely find information you didn't know was publicly available: old forum posts, data broker listings, public records, social media profiles you forgot about.
Make a list of everything you find. You'll use this as a cleanup checklist.
I know. Everyone talks about passwords. It's boring advice. But it remains the single most impactful thing you can do for your online security, and most people still aren't doing it right.
Studies consistently show that over 60% of people reuse passwords across multiple accounts. The average person has over 100 online accounts. If even one of those accounts gets breached — and statistically, several already have — every account sharing that password is compromised.
People reuse passwords because creating and remembering unique passwords for 100+ accounts is genuinely difficult. This isn't a moral failing. It's a design problem. And there's a straightforward solution.
A password manager generates, stores, and fills unique, strong passwords for every account you have. You remember one master password. The manager handles everything else.
There are excellent free options. Bitwarden is open source and widely trusted. KeePass stores everything locally if you don't want cloud sync. Most browsers now have built-in password managers that are increasingly capable.
The transition takes effort — maybe an hour or two to set up and a few weeks to gradually update accounts as you log into them — but it's the single highest-impact security improvement you can make.
When you need to create a password — for your master password, for accounts where you can't use a manager, for Wi-Fi networks — it needs to be genuinely strong. Not "strong" by the outdated standards of "at least 8 characters with a number and special character." Actually strong.
I use the password generator on akousa.net when I need a quick, strong password. It runs locally in your browser, generates passwords with the entropy you specify, and doesn't transmit anything. For your master password specifically, consider a passphrase — four or five random words strung together — which is both stronger and easier to remember than a complex string of characters.
A good password in 2026:
"What's your mother's maiden name?" This information is publicly available for most people. Same with your first pet's name, the street you grew up on, your high school mascot, and your birthday.
If a service requires security questions, treat them as secondary passwords. Give random answers and store them in your password manager. Your mother's maiden name can be "correct horse battery staple" as far as the login system is concerned.
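To make the passphrase advice and the "random answers for security questions" advice concrete, here is an added example (not a tool from akousa.net or any project named above) that generates a passphrase with Python's `secrets` module and compares its entropy with an 8-character "complex" password. The eight-word list is a constructed stand-in; a real passphrase needs a large, curated list such as the 7776-word EFF list, which is the size the comparison function assumes.

```python
import math
import secrets

# Constructed demo word list. Real use needs a large curated list; the
# comparison below assumes a 7776-word list (the EFF long list size).
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "orbit", "lantern", "velvet", "copper"]

PRINTABLE_ASCII = 94      # letters, digits and symbols on a US keyboard
EFF_LONG_LIST_SIZE = 7776


def entropy_bits(choices_per_position: int, length: int) -> float:
    """Entropy of `length` positions each drawn uniformly from `choices_per_position` options."""
    if choices_per_position < 2 or length < 1:
        raise ValueError("need at least two choices and one position")
    return length * math.log2(choices_per_position)


def generate_passphrase(wordlist, n_words: int = 5, separator: str = "-") -> str:
    """Pick words uniformly with `secrets` (never `random`); repeats are allowed on purpose."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates, which skews the distribution")
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def random_answer(length: int = 20) -> str:
    """A random 'security question' answer to store in the password manager."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength() -> dict:
    """Five words from a 7776-word list versus eight printable ASCII characters."""
    return {
        "passphrase_5_words": entropy_bits(EFF_LONG_LIST_SIZE, 5),   # about 64.6 bits
        "complex_8_chars": entropy_bits(PRINTABLE_ASCII, 8),         # about 52.4 bits
    }


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS, 4))
    print(random_answer())
    print(compare_strength())
```

The numbers only hold when every word is chosen uniformly at random by software; a passphrase you compose yourself has far less entropy than the formula suggests.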
Your browser is the primary window through which tracking happens. Configuring it properly eliminates a massive percentage of surveillance.
Not all browsers are created equal when it comes to privacy.
Firefox remains the gold standard for privacy-conscious browsing. It's open source, developed by a nonprofit, and has robust tracking protection built in. With a few configuration tweaks, it's excellent.
Brave blocks ads and trackers by default and includes built-in fingerprinting protection. It's based on Chromium, so it's compatible with Chrome extensions, but it's configured for privacy out of the box.
Safari has made genuine privacy improvements in recent years, including Intelligent Tracking Prevention. If you're in the Apple ecosystem, it's a solid choice.
Chrome is the most popular browser in the world and also made by the world's largest advertising company. You can harden it with extensions, but you're starting from a disadvantaged position.
Regardless of which browser you use, configure these settings:
Block third-party cookies. This is the single most impactful browser setting change. Third-party cookies are the primary mechanism for cross-site tracking. Every major browser now has an option to block them. Turn it on. Some sites may break slightly — that's a sign they were tracking you heavily.
Enable "Do Not Track." This is largely an honor system and many companies ignore it, but it costs you nothing and some reputable sites respect it.
Disable location sharing by default. Set your browser to ask every time a site wants your location, rather than allowing it automatically.
Clear cookies and site data regularly. Set your browser to clear cookies when you close it, or do a manual clearing weekly. This breaks persistent tracking.
Review and limit extensions. Every browser extension can see your browsing activity. Remove any you don't actively use. Check permissions on the ones you keep.
A few extensions dramatically improve your browser privacy:
uBlock Origin is a free, open-source ad and tracker blocker. It's the most efficient and effective option available. It blocks ads, trackers, malware domains, and more, while using minimal system resources.
Privacy Badger (from the EFF) learns to block invisible trackers automatically. It's a set-and-forget tool that gets smarter over time.
HTTPS Everywhere (now built into most browsers, but still useful in some cases) ensures you connect to the encrypted version of websites whenever possible.
Cookie AutoDelete automatically removes cookies from sites you've closed, preventing long-term tracking while keeping cookies for sites you actively use.
Browser fingerprinting is more insidious than cookies because you can't clear it. Your fingerprint is based on your browser version, installed plugins, screen resolution, timezone, language settings, installed fonts, hardware characteristics, and dozens of other parameters. Combined, these create a nearly unique identifier.
To reduce fingerprinting effectiveness:
Beyond your browser settings, there are additional steps to reduce tracking across your digital life.
Most marketing emails contain tracking pixels — tiny invisible images that load from a remote server when you open the email. They tell the sender when you opened the email, what device you used, your approximate location, and how many times you read it.
To block email tracking:
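As an added example that is not part of the original guide, the following Python scans the HTML body of an email and flags images that look like tracking pixels: remote images that are 1x1 or hidden, or whose URL carries a per-recipient identifier. The sample email and its domains are constructed for the demo; the heuristics are the same ones a mail client's "block remote images" setting sidesteps entirely.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; the domains are placeholders, not real senders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Big sale on running shoes!</p>
<img src="https://cdn.example-shop.test/banner.jpg" width="600" height="200" alt="Sale">
<img src="https://track.example-mailer.test/open?uid=8f3a9c&cid=42"
     width="1" height="1" style="display: none">
<img src="cid:logo-inline" width="120" height="40" alt="Logo">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (the classic invisible pixel)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def classify_image(attrs: dict) -> list:
    """Return the reasons an <img> looks like a tracking pixel (empty list = ordinary content)."""
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme.lower() not in ("http", "https"):
        return []  # cid: and data: images never contact a remote server
    reasons = []
    if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
        reasons.append("1x1 or 0x0 dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    # Query parameters that single out one recipient (names are common conventions, not a standard).
    if re.search(r"(^|&)(uid|cid|rid|mid|token|e|id)=", parsed.query, re.I):
        reasons.append("per-recipient identifier in URL")
    return reasons


def find_tracking_pixels(html: str) -> list:
    """Return (src, reasons) for every remote image that trips at least one heuristic."""
    collector = ImgCollector()
    collector.feed(html)
    return [(img.get("src", ""), classify_image(img))
            for img in collector.images if classify_image(img)]


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(src, "->", ", ".join(reasons))
```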
Your DNS (Domain Name System) queries reveal every website you visit. By default, these go to your internet service provider, who can log, sell, or share this data.
Switch to a privacy-respecting DNS provider:
Changing your DNS takes about two minutes and applies to all devices on your network if you change it at the router level. It's one of the highest-impact, lowest-effort privacy improvements available.
For more comprehensive protection, consider a network-level blocker like Pi-hole (runs on a Raspberry Pi or any Linux machine) or AdGuard Home. These block tracking requests from all devices on your network — including smart TVs, IoT devices, and apps that ignore browser-level blocking.
This is a more advanced step, but the setup guides are well-documented and the privacy benefits are substantial. Your smart TV alone may be making thousands of tracking requests per day.
VPNs are heavily marketed as the ultimate privacy tool. The reality is more nuanced.
A VPN (Virtual Private Network) encrypts your internet traffic and routes it through a server in a location you choose. This means your ISP can't see what sites you visit (they see only that you're connected to a VPN), websites see the VPN server's IP address instead of yours, and your traffic is encrypted even on public Wi-Fi.
A VPN does not make you anonymous. If you log into Google through a VPN, Google still knows it's you. A VPN doesn't prevent browser fingerprinting, cookie tracking, or any tracking that uses your login identity. A VPN doesn't protect you from malware, phishing, or bad security practices.
Think of a VPN as one layer of privacy, not a complete solution.
If you decide a VPN is right for you:
VPNs are most valuable on public Wi-Fi networks (airports, cafes, hotels), when you want to prevent your ISP from logging your browsing history, when accessing content while traveling, and when you want an additional layer of separation between your identity and your browsing.
For everyday home browsing, a VPN adds latency and may not be necessary if you've implemented the other steps in this guide. Make an informed choice based on your threat model.
The messages you send are some of the most personal data you generate. Who you talk to, what you say, when you say it — this is intimate information that deserves strong protection.
Standard SMS messages are not encrypted. Your carrier can read them, law enforcement can access them with a court order (and sometimes without one), and they can be intercepted by anyone with the right equipment. Same goes for most standard email.
End-to-end encryption means only you and the recipient can read the message. The service provider can't. Government agencies can't. Hackers who breach the server can't. The math ensures it.
Signal is the gold standard. It's open source, funded by a nonprofit, collects virtually no metadata, and the encryption protocol is the same one used by WhatsApp and others. If you can get your contacts to use Signal, do it.
WhatsApp uses the Signal protocol for end-to-end encryption of message content, but it collects significant metadata (who you talk to, when, how often) and shares it with Meta. Better than SMS; not as good as Signal.
iMessage is end-to-end encrypted between Apple devices. If both parties have iPhones, it's a solid option. If one party has Android, it falls back to unencrypted SMS.
Telegram is not end-to-end encrypted by default. Only "Secret Chats" are encrypted. Regular chats, including all group chats, are stored on Telegram's servers. This is widely misunderstood.
Standard email was designed in the 1970s without encryption. Adding encryption after the fact is possible but awkward.
ProtonMail provides end-to-end encrypted email when both parties use ProtonMail, and encrypted-at-rest storage for all email. The free tier is generous.
Tutanota (now Tuta) is another encrypted email provider with a free option.
For existing email accounts, you can use PGP encryption, but it requires your contacts to also set it up. In practice, most people find this too friction-heavy for regular use.
Social media platforms are the largest voluntary surveillance systems ever created. We post our locations, relationships, opinions, photos, and daily activities for companies whose business model is selling our attention and data to advertisers.
I'm not going to tell you to delete all social media. That's impractical for most people. Instead, let's lock it down.
Go to Settings > Privacy and review every single option. Key changes:
That last one is crucial. Off-Facebook Activity shows you exactly which companies are sending Facebook data about your activity on their websites and apps. The list is usually shocking.
Google processes over 8.5 billion searches per day. Each one is logged, associated with your profile, and used to build an advertising profile that follows you across the internet. Your search history is one of the most intimate datasets that exists about you.
DuckDuckGo doesn't track you, doesn't build a profile, and doesn't show personalized results. The search quality has improved significantly and is now adequate for most queries.
Brave Search builds its own index (rather than relying on Bing or Google) and doesn't track users. It's newer but improving rapidly.
Startpage provides Google results without the Google tracking. If you want Google-quality results with privacy, this is a good compromise.
Searx/SearXNG is an open-source metasearch engine you can self-host. It queries multiple search engines and returns results without tracking.
Set your preferred private search engine as the default in your browser. The adjustment period is about a week. You'll occasionally need to prefix a search with "!g" (DuckDuckGo's bang syntax for Google) for specific queries, but this becomes rare as you adjust.
Your search history is nobody's business but yours.
Cookies are small files websites store on your computer. Some are essential (keeping you logged in, remembering your cart). Many are surveillance tools that track you across the web.
First-party cookies come from the site you're visiting. These are usually functional — login sessions, preferences, shopping carts. Most are harmless and necessary.
Third-party cookies come from domains other than the site you're visiting. These are almost exclusively used for tracking. When you visit a news site and a cookie from Facebook, Google, or an ad network is set — that's a third-party cookie tracking your browsing across the web.
Those GDPR cookie consent banners are supposed to give you control. In practice, most are designed to make "Accept All" the easiest option and "Reject" as difficult as possible. This is a dark pattern, and it's been challenged in court multiple times.
Despite the frustration, these banners exist because regulations like GDPR and CCPA give you legal rights over your data. Exercise them. The 10 seconds it takes to reject non-essential cookies is 10 seconds well spent.
Passwords alone are not enough. Two-factor authentication adds a second verification step that makes your accounts dramatically harder to compromise, even if your password is leaked.
SMS codes: A code sent to your phone via text message. This is the weakest form of 2FA because SMS messages can be intercepted through SIM swapping (where an attacker convinces your carrier to transfer your number to their SIM). It's still better than no 2FA, but avoid it for critical accounts.
Authenticator apps: Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes on your device. These are significantly more secure than SMS because the secret that produces the codes never leaves your device, so there is nothing for a SIM swap or an intercepted text message to capture.
Hardware security keys: Physical devices like YubiKeys that must be present to log in. This is the most secure form of 2FA available. Major services including Google, Microsoft, and GitHub support them.
Passkeys: The newest option, passkeys are cryptographic credentials stored on your device and unlocked with its biometric check (fingerprint or face) or PIN. They're phishing-resistant because each passkey is bound to the site it was created for, and they're increasingly supported across the web.
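To show what an authenticator app actually computes, here is an added example (not code from any authenticator or from this guide) implementing the RFC 6238 time-based one-time password algorithm that Google Authenticator and similar apps use, plus a verifier that tolerates one 30-second step of clock drift and a generator for the printable backup codes discussed below. The test secret is the one published in RFC 6238; `new_secret` and `backup_codes` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# ASCII "12345678901234567890" in base32: the shared-secret test vector from RFC 6238.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32: str, for_time=None, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated to `digits` digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if for_time is None else for_time
    counter = int(now) // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, now=None, window: int = 1) -> bool:
    """Accept the current code or one within +/- `window` steps; compare in constant time."""
    now = time.time() if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def new_secret(length_bytes: int = 20) -> str:
    """Fresh base32 secret for enrolling a device (this is what the QR code encodes)."""
    return base64.b32encode(secrets.token_bytes(length_bytes)).decode()


def backup_codes(count: int = 10) -> list:
    """One-time backup codes to print and store offline, never reused and never in a plain file."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]


if __name__ == "__main__":
    print("code at T=59:", totp(RFC6238_TEST_SECRET, 59))   # 287082 per RFC 6238
    print("current code:", totp(new_secret()))
    print("backup codes:", backup_codes())
```

Because the secret is all an attacker needs to mint valid codes, the QR code or base32 string shown at enrollment deserves the same care as a password.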
At minimum, enable 2FA on your email accounts (this is your identity — if someone controls your email, they can reset every other password), financial accounts (banking, investment, payment apps), social media accounts, cloud storage (Google Drive, Dropbox, iCloud), and your password manager.
A service like akousa.net's privacy tools can help you audit your security setup and generate the strong backup codes you should store separately.
When you enable 2FA, most services provide backup codes for situations where you can't access your second factor (lost phone, hardware key failure). Print these out and store them in a physically secure location. Do not store them in an unencrypted digital file. If you lose access to your 2FA method and don't have backup codes, recovering your account ranges from difficult to impossible.
If you have children, their privacy needs are even more critical because the data collected during childhood can follow them for their entire lives.
Children are increasingly targeted by data collection. Social media platforms, educational apps, gaming platforms, and even toys with internet connectivity collect data about children. This data can shape the advertising they're exposed to, influence their self-image, and create digital footprints they never consented to.
The Children's Online Privacy Protection Act (COPPA) in the US and similar laws globally provide some protection, but enforcement is inconsistent and many platforms find workarounds.
Privacy laws have expanded significantly in recent years. Understanding your rights gives you concrete tools to control your data.
If you're in the EU, or if a company processes EU residents' data, the General Data Protection Regulation gives you the right to access all data a company holds about you, request deletion of your data ("right to be forgotten"), port your data to another service, object to automated decision-making, and withdraw consent at any time.
Companies must respond to these requests within 30 days. They cannot charge a fee in most cases. If they fail to comply, you can file a complaint with your national data protection authority.
California residents have similar rights under the California Consumer Privacy Act and its successor, the California Privacy Rights Act. You can opt out of the sale of your personal information, request deletion of your data, know what categories of data are collected, and not face discrimination for exercising privacy rights.
Many other jurisdictions have enacted or are developing privacy legislation. Brazil's LGPD, Canada's PIPEDA, and Australia's Privacy Act all provide varying levels of protection. India's Digital Personal Data Protection Act, enacted in 2023, covers over a billion people.
Your email address is the skeleton key to your digital identity. It's how you log into services, receive password resets, and verify your identity. Protecting it deserves dedicated attention.
Instead of giving your real email address to every service, website, and newsletter, use aliases that forward to your primary inbox. This way, if a service gets breached or sells your data, only the alias is exposed. You can disable the alias without affecting your real email.
SimpleLogin (now part of Proton) and AnonAddy both offer free tiers that are more than adequate for most people.
At minimum, maintain separate email addresses for critical accounts (banking, government services), general online accounts (social media, shopping), newsletters and sign-ups (anything likely to be spammed), and throwaway purposes (one-time downloads, trial accounts).
This compartmentalization limits the damage from any single breach or data leak.
Data breaches happen continuously. Check your email addresses against breach databases periodically — at least quarterly. Tools like the data breach checker on akousa.net make this a 30-second process. If your email appears in a new breach, you'll know exactly which account was compromised and can take targeted action.
Your phone and computer settings have a significant impact on your privacy.
Your phone is probably the biggest privacy liability you own. It knows where you are at all times, which apps you use, who you talk to, and what you do online.
For iPhone users:
For Android users:
You've read the guide. Now let's turn it into action. Here's a checklist you can complete in about 30 minutes. Do it today. Not tomorrow. Today.
That's your baseline. Thirty minutes, and you've dramatically improved your privacy posture. Is it perfect? No. But you've closed the biggest gaps, and you can build from here.
Long-term privacy is about habits, not one-time fixes. Here are the practices that make the biggest difference over time.
Before posting anything online — a photo, a check-in, an opinion — ask yourself: "Am I comfortable with this being public forever?" Because even on "private" accounts, content can be screenshotted, shared, or exposed in a breach.
Searching for medical information, legal questions, financial problems, or anything personally sensitive? Use a private browser window with a privacy-respecting search engine. Your health concerns are not ad targeting data.
When an app asks for access to your contacts, microphone, camera, or location — ask why. A flashlight app doesn't need your contacts. A calculator doesn't need your location. Deny permissions by default and grant them only when there's a clear, legitimate need.
Set a quarterly reminder to review your online accounts. Delete accounts you no longer use. Update passwords on critical accounts. Check for new breaches. Review privacy settings that may have changed in platform updates.
When a product is free and the company behind it is a for-profit business, your data is likely the product. This doesn't mean you should never use free services — but understand the trade-off and make conscious decisions.
Consider using one browser for personal logged-in activity (social media, email, banking) and a different browser for general browsing, research, and shopping. This simple separation prevents cross-context tracking.
If you've completed everything above and want to go further, here are additional steps for those with higher privacy needs.
The Tor Browser routes your traffic through multiple encrypted layers, making it extremely difficult to trace. It's slower than regular browsing, but it provides a level of anonymity that no VPN can match. Use it for genuinely sensitive browsing.
Standard cloud storage providers (Google Drive, Dropbox, iCloud) can access your files. For sensitive documents, consider Tresorit, SpiderOak, or encrypt files locally before uploading them to any cloud service.
Linux (particularly distributions like Tails or Qubes OS) offers more privacy control than Windows or macOS. Tails runs from a USB drive and routes all traffic through Tor. Qubes OS isolates different activities in separate virtual machines.
These are not necessary for most people. But if your threat model includes sophisticated adversaries, they're worth investigating.
Cash is private. Digital payments are not. Credit card transactions create detailed records of where you go and what you buy. If payment privacy is important to you, use cash where possible and consider prepaid cards for online purchases.
Privacy is not a destination. It's an ongoing practice. The technologies used to track you will continue to evolve, and your defenses need to evolve with them.
But here's what I want you to take away from this guide: you are not powerless. The tools exist. The knowledge is available. The legal frameworks, while imperfect, are improving. And every step you take — from checking for breaches to blocking third-party cookies to using a password manager — meaningfully reduces your exposure.
You don't have to do everything at once. Start with the 30-minute audit. Build the daily habits. Add layers over time. Each improvement compounds.
Your personal data is exactly that — personal. It belongs to you. Not to data brokers. Not to advertising networks. Not to companies who buried the terms in a 47-page privacy policy. To you.
Take it back.
For continued learning and tool access:
The internet doesn't have to be a surveillance machine. With the right knowledge and tools, it doesn't have to be one for you.