
Digital Privacy Audit Checklist 2026

A complete digital privacy audit checklist for 2026. Secure your accounts, browser, devices, and online presence with this actionable step-by-step guide.

Most people have accumulated years of digital footprint without ever auditing it. Old accounts, weak passwords, browser data leaks, apps with excessive permissions — it all adds up to a significant privacy and security exposure. This checklist walks you through a complete digital privacy audit you can do in a weekend. Work through it section by section; each completed item meaningfully reduces your attack surface.

Section 1: Account Security

Check for breached credentials. Go to haveibeenpwned.com and enter every email address you use. If any appear in known data breaches, change those passwords immediately — especially if you reused the password elsewhere.

Enable two-factor authentication (2FA) everywhere. Prioritize:

  • Email accounts (Gmail, Outlook, ProtonMail)
  • Banking and financial services
  • Social media
  • Password manager (master account)
  • Domain registrars and hosting

Use Aegis Authenticator (Android) or Raivo OTP (iOS) for TOTP codes. Avoid SMS-based 2FA where possible — SIM swapping attacks make phone-number 2FA the weakest option.

Audit active sessions. Log into Google, Microsoft, Apple ID, and social media accounts and review “Active Sessions” or “Logged-in Devices.” Revoke any devices you don’t recognize or no longer use.

Delete unused accounts. Visit JustDeleteMe.xyz to find direct links to account deletion pages for hundreds of services. Old accounts you’ve forgotten about are breach liabilities.

Section 2: Password Health

Switch to a password manager if you haven’t. Bitwarden (open source, free tier excellent) or KeePassXC (fully local) are the top recommendations. Never reuse passwords across sites.

Generate new passwords for all important accounts. Use at least 20 characters, randomly generated. Your password manager should do this automatically.

Check your password manager’s breach monitoring. Bitwarden Premium and 1Password both have built-in breach monitoring that alerts you when a saved password appears in a known data breach.

Section 3: Browser Privacy

Audit browser extensions. Remove any extensions you don’t actively use. Each extension can read your browsing history and modify page content. Check permissions carefully for extensions you keep.

Install essential privacy extensions:

  • uBlock Origin — blocks ads and trackers; use medium mode for stronger protection
  • Privacy Badger — learns and blocks invisible trackers
  • LocalCDN or Decentraleyes — serves common CDN resources locally to prevent tracking

Clear stored data. Go to your browser’s Privacy settings and clear cookies, cached images, and browsing history. Set cookies to clear on browser close.

Check for DNS leaks. Visit dnsleaktest.com and run the extended test. If you see your ISP’s DNS servers listed instead of your VPN or chosen DNS provider, you have a DNS leak to fix.

Disable WebRTC (Firefox: about:config → media.peerconnection.enabled → false). WebRTC can leak your real IP address even when using a VPN.

Section 4: Device Security

Enable full-disk encryption:

  • Windows: BitLocker (Settings → Privacy & Security → Device Encryption)
  • macOS: FileVault (System Settings → Privacy & Security → FileVault)
  • Linux: Ensure LUKS was set up during installation

Audit app permissions on your phone. On Android: Settings → Apps → [each app] → Permissions. On iOS: Settings → Privacy & Security. Revoke location, microphone, and camera access for apps that don’t legitimately need them.

Review which apps have access to your contacts, calendar, and photos. Social apps often request broad access they don’t need. Be especially cautious with keyboard apps — a keylogger disguised as a keyboard sees everything you type.

Enable automatic updates on all devices. Most breaches exploit known vulnerabilities that were patched months before the attack. Staying current is the single most effective security measure for most people.

Check your router’s firmware. Log into your router admin panel (usually 192.168.1.1 or 192.168.0.1) and check for firmware updates. Many routers ship with outdated firmware that never gets updated.

Section 5: Data Brokers

Opt out of major data broker sites. Data brokers collect and sell your personal information — name, address, phone number, relatives, income estimates. Manual opt-outs are free but tedious. Priority targets:

  • Spokeo (spokeo.com/optout)
  • Whitepages (whitepages.com/suppression_requests)
  • BeenVerified (beenverified.com/opt-out)
  • Intelius (intelius.com/optout)
  • Radaris (radaris.com/page/how-to-remove)
  • PeopleFinder (peoplefinder.com/optout.php)

For automated removal, services like DeleteMe ($129/year) or Kanary handle ongoing removal across 100+ brokers. One-time removal isn’t sufficient — brokers re-add data from public records regularly.

Opt out of Google’s data collection. Visit myaccount.google.com/data-and-privacy and review:

  • Web & App Activity — turn off or auto-delete after 3 months
  • Location History — delete all and disable
  • YouTube History — delete and pause
  • Ad personalization — disable

Review and delete your Google search history, Maps history, and Assistant activity at myactivity.google.com.

Section 6: Email Privacy

Check email forwarding rules. In Gmail and Outlook, malicious actors who gain access often set up forwarding rules to silently copy your email. Go to Settings → See all settings → Forwarding and POP/IMAP, and verify there are no rules you didn’t create.

Use email aliases. Services like SimpleLogin (open source) or Apple Hide My Email let you create unique email aliases for each service. If one gets breached and starts receiving spam, you disable that alias without exposing your real address.

Avoid opening email tracking pixels. Install PixelBlock (Chrome) or Ugly Email to detect and block tracking pixels in email. These tiny 1×1 images tell senders when you opened an email, your IP address, and your email client.
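To show what such a pixel looks like in a message body, here is an added example (not code from this guide, and not how PixelBlock or Ugly Email work internally) that scans e-mail HTML for remote images that are 1×1 or hidden by CSS. The sample body, host names, and the heuristic itself are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a marketing e-mail (not a real message).
SAMPLE_BODY = """<html><body>
<img src="https://cdn.shop.example/banner.png" width="600" height="200" alt="Sale">
<p>Your order has shipped.</p>
<img src="https://track.mailer.example/o/abc123.gif" width="1" height="1">
<img src="https://metrics.mailer.example/open?u=42" style="display:none">
<img src="cid:logo@shop.example" width="1" height="1">
</body></html>"""

TINY = {"0", "1", "0px", "1px"}
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class PixelFinder(HTMLParser):
    """Collects (host, reasons) for remote images that are invisible to the reader."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # embedded cid:/data: images trigger no network request
        reasons = []
        if a.get("width", "").lower() in TINY and a.get("height", "").lower() in TINY:
            reasons.append("1x1 dimensions")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            self.hits.append((url.hostname, reasons))

def find_tracking_pixels(html_body):
    finder = PixelFinder()
    finder.feed(html_body)
    return finder.hits

if __name__ == "__main__":
    for host, reasons in find_tracking_pixels(SAMPLE_BODY):
        print(f"{host}: {', '.join(reasons)}")
```

The visible banner and the embedded `cid:` logo are not flagged; only the two remote, invisible images are, because fetching them is what reports the open, your IP address, and your client to the sender.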

Section 7: Network Privacy

Use a reputable VPN. Mullvad, ProtonVPN, and IVPN are the top choices for privacy — they have no-log policies that have been independently audited. Avoid free VPNs.

Configure DNS over HTTPS (DoH) or DNS over TLS (DoT). Your ISP can see every domain you visit through standard DNS. Switching to NextDNS, Quad9, or Cloudflare’s 1.1.1.1 encrypted DNS prevents this. In Windows 11: Settings → Network & Internet → Wi-Fi/Ethernet → DNS Server Assignment → Manual → enter your preferred server and enable DNS over HTTPS.

Audit connected smart home devices. Every IoT device on your network is a potential entry point. Change default passwords, enable automatic firmware updates, and consider placing IoT devices on a separate network or VLAN.

Tracking Your Audit Progress

Print or save this checklist and work through it systematically. Don’t try to do everything in one sitting — burnout leads to half-completed audits that give false confidence. Focus on the highest-impact items first: 2FA on email and banking, password manager adoption, and data broker opt-outs.

Repeat this audit every six months. The digital privacy landscape changes constantly, and a review twice a year keeps your defenses current.
