Privacy Audit Checklist 2026: 25 Things to Do This Weekend
A weekend of focused privacy work can dramatically improve your security and privacy posture. Most readers can complete the top 10 actions in 2-4 hours. The full 25 takes a focused weekend.
Pick the actions that match your threat model (see our threat modeling guide). Skip the ones that don’t apply.
TL;DR — top 10 highest-impact actions
If you only do 10 things, do these (rough impact ranking):
- Move every account to a password manager
- Enable hardware 2FA (YubiKey) on email + bank
- Audit and close unused online accounts
- Set up encrypted backups of critical data
- Replace ISP DNS with DoH (Cloudflare or Mullvad)
- Switch to a privacy-focused browser (Brave, Mullvad Browser, or arkenfox Firefox)
- Configure phone privacy settings (location, ad ID, etc.)
- Set up email aliases (Hide My Email, SimpleLogin, AnonAddy)
- Audit and minimize app permissions on phone
- Switch to encrypted messaging where possible (Signal)
Most readers can complete these in 2-4 hours, and the benefit compounds: every later signup, login and backup inherits the better defaults.
The full 25-item audit
Category 1: Identity and accounts (5 actions)
1. Audit your “Have I Been Pwned” presence.
Go to haveibeenpwned.com. Enter every address you use (primary, work, old ones you still log in with). For each breach listed:
– Change the password for that account
– Check whether that password was reused anywhere else and change it there too; reused credentials are exactly what credential-stuffing attacks count on
Then subscribe to HIBP's notifications once, so future breaches reach you without re-checking.
Time: 30-45 minutes.
2. Install and migrate to a password manager.
If you don’t have one: Bitwarden free is the right choice for most.
- Install Bitwarden browser extension and mobile app
- Export passwords from your browser to CSV (in the browser's password settings; Chrome and Firefox both offer an Export option)
- Import the CSV into Bitwarden
- Verify all passwords transferred
- Delete the CSV export securely: it is plaintext, and it now holds every password you own
- Disable browser password saving going forward and clear the passwords still stored in the browser
Time: 60-90 minutes for first-time migration.
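The two checks from items 1 and 2 (is this password in a known breach, and is it reused anywhere) can be run mechanically against the export before you delete it. The following is an added example, not code from the original page or from Bitwarden or HIBP: it reads a CSV in the layout I assume Bitwarden's plain export uses, reports reuse and short passwords, and looks each password up in Pwned Passwords with the k-anonymity range API, which sends only the first five hex characters of the SHA-1 hash. The sample rows, the range response and its count are constructed; `fetch_range_live` does the real request.

```python
"""Added example (not from the original page): audit a password-manager CSV
export for reused or short passwords and check each password against Have I
Been Pwned's Pwned Passwords range API using k-anonymity, so the full hash
never leaves your machine. The CSV layout assumed is Bitwarden's plain CSV
export; the sample rows and the range response below are constructed."""
import csv
import hashlib
import io
import urllib.request
from collections import defaultdict

# Constructed sample in Bitwarden CSV export layout (assumed column names).
SAMPLE_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Example Bank,,,0,https://bank.example,alice,Tr0ub4dor&3,
,,login,Old Forum,,,0,https://forum.example,alice,Tr0ub4dor&3,
,,login,Shop,,,0,https://shop.example,alice@example.com,correct horse battery staple,
,,login,Webmail,,,0,https://mail.example,alice,password,
"""

# Constructed stand-in for the range API: the suffix of SHA-1("password")
# with a made-up count, plus one unrelated suffix. A real response holds
# hundreds of "SUFFIX:COUNT" lines for the requested 5-hex-char prefix.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n",
}


def load_logins(csv_text):
    """Return (name, password) for every login row with a non-empty password."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["name"], r["login_password"]) for r in rows
            if r.get("type") == "login" and r.get("login_password")]


def find_reused(entries):
    """Map each password used by more than one entry to those entry names."""
    by_password = defaultdict(list)
    for name, password in entries:
        by_password[password].append(name)
    return {p: names for p, names in by_password.items() if len(names) > 1}


def find_short(entries, min_len=12):
    """Names of entries whose password is shorter than min_len characters."""
    return [name for name, password in entries if len(password) < min_len]


def sha1_split(password):
    """Split the upper-case SHA-1 hex of the password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; ignore padding rows."""
    counts = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Real lookup: GET https://api.pwnedpasswords.com/range/<prefix>.
    Add-Padding asks the API to pad responses so their size doesn't hint at
    which prefix was requested."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "privacy-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix):
    """Offline stand-in for fetch_range_live using the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def pwned_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in Pwned Passwords (0 if never)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit(csv_text, fetch_range=fetch_range_offline, min_len=12):
    """Combine the three checks into one report keyed by finding type."""
    entries = load_logins(csv_text)
    pwned = {name: pwned_count(pw, fetch_range) for name, pw in entries}
    return {
        "reused": find_reused(entries),
        "short": find_short(entries, min_len),
        "pwned": {name: n for name, n in pwned.items() if n},
    }


if __name__ == "__main__":
    # Pass fetch_range_live to check a real export; delete the CSV afterwards.
    for kind, findings in audit(SAMPLE_EXPORT).items():
        print(kind, findings)
```

Run `audit(open("export.csv").read(), fetch_range_live)` against a real export to hit the API; the five-character prefix is all that leaves your machine, and matching the suffix happens locally.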
3. Enable 2FA on every account that supports it.
Priority order:
– Email (most important — controls password resets)
– Bank accounts
– Investment accounts
– Password manager itself
– Cloud storage
– Social media
– Major services
Methods (best to worst):
– Hardware key (YubiKey, FIDO2/WebAuthn): phishing-resistant, because the key signs a challenge bound to the real site's origin, so a look-alike domain gets nothing it can replay
– Authenticator app (TOTP: Aegis on Android, Raivo OTP on iOS): the code is derived from a shared secret and the clock, so a phishing page that relays it within the 30-second window still gets in; still far better than SMS
– SMS (worst, but better than nothing): codes can be intercepted by SIM-swap and SS7 attacks, and the account is then tied to a phone number you may lose
Time: 90-120 minutes for full setup.
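To see why the ranking above comes out the way it does, here is what the authenticator app in the middle tier actually computes. This is an added example, not code from the original page or from any of the apps named: HOTP and TOTP per RFC 4226/6238, checked against those RFCs' published test vectors, plus parsing of the otpauth:// URI that enrollment QR codes carry (the sample URI is constructed). The code is purely a function of a shared secret and the clock, so anyone who obtains a fresh code, by phishing or by reading the secret, can use it; a FIDO2 key never emits anything reusable.

```python
"""Added example (not from the original page): what an authenticator app
computes. HOTP (RFC 4226) is HMAC over a counter; TOTP (RFC 6238) is HOTP
with counter = floor(unix_time / 30). The secret and times below are the
RFCs' published test vectors; the otpauth URI is a constructed sample."""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

RFC_TEST_SECRET = b"12345678901234567890"  # ASCII secret from RFC 4226/6238


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter derived from the clock."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits, algo)


def verify_totp(code, key, at=None, window=1, step=30, digits=6, algo="sha1"):
    """Server side: accept codes from neighbouring steps (clock skew) and
    compare in constant time so timing doesn't leak matching digits."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(hmac.compare_digest(code, hotp(key, c, digits, algo))
               for c in range(counter - window, counter + window + 1))


def decode_base32_secret(secret):
    """Authenticator secrets are base32, often shown without '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def parse_otpauth(uri):
    """Parse the otpauth://totp/ URI that a QR code carries into key material.
    This is the whole secret: anyone who photographs the QR code has it."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": decode_base32_secret(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "step": int(params.get("period", ["30"])[0]),
        "algo": params.get("algorithm", ["SHA1"])[0].lower(),
    }


if __name__ == "__main__":
    # Constructed sample URI; JBSWY3DPEHPK3PXP decodes to b"Hello!\xde\xad\xbe\xef".
    acct = parse_otpauth(
        "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    print("current code for", acct["label"],
          totp(acct["key"], digits=acct["digits"], step=acct["step"]))
```

The `window` argument in `verify_totp` is why a code stays valid for a little over its 30-second step: a real-time phishing relay needs only that window, which is the weakness the hardware-key tier removes.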
4. Get a hardware 2FA key (YubiKey).
Buy 2 YubiKeys (~$110 for 2 5C NFC). Register both keys on each critical account in the same sitting (sites only let you add keys while logged in, and a single registered key is a lockout waiting to happen). Keep one with you, one safely stored, and save each account's recovery codes in your password manager.
Our YubiKey setup guide walks through the process.
Time: 60 minutes to register on top 10 accounts.
5. Close unused online accounts.
Use justdelete.me to find delete URLs. Go through:
– Old social media you don’t use
– Long-forgotten signup accounts
– Sites you’ve used twice in 5 years
Each closed account is one fewer place your data can leak from in the next breach, and one fewer password to maintain.
Time: 60-90 minutes for thorough cleanup.
Category 2: Email (3 actions)
6. Set up email aliases.
Pick a provider:
– Apple Hide My Email (if Apple ecosystem, included in iCloud+)
– SimpleLogin (free 10 aliases; Premium $30/year unlimited)
– AnonAddy/addy.io (cheaper standalone)
Going forward: every new service signup uses a unique alias.
Time: 15-20 minutes setup.
7. Migrate to encrypted email (if desired).
Move primary email to:
– Proton Mail ($5/mo for paid tier)
– Tuta, formerly Tutanota (€3/mo)
– Mailbox.org (€3/mo)
Full migration takes 6-12 months (slowly update each account’s email).
If you don’t want to migrate: at minimum turn off Gmail's "Smart features and personalization" settings (Gmail Settings → General), which let Google use your mail content to personalize its other products.
Time: 30 minutes for initial setup.
8. Audit email signatures and footers.
Remove personal info from email signatures that doesn’t need to be there. Phone number, home address, social handles: these go to every recipient, every forward and every mailing-list archive the message ends up in.
Time: 10 minutes.
Category 3: Browsing (4 actions)
9. Switch to a privacy-focused browser.
Pick:
– Brave (mainstream UX, ad blocking built in)
– Mullvad Browser (Tor-grade fingerprinting resistance)
– arkenfox Firefox (configurable; technical)
Time: 30 minutes for setup + migration of bookmarks.
10. Configure DNS to DoH provider.
In your device settings:
– macOS/iOS: install a Cloudflare/Mullvad/NextDNS configuration profile (the providers publish them), which applies the encrypted resolver system-wide
– Windows 11: Settings → Network & internet → your adapter → DNS server assignment → Edit → Manual, enter the provider's addresses and turn "DNS over HTTPS" on
– Linux: systemd-resolved speaks DNS-over-TLS natively (DNSOverTLS=yes in resolved.conf) but not DoH; for DoH run a local forwarder such as dnscrypt-proxy or cloudflared and point the system resolver at it
– Or set at router level for whole home
Our DoH guide walks through.
Caveat: encrypted DNS hides which names you look up from your ISP, but the ISP still sees the IP addresses you connect to and, for most sites, the hostname in the TLS handshake (SNI). Treat DoH as removing one easy log, not as hiding your browsing.
Time: 15-30 minutes.
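For readers who want to see what actually changes on the wire, here is what a DoH client sends and receives. It is an added example, not code from the original page or from any DoH provider: it builds the RFC 8484 GET form of an A query and parses a response, including the name-compression pointers real responses use. The response bytes are constructed (the address is a placeholder, not example.com's real one), the resolver URL is Cloudflare's published endpoint, and `resolve_live` is the only part that touches the network.

```python
"""Added example (not from the original page): what a DoH client sends.
RFC 8484 wraps an ordinary DNS wire-format message in HTTPS, as a GET with
the message base64url-encoded in a `dns=` parameter or as a POST body of
type application/dns-message. The response below is constructed; the
resolver URL is Cloudflare's endpoint, substitute your provider's."""
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # any RFC 8484 resolver
TYPE_A = 1

# Constructed response to an A query for example.com: header, echoed
# question, one answer whose name is a compression pointer (0xC00C) back to
# offset 12, TTL 3600, RDATA 93.184.216.34 (placeholder address).
CONSTRUCTED_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"
    + b"\x5d\xb8\xd8\x22"
)


def encode_name(name):
    """'example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype=TYPE_A):
    """Wire-format query. RFC 8484 recommends ID 0 so HTTP caches can hit;
    flags 0x0100 sets RD (recursion desired); one question, class IN."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get_url(base_url, query):
    """GET form: base64url without '=' padding in the dns= parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={param}"


def decode_dns_param(param):
    """Inverse of doh_get_url's encoding (restore padding, then decode)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg, off, max_hops=16):
    """Decode a name at offset, following compression pointers with a hop
    limit so a malicious pointer loop can't hang the parser.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 2-byte pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_id=0):
    """Return answer records as dicts; raise on ID mismatch or error RCODE."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if msg_id != expected_id:
        raise ValueError("response ID does not match query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return answers


def resolve_live(name, base_url=DOH_URL):
    """Real DoH lookup over HTTPS (the only network-touching function)."""
    req = urllib.request.Request(doh_get_url(base_url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url(DOH_URL, build_query("example.com")))
    print(parse_response(CONSTRUCTED_RESPONSE))
```

Everything inside the `dns=` parameter is what an on-path ISP used to read in cleartext on UDP port 53; with DoH it travels inside an ordinary TLS session to the resolver. The resolver itself, of course, still sees every query, which is why the choice of provider in item 10 matters.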
11. Install uBlock Origin.
Even if your browser has built-in blocking: uBlock Origin is more configurable and powerful. Free.
Configure:
– Confirm uBlock filters, EasyList and EasyPrivacy are enabled (they are by default)
– Add the annoyances lists (cookie banners, social-media widgets)
– Enable advanced user mode if you want fine control (per-site blocking of third-party scripts and frames)
Time: 5-10 minutes.
12. Configure browser extensions cleanup.
Remove extensions you don’t actively use (each one is a fingerprinting and security surface). Audit what each remaining extension can access: one with permission to "read and change all your data on all websites" can read your banking session as easily as the page it was installed for, and extensions do get sold to new owners who ship malicious updates.
Time: 15 minutes.
Category 4: Phone (4 actions)
13. Disable advertising ID (or reset it).
- iPhone: Settings → Privacy & Security → Apple Advertising → Personalized Ads (off)
- Android: Settings → Privacy → Ads → Delete advertising ID (the exact path varies by Android version and vendor; search Settings for "advertising ID")
Time: 5 minutes.
14. Disable location services for unnecessary apps.
Go through every app with location access. Most apps don’t need it. Disable for apps that have it for no legitimate reason.
Time: 30-45 minutes for thorough audit.
15. Audit app permissions broadly.
Camera, microphone, contacts, photos — check every app’s permissions.
- iOS: Settings → Privacy & Security
- Android: Settings → Apps → permissions manager
Time: 30 minutes for thorough audit.
16. Set up encrypted messaging.
Install Signal. Migrate close contacts (family, friends) to Signal. Be patient — it takes weeks to fully shift.
Time: 15 minutes setup, weeks for full adoption.
Category 5: Network (2 actions)
17. Decide on a VPN strategy.
Based on your threat model:
– For privacy purists: Mullvad (€5/mo)
– For streaming + privacy: ProtonVPN Plus ($10/mo)
– For streaming-only: NordVPN or Surfshark
– For no VPN at all (low threat model): fine
Whichever you pick, be clear about what a VPN buys: it moves the view of your traffic from your ISP and the local network to the VPN provider. It does not make you anonymous to sites you log into, and it does nothing against tracking inside the browser.
Time: 30 minutes to evaluate and sign up if applicable.
18. Audit router and home network.
- Update router firmware (and replace the router if the vendor no longer ships updates)
- Disable remote admin (WAN-side management)
- Change the default admin password (this is separate from the Wi-Fi password)
- Set a strong Wi-Fi password with WPA3 or WPA2-AES; never WEP or WPA/TKIP
- Disable WPS and, unless something in the house needs it, UPnP
- Consider router-level DoH or VPN
Time: 30-60 minutes.
Category 6: Backups and data (3 actions)
19. Set up encrypted backups.
For critical data (documents, photos, projects):
– Encrypted cloud backup (Proton Drive, Tresorit, Sync.com)
– Or encrypted local backup (Time Machine + FileVault on Mac; encrypted external drive)
Two checks before you call this done: restore at least one file from the backup to prove the process works, and store the backup passphrase or recovery key somewhere other than the device being backed up (your password manager, or a sealed printout).
Time: 60-90 minutes setup + initial backup (overnight).
20. Migrate from cloud storage you don’t trust.
If you have personal data on Google Drive or iCloud Drive that you’d rather keep private:
– Move to Proton Drive or similar
– Or encrypt-then-upload via Cryptomator, which keeps the existing provider but gives it only ciphertext
– If you stay on iCloud, turn on Advanced Data Protection so iCloud Drive is end-to-end encrypted (Apple then cannot recover the data for you, so set up a recovery contact or recovery key first)
Time: 1-3 hours depending on data volume.
21. Audit social media exposure.
- Make personal accounts private if appropriate
- Remove location data from old posts
- Delete old posts that are too revealing
- Audit “who can see your profile” settings on each platform
- Consider whether you need social media accounts at all
Time: 60-90 minutes for thorough cleanup.
Category 7: Specific privacy concerns (4 actions)
22. Set up location privacy.
- Disable Google Location History (now called Timeline) in your Google account's activity controls
- Disable Apple “Significant Locations” (if applicable)
- Audit which apps continuously track location
Time: 15 minutes.
23. Remove yourself from people-search sites.
Use a service like:
– DeleteMe (~$129/year, handles ~30 sites)
– Privacy Bee (~$179/year, more sites)
– Manual: Search “your name people search” and find sites listing you. Each has a delete process.
Time: 1-2 hours if DIY; or $130/year for DeleteMe.
24. Audit “About” pages on sites you’ve used.
Some sites publish your name, photo, work history, etc. Check Wikipedia, professional sites, alumni directories. Adjust public visibility as needed.
Time: 30 minutes.
25. Set up a privacy alert system.
Use:
– HaveIBeenPwned (free) for breach alerts
– Google Alerts for mentions of your name
– Periodic search of your name in major search engines
Time: 15 minutes setup.
Doing the audit
Weekend session approach:
Saturday morning (2-3 hours):
– Items 1-5 (identity and accounts)
– Items 6-8 (email)
Saturday afternoon (2 hours):
– Items 9-12 (browsing)
– Items 13-16 (phone)
Sunday morning (2 hours):
– Items 17-18 (network)
– Items 19-20 (backups)
Sunday afternoon (2 hours):
– Items 21-25 (audit / social / etc.)
Total: ~8 hours over a weekend.
Spread-over-month approach:
If 8 hours is too much: do 2-3 items per week. Spread across a month.
Hire help approach:
Some readers hire a “privacy consultant” or use a service like DeleteMe to handle the broad audits. Costs $200-500 but saves substantial time.
Maintenance after the audit
Monthly:
– Check HIBP for new breaches involving you
– Update important accounts’ passwords (if reused or weak)
– Review subscriptions you signed up for and may not need
Quarterly:
– Re-audit app permissions
– Update the password manager app and extension, and run its built-in report for weak, reused and breached passwords
– Check that backups are running
Annually:
– Full re-audit using this checklist
– Threat model update
– Tool stack review
Privacy is a maintenance task. Once-and-done doesn’t work.
What this audit catches
After completing the top 10:
- Most advertiser and tracker requests blocked (uBlock Origin + privacy browser), and the device advertising ID reset or removed
- Account takeover risk dramatically reduced (password manager + 2FA)
- ISP visibility into browsing reduced (DoH + privacy browser); the ISP still sees destination IPs and SNI hostnames
- Phone-level tracking minimized
- Cross-account data exposure reduced (email aliases)
After completing all 25:
- The large majority of everyday privacy exposure addressed
- Strong defense against typical adversaries (advertisers, data brokers, opportunistic cybercriminals)
- Solid foundation for further specialization if higher-threat needs arise
Disclosure
We mention specific tools (Bitwarden, YubiKey, Brave, Signal, ProtonMail, Mullvad, NextDNS, ProtonDrive, etc.) — some have affiliate programs we use, some don’t. We recommend tools based on quality and fit, not commission. See our affiliate disclosure.
Last updated 2026 Q2.