The Ultimate Online Privacy Checklist (2026 Edition)
Twenty concrete steps to take control of your digital privacy. Not vague advice, but specific actions with specific tools. Check each item off as you complete it. Your progress is saved locally in your browser so you can come back anytime.
Key Takeaway
Online privacy is not about doing one big thing; it is about doing twenty small things consistently. A VPN alone will not save you if you reuse passwords. A password manager will not help if your browser leaks your fingerprint to every ad network. This checklist covers all the layers. Complete them all and you will be more private than 99% of internet users.
Why Privacy Matters More Than Ever
Every time you open a browser, you generate data. Your ISP logs every domain you visit. Ad networks track you across websites using cookies, fingerprints, and pixel trackers. Data brokers compile your name, address, browsing history, and purchase patterns into profiles they sell to anyone willing to pay. In 2025, the average American had their personal data exposed in 4.3 data breaches.
I built this checklist because I got tired of vague privacy advice like "be careful online." That helps nobody. What you need is a concrete list of actions, each one reducing your attack surface by a measurable amount. I have organized them from simplest to most advanced. You do not need to do all twenty today. But every item you check off makes a real difference.
The checklist is interactive. Check items off as you complete them. Your progress is stored in your browser's localStorage; it never leaves your device (that would be ironic for a privacy guide). Come back tomorrow, next week, next month: your progress will be right where you left it.
Section 1: Browser Privacy
Use a privacy-focused browser
Chrome sends data to Google with every keystroke in the address bar. Switch to Firefox (with Enhanced Tracking Protection set to Strict) or Brave (which blocks ads and trackers by default). Both are free, open-source, and support all the same extensions as Chrome. I have been using Firefox as my daily driver for three years and have not looked back.
Install uBlock Origin
uBlock Origin is the most effective content blocker available. It blocks ads, trackers, crypto miners, and malware domains using filter lists. It is free, open-source, and uses less memory than any other ad blocker. Install it from your browser's extension store. Do not confuse it with "uBlock" (without Origin); that is a different, inferior project.
Disable third-party cookies
Third-party cookies are how ad networks track you across the internet. When you visit Site A, a cookie from AdNetwork.com is set. When you visit Site B (which also uses AdNetwork.com), the same cookie identifies you, building a complete browsing profile. Firefox blocks these by default. In Chrome: Settings > Privacy and Security > Cookies and Other Site Data > Block Third-Party Cookies.
Enable Do Not Track
The Do Not Track (DNT) header is a signal your browser sends to websites asking them not to track you. The honest truth: most sites ignore it. But some reputable sites (like Medium, Pinterest) do honor it, and the EU's GDPR gives the signal legal weight in some interpretations. It costs nothing to enable. In Firefox: Settings > Privacy & Security > check "Send websites a Do Not Track request". In Chrome: Settings > Privacy > Send a "Do Not Track" request.
Check your browser fingerprint
Even without cookies, websites can identify you through browser fingerprinting: your screen resolution, installed fonts, WebGL renderer, timezone, and dozens of other attributes combine into a unique signature. Test how unique your browser is with our fingerprint tool. If your fingerprint is highly unique, consider using Firefox with resistFingerprinting enabled (about:config > privacy.resistFingerprinting = true).
Section 2: Network Privacy
Use a VPN
A VPN encrypts all traffic between your device and the VPN server. Your ISP sees encrypted gibberish instead of which websites you visit. The VPN server's IP replaces yours, so websites cannot determine your real location. This is the single most impactful network privacy tool available. I recommend NordVPN for its speed, no-logs audits, and server count. Avoid free VPNs: if you are not paying, you are the product.
Test your VPN for leaks
A VPN is only as good as its implementation. DNS leaks expose your queries to your ISP despite the VPN tunnel. WebRTC leaks reveal your real IP through browser APIs. IPv6 leaks occur when the VPN only tunnels IPv4 traffic. Test your VPN with our leak test tool, which checks all three leak types simultaneously. If any leaks are detected, switch to a different VPN protocol or enable the kill switch.
Use encrypted DNS
Traditional DNS queries are sent in plaintext, so your ISP can see every domain you visit even if you use HTTPS. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt these queries. In Firefox: Settings > Privacy & Security > Enable DNS over HTTPS (select Cloudflare). System-wide: configure your router or OS to use Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) with DoH/DoT enabled.
Secure your Wi-Fi with WPA3
WPA2 (the standard since 2004) has known vulnerabilities: the KRACK attack can decrypt traffic on vulnerable networks. WPA3 uses Simultaneous Authentication of Equals (SAE), which prevents offline dictionary attacks and provides forward secrecy. Check your router settings: most routers manufactured after 2020 support WPA3. Set it to WPA3-Personal (or WPA3/WPA2 transitional if older devices need to connect).
Check your privacy score
How private is your current setup? Our privacy score tool analyzes your browser configuration, checks for WebRTC leaks, tests DNS encryption, evaluates your fingerprint uniqueness, and checks whether your IP appears in known databases. It gives you a single score from 0-100 with specific recommendations for improvement.
Section 3: Account Security
Enable 2FA on all accounts
Two-factor authentication means a stolen password alone is not enough to access your account. An attacker also needs your second factor: a code from an authenticator app, a hardware key, or a biometric scan. Enable it on every account that supports it. Priority order: email, banking, social media, cloud storage. Use an authenticator app (Authy, Google Authenticator) over SMS, because SIM swapping attacks can intercept text codes.
Use a password manager
The average person has 100+ online accounts. Nobody can remember 100 unique, strong passwords. A password manager generates and stores them for you. You memorize one master password; it handles the rest. I use 1Password, but Bitwarden (free, open-source) is excellent too. The important thing is using one: any password manager is infinitely better than reusing passwords or writing them on sticky notes.
Check for data breaches
Billions of credentials have been leaked in data breaches. Your email and password may already be compromised without you knowing. Visit haveibeenpwned.com, enter your email, and see if it appears in any known breaches. If it does, change the password for that service immediately. If you reused that password anywhere else, change it everywhere. This is why unique passwords matter: one breach should not compromise all your accounts.
Review app permissions
That flashlight app does not need access to your contacts, microphone, and location. On iOS: Settings > Privacy & Security, then review each category. On Android: Settings > Apps > [App] > Permissions. Revoke anything that does not make sense. Pay special attention to Location (set to "While Using" instead of "Always"), Camera, Microphone, and Contacts. Do this quarterly, since apps sometimes add permission requests through updates.
Use unique passwords for every site
If you use the same password on LinkedIn and your bank, a LinkedIn breach gives attackers access to your bank account. This is called credential stuffing: automated tools test leaked username/password pairs against thousands of sites. It works because 65% of people reuse passwords. With a password manager, you never need to reuse a password again. Generate 20+ character random passwords for every account.
Section 4: Advanced
Disable WebRTC in your browser
WebRTC (Web Real-Time Communication) is a browser API used for video calls and peer-to-peer connections. The problem: it can reveal your real IP address even when using a VPN. In Firefox: go to about:config and set media.peerconnection.enabled to false. In Brave: Settings > Privacy > WebRTC IP Handling Policy > Disable Non-Proxied UDP. In Chrome: install the WebRTC Leak Prevent extension. Test with our VPN leak tool afterward.
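The Firefox settings this checklist recommends (Strict tracking protection, resistFingerprinting, DNS over HTTPS, WebRTC disabled) can be checked in one pass against a profile's prefs.js or user.js. The script below is an added example, not part of the original checklist; the mapping of the Strict and DoH settings to `browser.contentblocking.category` and `network.trr.mode` is this example's assumption, and the sample prefs are constructed.

```python
import re

# Values the checklist asks for. The first two pref names are quoted on the page;
# the last two are the about:config names this example maps the UI settings to.
CHECKLIST = {
    "privacy.resistFingerprinting": lambda v: v is True,
    "media.peerconnection.enabled": lambda v: v is False,
    "browser.contentblocking.category": lambda v: v == "strict",
    "network.trr.mode": lambda v: v in (2, 3),  # 2 = DoH with fallback, 3 = DoH only
}

# One pref per line: user_pref("name", value);  Comment lines never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Convert a prefs.js literal (true/false, integer, "string") to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return None  # unrecognised literal

def parse_prefs(text):
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}  # last wins

def audit(text):
    """Return {pref: "ok" | "unset" | "weak: <value>"} for each checklist pref."""
    prefs, report = parse_prefs(text), {}
    for name, is_ok in CHECKLIST.items():
        if name not in prefs:
            report[name] = "unset"  # absent from the file: browser default applies
        else:
            report[name] = "ok" if is_ok(prefs[name]) else f"weak: {prefs[name]!r}"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''// user.js
user_pref("privacy.resistFingerprinting", true);
user_pref("media.peerconnection.enabled", true);
user_pref("network.trr.mode", 5);
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PREFS).items():
        print(f"{status:12} {name}")
```

prefs.js only records values that differ from the defaults, so "unset" means the browser default is in effect, which for these four prefs is not the hardened value.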
Use email aliases
Every time you give a website your real email, you are handing them a permanent identifier that links all your accounts together. Email alias services (SimpleLogin, AnonAddy, or Apple's Hide My Email) generate unique forwarding addresses for each service. If one gets breached or sold to spammers, you disable that alias without affecting anything else. I use a different alias for every online account.
Opt out of data brokers
Companies like Spokeo, WhitePages, BeenVerified, and Intelius collect your personal information (name, address, phone number, relatives) and sell it to anyone who pays. Most are legally required to honor opt-out requests. Visit each broker's opt-out page and submit removal requests. This is tedious (there are 200+ brokers), so consider a service like DeleteMe ($129/year) that does it automatically and monitors for re-listing.
Review social media privacy settings
Social media platforms default to maximum visibility because that is how they make money. Lock down your settings: set profiles to private or friends-only, disable location tagging, turn off ad personalization, limit who can find you by email or phone number, and review connected third-party apps. Do this on Facebook, Instagram, Twitter/X, LinkedIn, and TikTok. Repeat every few months, since platforms often reset settings after updates.
Encrypt your phone and laptop storage
If your device is stolen, encryption prevents the thief from accessing your data, even if they remove the storage drive and connect it to another computer. On Mac: enable FileVault (System Settings > Privacy & Security > FileVault). On Windows: enable BitLocker (Settings > Privacy & Security > Device Encryption). On iPhone: encryption is on by default if you have a passcode. On Android: Settings > Security > Encryption (most modern Android phones encrypt by default).
Beyond the Checklist
Completing this checklist puts you ahead of the vast majority of internet users. But privacy is not a destination; it is an ongoing practice. Here are the habits that matter most long-term:
Audit quarterly. Come back to this page every three months. Re-check your settings, review app permissions, run a fresh VPN leak test, and verify your password manager is still up to date. Platforms change defaults, new vulnerabilities emerge, and habits slip.
Stay skeptical of new services. Every app you install, every account you create, and every permission you grant expands your attack surface. Before signing up for anything, ask: do I actually need this? What data will they collect? What happens if they get breached?
Teach someone else. Privacy knowledge compounds when shared. Show a friend how to set up a password manager. Help your parents enable 2FA. The more people who practice good privacy hygiene, the harder mass surveillance becomes for everyone.
Frequently Asked Questions
A VPN is one of the most effective privacy tools available. It encrypts all your internet traffic, hides your IP address from websites, and prevents your ISP from logging which sites you visit. It is especially important on public Wi-Fi, where anyone on the same network could intercept your unencrypted traffic. However, a VPN alone is not enough: you also need good browser hygiene, strong passwords, and awareness of tracking techniques.
No. Incognito mode only prevents your browser from saving your history, cookies, and form data locally. Your ISP, employer, school, and the websites you visit can still see your activity. Your IP address is still visible, and your browser fingerprint does not change. For real privacy, you need a VPN, a privacy-focused browser, and proper configuration of tracking protections.
Browser fingerprinting is a tracking technique that identifies you based on your browser's unique characteristics: screen resolution, installed fonts, timezone, WebGL renderer, audio context, canvas rendering, and dozens more attributes. Combined, these create a fingerprint that is unique to your device. Unlike cookies, you cannot delete a fingerprint. You can reduce it by using Firefox with resistFingerprinting enabled, or Brave browser which randomizes fingerprint data.
Visit haveibeenpwned.com and enter your email address. This free service checks your email against billions of leaked records from known data breaches. If your email appears, change the password for that service immediately. Enable 2FA if available. If you reused that password elsewhere, change it on every site where you used it.
If you can only do one thing: use a password manager with unique, strong passwords for every account and enable two-factor authentication everywhere it is available. Most privacy breaches stem from credential reuse, where one leaked password gives attackers access to every account where you used it. A password manager eliminates this risk entirely.
Yes. Most items apply equally to phones and tablets. Use a privacy-focused mobile browser (Firefox Focus or Brave), install a VPN app, enable 2FA on all accounts, use a mobile password manager, review app permissions regularly, and encrypt your device storage. Both iOS and Android have built-in encryption; make sure it is enabled in your security settings.