Digital privacy has moved from a niche technical concern to a mainstream issue that touches everyone who owns a smartphone, uses the internet, or interacts with modern services — which is to say, virtually everyone. The data economy has created a world in which our browsing behaviour, location history, purchasing patterns, social connections, and even physical health metrics are constantly collected, processed, and sold, often with our nominal consent but rarely our genuine understanding.
The good news is that meaningful privacy protection does not require technical expertise or paranoid extremism. A modest investment of time in implementing a handful of key practices can dramatically reduce your exposure to the most common and significant privacy risks — data breaches, identity theft, advertising surveillance, and account takeover — without meaningfully disrupting your digital life.
The Password Manager: Non-Negotiable First Step
If you remember your passwords, they are almost certainly insecure. Secure passwords — long, random, unique to every account — are by definition not memorable. The solution is a password manager, which stores and generates passwords securely so that you only need to remember one strong master password. This single change eliminates the most common route to account compromise: credential stuffing, where attackers use username-password combinations leaked from one service to access others.
1Password and Bitwarden are the leading options. 1Password offers the most polished experience across platforms; Bitwarden is open-source and offers a genuinely excellent free tier. Either choice is transformative compared to reusing passwords or storing them in your browser's built-in manager (which, while convenient, is more vulnerable than a dedicated password manager). Set it up this week — it takes about two hours to migrate your existing passwords and is worth every minute.
Two-Factor Authentication: Your Second Line of Defence
Even with a compromised password, an attacker cannot access your account if two-factor authentication (2FA) is enabled and requires a second verification step. Activate 2FA on every account that offers it, prioritising email, banking, social media, and any account linked to payment methods. Authentication apps — Authy, Google Authenticator, or the 2FA built into your password manager — are significantly more secure than SMS-based codes, which can be intercepted via SIM-swapping attacks.
Hardware security keys (YubiKey is the most popular) represent the gold standard for critical accounts, being resistant to phishing attacks that can fool even authentication apps. For most people, an authenticator app covers 95% of the protection available from hardware keys at zero cost.
Encrypted Messaging: Switch to Signal
Standard SMS messages and most popular messaging apps offer little or no end-to-end encryption by default, meaning messages pass through servers where they can potentially be read by the service provider, shared with law enforcement, or exposed in breaches. Signal — free, open-source, and independently audited — offers the strongest available end-to-end encryption for both messages and calls, used even by security professionals and journalists working in high-risk environments.
For everyday users, WhatsApp provides end-to-end encryption for message content (though not metadata), making it a reasonable choice for casual communications. For anything sensitive — financial discussions, personal information, private conversations — Signal is the responsible choice. Convincing your most frequent contacts to install it is the main friction point; the actual use is identical to any other messaging app.
Your Browser and Search Engine
Your choice of browser and search engine significantly affects the volume of data collected about your online activity. Firefox with uBlock Origin installed offers strong privacy defaults without sacrificing compatibility. Brave offers similar protection with a Chromium base that improves compatibility with some web applications. For search, DuckDuckGo and Startpage are established alternatives that do not build advertising profiles from your queries.
The browser extension ecosystem for privacy is extensive. At minimum, install uBlock Origin (the most effective ad and tracker blocker available), Privacy Badger (for additional tracker blocking), and HTTPS Everywhere (which forces encrypted connections where available). These three extensions together eliminate a large proportion of common web tracking at no cost.
VPNs: Useful but Not Magic
Virtual Private Networks (VPNs) route your internet traffic through an encrypted tunnel to a server operated by the VPN provider, masking your IP address and encrypting traffic from your device to the VPN server. They are genuinely useful in specific scenarios: using public Wi-Fi networks, accessing geo-restricted content, and preventing your internet service provider from monitoring your browsing history.
They are often oversold, however. A VPN does not make you anonymous online — it shifts the entity that can see your traffic from your ISP to the VPN provider. It does not protect against account-based tracking (if you are logged into Google, Google knows what you are doing regardless of your VPN). For privacy, choose a VPN provider with a credible no-logs policy that has been independently audited: Mullvad and ProtonVPN are the most trustworthy options available.
Review Your App Permissions
Smartphone app ecosystems have become significantly more privacy-protective in recent years, with both iOS and Android requiring explicit permission for access to location, camera, microphone, contacts, and other sensitive data. The problem is that most users grant these permissions automatically during app installation without considering whether they are necessary.
Take 30 minutes to audit your app permissions — on iOS under Settings > Privacy & Security, on Android under Settings > Privacy > Permission Manager. Revoke any permissions that seem unnecessary for the app's core function. Does a weather app need access to your contacts? Does a game need your precise location? Most permissions can be safely restricted without affecting an app's primary functionality.
Data Broker Opt-Outs
Data brokers are companies that collect, aggregate, and sell personal information — your name, address, phone number, financial history, relationship status, and much more — to marketers, employers, and anyone willing to pay. Most people are unaware they exist; fewer still know that many jurisdictions legally entitle you to request removal of your data from these databases.
Services like DeleteMe and Kanary automate the opt-out process with major data brokers, which otherwise involves submitting individual requests to dozens of companies. While not perfect — brokers frequently re-add your information — systematic opt-outs meaningfully reduce your exposure over time and are worth the modest annual cost for anyone concerned about identity theft or online harassment.
Email Privacy
Email is one of the most privacy-invasive communication channels most people use. Standard email providers scan message content for advertising targeting, and email marketing involves extensive tracking of open rates and link clicks via invisible pixels embedded in messages. Proton Mail offers end-to-end encrypted email hosted in Switzerland, outside the jurisdiction of US and UK surveillance laws, and is the strongest available option for privacy-conscious users.
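To make the invisible pixels described above concrete, here is an added example (not part of the original article) that flags remote images in an HTML message body when they are sized 1x1 or hidden. The size and style heuristics, the function and class names, and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristics (assumed for this example): inline styles that shrink an image
# to a dot, or hide it from view entirely.
_TINY = re.compile(r"(?:^|;)\s*(?:max-)?(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class PixelFinder(HTMLParser):
    """Collects remote <img> tags that look like open-tracking beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (host, reason) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, so no remote request is made
        style = a.get("style", "")
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reason = "1x1 or zero-size attribute"
        elif _TINY.search(style):
            reason = "1x1 or zero-size style"
        elif _HIDDEN.search(style):
            reason = "hidden by style"
        else:
            return  # normally sized, visible image
        self.findings.append((url.hostname, reason))


def find_tracking_pixels(html):
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample message body; every host is a placeholder.
SAMPLE = """<html><body>
<img src="https://cdn.shop.example/logo.png" width="200" height="60">
<img src="cid:banner@shop.example" width="1" height="1">
<img src="https://track.mailer.example/o/abc123.gif" width="1" height="1" alt="">
<img src="https://open.stats.example/p?u=42" style="display:none">
</body></html>"""

print(find_tracking_pixels(SAMPLE))
```

Each flagged host learns when the message was opened, because the mail client fetches the image from it; blocking remote images by default stops that request from being made.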
Digital privacy, like physical security, is about risk reduction rather than perfect protection. The measures above will not make you invisible online, but they will remove you from the lowest-hanging-fruit category that most threats target. Start with a password manager today, and add one more practice each week. Within a month, your digital life will be meaningfully more secure and private than that of the vast majority of internet users.