Most people do not have a data privacy problem. They have a data privacy audit problem. They have never sat down and looked at what personal information they are exposing, where it is going, and what systems are quietly collecting it in the background. They assume that because nothing bad has happened yet, nothing is wrong.
That assumption is expensive.
Online privacy in 2026 is not about paranoia. It is about understanding that your personal data has value, that multiple industries are built around harvesting it, and that the default settings on almost every platform you use are configured to extract as much of it as possible. Data collection is not incidental. It is the business model. This digital privacy checklist is designed to help you audit your digital life section by section, identify where you are leaking, and fix it without rebuilding your entire workflow from scratch.
What Not to Share with AI Tools
This is the section most digital security guides written before 2024 do not cover, because the risk did not exist at scale until recently. It now does.
Artificial intelligence tools are embedded in everyday work. They summarize documents, draft emails, analyze data, transcribe meetings, and assist with decisions. The problem is not that AI tools are malicious. The problem is that most of them are not private by default. When you paste content into a public artificial intelligence platform, that content may be logged, reviewed by humans for quality purposes, used to train future models, or stored in jurisdictions with weak data protection frameworks. Privacy policies on most AI platforms reserve broad rights over what you submit. Reading those privacy policies before using any AI tool with sensitive data is not optional. It is basic data protection.
Sensitive information that no AI system should ever need includes your national identity number, passport details, bank account or card numbers, medical history or diagnoses, clients’ personal data, login credentials of any kind, and your precise home address. None of these are necessary for any legitimate AI task. If a workflow requires you to input sensitive data into an AI tool, the workflow needs to change, not your privacy standards.
More broadly, treat AI inputs the way you treat public statements. If you would not say it in a room full of strangers, do not type it into a system whose data handling you have not verified.
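One way to make "do not type it in" a mechanical step rather than a judgement call is a local scrub pass over the prompt before it leaves your machine. The following is an added example, not code from the article or from any AI vendor: it looks for the categories the article says no AI task needs (card numbers, IBANs, national ID numbers, credentials, contact details), replaces each hit with a placeholder and reports what it found. The regexes are deliberately simple and will miss things; the Luhn check keeps order numbers and other long digit runs from being mistaken for cards. The sample prompt is constructed.

```python
"""Added example (not from the article): a local scrub step for text that is
about to be pasted into an AI tool. Patterns are simple and illustrative;
the sample prompt below is constructed."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Ordered (label, regex). Credentials first so a looser rule cannot eat part of one.
PATTERNS = [
    ("credential", re.compile(r"(?i)\b(?:password|passwd|pwd|api[_ -]?key|token|secret)\s*[:=]\s*\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")),
    ("card", re.compile(r"\b(?:\d[ -]?){13,19}\b")),   # confirmed with Luhn below
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),     # US-style national ID number
    ("phone", re.compile(r"\+\d{1,3}[ -]?(?:\d[ -]?){6,12}\d")),
]


def scrub(text: str):
    """Return (redacted_text, findings); findings is a list of (label, original)."""
    findings = []

    def make_replacer(label):
        def replace(match):
            token = match.group(0)
            if label == "card" and not luhn_ok(re.sub(r"\D", "", token)):
                return token            # long digit run that is not a card number
            findings.append((label, token))
            return f"[REDACTED {label.upper()}]"
        return replace

    for label, regex in PATTERNS:
        text = regex.sub(make_replacer(label), text)
    return text, findings


# Constructed prompt of the kind the article warns about.
SAMPLE_PROMPT = (
    "Draft a refund email. Card 4111 1111 1111 1111, order 1234567890123 "
    "shipped to jane@example.com, password: Hunter2! and phone +44 20 7946 0958."
)

if __name__ == "__main__":
    clean, found = scrub(SAMPLE_PROMPT)
    print(clean)
    for label, original in found:
        print(f"  blocked {label}: {original}")
```

Run on the constructed prompt, the card number, the email address, the credential and the phone number are replaced; the thirteen-digit order number fails the Luhn check and is left alone. The point is the workflow shape: the check runs locally, and whatever it flags is a sign that the task itself needs restructuring, not that the filter needs loosening.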
For users who rely on AI tools professionally, routing interactions through a VPN at minimum masks your IP address and jurisdiction. More substantially, Proton is developing infrastructure that keeps AI-assisted workflows within its encrypted environment, meaning your inputs do not pass through third-party model providers. This is the direction serious privacy-first AI interaction is heading.
Password and Credential Hygiene
Weak credential practices are responsible for the majority of account compromises. Not sophisticated cyber attacks. Not elaborate phishing scams. Simple password reuse across multiple platforms, combined with the reality that at least one of those platforms has already experienced a data breach and your credentials are circulating on underground markets right now.
Every account should have a unique, randomly generated strong password that you do not know by memory. If you can remember your password, it is not strong enough. A password manager like Proton Pass generates and stores passwords securely across devices under a single subscription. It also flags reused or compromised passwords automatically, so your audit starts the moment you import your existing credentials.
Two-factor authentication, or multi-factor authentication where available, should be enabled on every account that supports it, prioritizing email, banking, and cloud storage. The authenticator app question matters more than most guides acknowledge. Avoid tying authentication to a single device in a way that cannot be recovered if that device is lost or replaced. Both Authy and Proton Pass offer authenticator functionality that is backed up and transferable across devices, meaning a phone upgrade or a lost handset does not lock you out of your accounts permanently. These are significantly more resilient options than device-bound authentication methods that disappear with the phone.
Never store passwords in your browser’s built-in password manager on a shared or work device. Browser-stored credentials are among the easiest targets for malware and unauthorized access.
Network and VPN Habits
Your network is the layer most people think they have covered and least often actually do. Public Wi-Fi is one of the most exploited attack surfaces in everyday digital life. Hotel networks, café connections, and airport lounges are all environments where your internet traffic can be intercepted, monitored, and manipulated without you knowing.
Always connect to a VPN before using public Wi-Fi. Never conduct banking, access work systems, or send sensitive communications on an unencrypted connection. Use a VPN provider with a verified no logs policy. Enable the kill switch feature, which cuts your internet connection entirely if the VPN drops rather than reverting to an unprotected connection.
At home, setting your VPN up at the router level protects every device on your network automatically, including smart TVs, tablets, and connected devices that do not support VPN apps natively.
For users in regions where ISPs use deep packet inspection to monitor internet traffic, choosing a VPN with obfuscation capabilities is particularly important. Standard VPN connections can be identified and throttled. Obfuscated protocols make your traffic look like regular encrypted browsing, which is significantly harder to detect and block. This is not a niche concern. It is a practical reality for a large portion of internet users globally.
Email Privacy and Alias Use
Email is one of the most overlooked surfaces in any privacy impact assessment. Your email address is your digital identity anchor. It connects your accounts, receives sensitive communications, and appears in breach databases when platforms you use are compromised.
Stop using your primary email address to sign up for services you do not fully trust. Use an email alias instead. Aliases are forwarding addresses that deliver to your real inbox but can be deactivated individually if they start receiving spam or appear in a data breach. Proton Pass includes alias functionality as part of its credential management suite, keeping your alias management and password management in the same place.
For primary email, Proton Mail offers end-to-end encrypted communication where email content and metadata are encrypted within its infrastructure. Even Proton cannot read your messages. For users currently relying on mainstream providers for sensitive professional communication, this is worth taking seriously from a data security standpoint. Proton Mail’s infrastructure is built around privacy as a technical guarantee rather than a policy promise, which is a meaningful distinction when evaluating provider trustworthiness.
Most people think about email privacy but forget that their messaging apps are just as exposed. Not all messengers are equal. Signal offers end-to-end encryption by default for both text and calls, making it one of the most reliable options for private communication. WhatsApp offers encryption technically but collects significant metadata about who you contact and when. Standard SMS is unencrypted and should never be used for anything sensitive. RCS is too new to accept as safe. Know what your messenger actually protects before you trust it with a conversation that matters.
Keep work and personal email on separate accounts. This limits the blast radius if either is compromised and keeps your personal data out of employer-controlled systems.
Browser and Cookie Habits
Your browser is one of the most data-hungry tools you use daily. Default settings on major browsers are configured to maximize data collection for advertising purposes. Every site you visit, every search you conduct, and every form you fill contributes to a behavioral profile built around your user data.
Switch to a privacy-focused browser or install privacy extensions on your existing one. uBlock Origin is one of the most effective tools available for blocking trackers, ads, and malicious scripts. Privacy Badger, developed by the Electronic Frontier Foundation, learns to block invisible trackers automatically as you browse. Running both together significantly reduces the data collection surface of your browser.
Clear cookies regularly or configure your browser to clear them on close. Disable third-party cookies in your privacy settings entirely. For search, replace default search engines with private alternatives that do not build behavioral profiles based on your queries. This single change eliminates one of the most persistent data collection mechanisms most people interact with dozens of times daily without considering it.
Also enable HTTPS-only mode in your browser settings. This forces encrypted connections and flags unencrypted HTTP sites before you interact with them, adding a layer of protection on pages your extensions might not catch.
Device and App Permissions
Every app on your device that has access to your location, microphone, camera, or contacts is a potential data collection point. Most apps request more permissions than they need as a matter of design, and most users approve without reading what they are agreeing to. This is one of the most straightforward areas where privacy practices can be improved immediately.
Audit your app permissions quarterly. Both Android and iOS allow you to view which apps have access to which device features and revoke them individually. Revoke location access for any app without a functional reason to need it. Set location permissions to only while using the app rather than always on.
Delete apps you no longer use. Dormant apps with broad permissions are a quiet but persistent risk. Review privacy labels before installing new apps. Both major app stores now display what data each app collects and whether it is linked to your identity. Make this part of your decision before installing, not after.
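On Android, the same per-app permission data the settings screen shows can be pulled in one go with `adb shell dumpsys package`, which makes a quarterly audit a script rather than a tour through menus. The following is an added example, not code from the article or from Android's own tooling: it parses that output, keeps only the permissions the article singles out (location, microphone, camera, contacts) and flags any app holding always-on location. The sample text is constructed to resemble dumpsys output; the exact layout varies between Android versions, so the parser relies only on the `Package [name]` header and `<permission>: granted=<bool>` lines. The permission names are the real Android ones.

```python
"""Added example (not from the article): permission audit over constructed
`adb shell dumpsys package` output. Layout assumptions are noted above."""
import re

# Permissions the article singles out, mapped to plain-language labels.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location (always on)",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
}
BACKGROUND_LOCATION = "android.permission.ACCESS_BACKGROUND_LOCATION"

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def audit(dumpsys_text: str) -> dict:
    """Map each package to the sensitive permissions it currently holds."""
    report = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            report[current] = {"granted": [], "always_on_location": False}
            continue
        grant = GRANT_RE.match(line)
        if current and grant and grant.group(2) == "true":
            name = grant.group(1)
            if name in SENSITIVE:
                report[current]["granted"].append(name)
                if name == BACKGROUND_LOCATION:
                    report[current]["always_on_location"] = True
    return report


def findings(report: dict) -> list:
    """Human-readable lines; always-on location is called out as the thing to change."""
    out = []
    for pkg, info in report.items():
        if info["always_on_location"]:
            out.append(f"{pkg}: location is always on; set it to 'only while using the app'")
        for name in info["granted"]:
            if name != BACKGROUND_LOCATION:
                out.append(f"{pkg}: has {SENSITIVE[name]} access")
    return out


# Constructed sample resembling dumpsys output for three apps.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3f2a1b):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.maps] (7c9d0e):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (1a2b3c):
    userId=10125
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for line in findings(audit(SAMPLE_DUMPSYS)):
        print(line)
```

On the constructed sample the flashlight app is the one to act on: it holds camera access plus always-on location with no functional reason for either, while the maps app has location only while in use and the notes app has nothing granted. Against a real device, pipe `adb shell dumpsys package` into `audit` and read the findings the same way.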
Parental controls deserve mention here as well. For households where children use shared or individual devices, parental controls limit app installation, screen time, and content access. They are also a data protection mechanism, since children are among the most vulnerable users when it comes to data collection by app developers.
Devices and Physical Security
Every device you own should lock automatically after a short period of inactivity and require authentication to unlock, whether that is a PIN, fingerprint, or face recognition. A phone with no lock screen undoes every other privacy measure on this list the moment it leaves your hand. Enable remote wipe on all your devices before you need it. Finding out your phone was lost and then scrambling to set up remote wipe is too late.
Keep your operating system, browser, and apps updated. Updates are not just new features. They are security patches closing vulnerabilities that are actively being exploited. Delaying updates means running software with known weaknesses. Set updates to install automatically where possible and treat pending updates as a priority rather than a later task.
Any internet-connected device in your home is a potential data collection point, not just your phone. Fitness trackers, smartwatches, smart speakers, baby monitors, and security cameras all gather data and transmit it to external servers. Cheap hardware frequently means lower investment in security practices by the manufacturer. Before purchasing any connected device, look up its data practices and any history of breaches. After setup, change default passwords immediately and keep firmware updated.
Social Media Oversharing
Audit what your profiles reveal publicly. Full name, location, employer, phone number, and date of birth together constitute enough personal information for identity theft. Review your privacy settings on every platform and restrict public visibility to the minimum necessary.
Geolocation data deserves specific attention because most people share it without thinking. Routine location tags on posts and photos reveal where you live, where your children spend time, your daily routes, and when you are away from home. Disable automatic geotagging on your camera and be deliberate about any location information attached to what you post. A pattern of tagged locations over time is a detailed map of your life, even if each individual post seems harmless.
Be deliberate about what you post of other people, not just yourself. When you share a photo of someone else, tag them in a location, or post a screenshot of a conversation, you are making a privacy decision on their behalf. They did not consent to that. Apply the same standards to other people’s personal information that you would want applied to your own.
Never post images containing visible ID documents, boarding passes, bank cards, or addresses, even partially. These are routinely mined for exploitable information.
Cloud Storage and File Privacy
If your files live in mainstream cloud storage under default settings, they are encrypted in transit and at rest, but the encryption keys are held by the provider. That means the provider can access your files if required to by law, by internal policy, or in a breach scenario. This is where data privacy laws and general data protection regulation frameworks matter, but compliance efforts by providers do not equal genuine privacy. Compliance means they follow the rules. End-to-end encryption means they cannot read your files regardless of the rules.
Proton Drive encrypts files before they leave your device. Only you hold the keys. No third party, including Proton, can access the content. For sensitive documents, financial records, and client files, this is the standard worth holding.
At minimum, encrypt sensitive files before uploading them to any provider that does not offer end-to-end encryption natively. A compressed archive with a strong password adds a layer of protection even on platforms where you have no control over the server-side encryption model.
When you stop using a device, a cloud service, or a storage account, the data on it does not disappear on its own. Old devices handed to others or sold without wiping are a consistent and avoidable source of data exposure. Wipe devices fully before disposal and confirm data deletion when closing any cloud account rather than simply abandoning it. Physical storage media like old hard drives and USB drives should be wiped or physically destroyed before being discarded.
Breach and Identity Monitoring
Even if you do everything above correctly, breaches still happen. Platforms you have accounts on get compromised. Credentials get resold. Your email address and personal data circulate in datasets you never consented to. Data breach exposure is not a question of if. For most people with an active digital life, it is a question of when and how often.
Monitoring closes the loop. Use a breach monitoring service that scans known breach databases and alerts you when your information appears. Change compromised credentials immediately. If a breach notification includes a password you reused anywhere, change it on every platform where you used it, not just the one that was compromised.
Identity theft becomes significantly harder when your exposure is monitored proactively rather than discovered after damage occurs. Consider dedicated identity monitoring if your exposure surface is wide, if you handle sensitive client data professionally, or if you have experienced a data breach before.
A useful habit that complements monitoring is keeping track of which services actually hold your personal data. Most people have registered with dozens of platforms over the years and have no clear picture of where their information sits. Your password manager already functions as a catalogue of every service you have an account with. Review it periodically, close accounts you no longer use, and where possible submit data deletion requests to platforms that hold your information. The less data circulating under your name across inactive accounts, the smaller your exposure surface becomes.
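The three checks above, reused passwords (from the password section), which accounts to rotate after a breach notice (where per-service aliases tell you which service actually leaked), and breach-corpus lookups, are exactly what a password manager's audit does behind the scenes. The following is an added example, not code from the article or from any password manager, that performs them by hand over a small constructed vault export. The breach-corpus check uses the Have I Been Pwned range API's k-anonymity model: only the first five hex characters of the password's SHA-1 leave the machine and the suffix comparison happens locally. The vault rows, the breach notice and the stub API response are constructed; the live endpoint is https://api.pwnedpasswords.com/range/<prefix>, wired up in `hibp_range_lookup` but not called by the offline demo.

```python
"""Added example (not from the article): vault audit over a constructed export.
Reuse detection, post-breach rotation set, and a k-anonymity breach lookup."""
import hashlib
import secrets
import string
import urllib.request
from collections import defaultdict

# Constructed vault export: service, login (alias or primary address), password.
VAULT = [
    {"service": "shop.example", "login": "alias-shop@example.com", "password": "password"},
    {"service": "forum.example", "login": "alias-forum@example.com", "password": "password"},
    {"service": "bank.example", "login": "me@example.com", "password": "Kz8!qLw2#vT9mR4p"},
    {"service": "mail.example", "login": "me@example.com", "password": "d4!Nf7$wQ1zX0sB3"},
]


def reused_passwords(vault):
    """password -> services using it, only where more than one service shares it."""
    by_password = defaultdict(list)
    for row in vault:
        by_password[row["password"]].append(row["service"])
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def accounts_to_rotate(vault, breached_logins):
    """After a breach notice naming these logins: every service sharing a leaked password."""
    leaked = {row["password"] for row in vault if row["login"] in breached_logins}
    return {row["service"] for row in vault if row["password"] in leaked}


def pwned_count(password, range_lookup):
    """k-anonymity check: send a 5-char SHA-1 prefix, match the 35-char suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0


def hibp_range_lookup(prefix):
    """Live lookup against the real endpoint (not used by the offline demo or tests)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


# Constructed stand-in for the range endpoint. The first suffix is the real SHA-1
# tail of the string "password"; the counts are made up for the example.
STUB_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "00000A1B2C3D4E5F00000A1B2C3D4E5F000:1\r\n",
}


def stub_range_lookup(prefix):
    return STUB_RANGES.get(prefix, "")


def new_password(length=20):
    """The replacement the article asks for: random, wide alphabet, not memorable."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("reused:", reused_passwords(VAULT))
    print("rotate after forum breach:", accounts_to_rotate(VAULT, {"alias-forum@example.com"}))
    for row in VAULT:
        print(row["service"], "breach count:", pwned_count(row["password"], stub_range_lookup))
    print("fresh replacement:", new_password())
```

On the constructed vault the notice for `alias-forum@example.com` pins the leak on forum.example, and because that password is shared with shop.example both services land in the rotation set, which is the "change it on every platform" rule above made concrete. The alias is what makes the attribution possible; a single primary address across every signup leaves you guessing which service leaked.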
Digital Privacy Checklist
Screenshot this. Save it. Check off what you have done and come back to what you have not.
AI and Sensitive Data
- Never input ID numbers, financial details, or medical information into public AI platforms.
- Read the privacy policies of any AI tool you use for work before submitting sensitive data.
- Use a VPN when interacting with AI tools to mask your IP address and jurisdiction.
Passwords and Authentication
- Install a password manager such as Proton Pass and store all credentials inside it.
- Replace every reused password with a unique, randomly generated strong password.
- Enable two-factor authentication or multi-factor authentication on every account that supports it.
- Use Authy or Proton Pass as your authenticator app so codes are backed up and transferable across devices.
- Remove saved passwords from your browser on any shared or work device.
Network Security
- Always connect to a VPN before using public Wi-Fi.
- Enable your VPN’s kill switch so unprotected connections are blocked automatically.
- Set up your VPN at the router level to protect every device on your home network.
Email, Messaging and Identity
- Use email aliases for signups to services you do not fully trust.
- Move sensitive professional communication to Proton Mail for end-to-end encrypted email.
- Keep work and personal email accounts completely separate.
- Use Signal for sensitive conversations. Know whether your messenger encrypts by default before trusting it with anything important.
Browser and Search
- Install uBlock Origin and Privacy Badger on your browser.
- Disable third-party cookies in your browser privacy settings.
- Switch your default search engine to a private alternative that does not track queries.
- Enable HTTPS-only mode in your browser settings.
Device and App Permissions
- Audit app permissions on your device every three months and revoke what is unnecessary.
- Delete apps you no longer use.
- Check app privacy labels before installing anything new.
- Enable parental controls on any device used by children in your household.
Device Security and Physical Habits
- Set every device to lock automatically and require authentication to unlock.
- Enable remote wipe on all your devices before you need it, not after.
- Keep your operating system, browser, and apps updated. Treat pending updates as a security priority.
- Before purchasing any connected device, check its data practices. Change default passwords immediately after setup.
Social Media
- Restrict your social media profiles to minimum public visibility in privacy settings.
- Disable automatic geotagging on your camera and be deliberate about any location data attached to posts.
- Apply the same privacy standards to other people’s information that you would want applied to your own before posting photos or screenshots of others.
- Never post images containing visible ID documents, boarding passes, bank cards, or addresses.
Cloud and Files
- Move sensitive files to Proton Drive or encrypt them before uploading to any standard cloud provider.
- Wipe devices fully before disposal and confirm data deletion when closing cloud accounts.
Breach Monitoring
- Set up breach monitoring so you are alerted the moment your personal data appears in a compromised dataset.
- Periodically review which services hold your data, close inactive accounts, and submit deletion requests where possible.
Further reading: the Electronic Frontier Foundation’s Surveillance Self Defense guide and Kaspersky’s anti-doxing checklist are both worth bookmarking for anyone who wants to go deeper on specific threat models.

