How to Audit Your Online Privacy in 30 Minutes
You don't need to become a security researcher to meaningfully improve your online privacy. A focused 30-minute audit covering the highest-impact areas will put you ahead of most people. Here's exactly what to check, in what order, and what to do about each finding.
Why a Privacy Audit Matters
Most people have never reviewed their account permissions, checked what data companies hold on them, or looked at what browser extensions are running on every page they visit. The result is a slow accumulation of exposure across dozens of services — each individually low-risk, but collectively forming a detailed profile that can be exploited in a breach, a phishing attack, or by data brokers selling your information.
A privacy audit is not about paranoia. It's about knowing what you've agreed to, removing access you no longer want to grant, and making informed choices about the data you share going forward.
Step 1: Google Account Privacy Checkup (5 minutes)
If you use Google services, start at myaccount.google.com/privacy-checkup. Google's Privacy Checkup walks you through:
- Data shared with apps: A list of every third-party app authorized to access your Google account. Revoke anything you no longer use — that fitness tracker from 2019 still has access to your account.
- Web & App Activity: Google's record of your search history and browsing behavior across all signed-in devices. You can pause collection and delete existing history.
- YouTube History: Separate from general search history; controls recommendations but also represents a record of your viewing behavior.
- Ad Personalization: Whether Google uses your activity to target ads across all its surfaces. You can turn this off without losing access to any services.
- Location History: Your timeline of physical movements. This is often on by default and the data is stored indefinitely unless you configure auto-delete.
At minimum: revoke old app access, set location history to auto-delete after 3 months, and review what activity Google is storing.
Step 2: Browser Settings and Extensions (8 minutes)
Your browser is where you spend most of your online time, and it's a significant source of privacy risk.
Audit Your Extensions
Every browser extension runs with access to every page you visit. Go to your browser's extension manager (chrome://extensions in Chrome, or about:addons in Firefox) and review the list critically. Ask yourself: Do I still use this? Does its permission level make sense for what it does? Remove anything you don't recognize or haven't actively used in the past month. Extensions have been compromised in the past and used to harvest browsing data or inject ads.
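To make the "does its permission level make sense" question concrete, the added example below (not part of the original article) reads the manifest.json that each extension ships and flags the ones requesting access to all sites. The sample manifests are constructed, and the list of "sensitive" API permissions is this example's own choice.

```python
import json

# Match patterns that grant access to (nearly) every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look in an audit (assumption of this example).
SENSITIVE_APIS = {"history", "cookies", "webRequest", "tabs", "clipboardRead"}


def _strings(values):
    """Keep only string entries; some manifests mix in non-string items."""
    return {v for v in values if isinstance(v, str)}


def audit_manifest(manifest):
    """Return the broad host patterns and sensitive APIs one manifest requests."""
    requested = _strings(manifest.get("permissions", []))        # MV2: hosts and APIs
    requested |= _strings(manifest.get("host_permissions", []))  # MV3: host patterns
    for script in manifest.get("content_scripts", []):
        requested |= _strings(script.get("matches", []))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "all_sites": sorted(requested & BROAD_PATTERNS),
        "sensitive_apis": sorted(requested & SENSITIVE_APIS),
    }


def flag_for_review(manifests):
    """Names of extensions that can touch every page, most sensitive first."""
    risky = [f for f in map(audit_manifest, manifests) if f["all_sites"]]
    risky.sort(key=lambda f: (-len(f["sensitive_apis"]), f["name"]))
    return [f["name"] for f in risky]


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [json.loads(text) for text in (
    '{"name": "Coupon Helper", "manifest_version": 2,'
    ' "permissions": ["<all_urls>", "tabs", "cookies"]}',
    '{"name": "Night Mode Toggle", "manifest_version": 3,'
    ' "host_permissions": ["*://*/*"], "permissions": ["storage"]}',
    '{"name": "Docs Word Counter", "manifest_version": 3,'
    ' "permissions": ["storage"], "content_scripts":'
    ' [{"matches": ["https://docs.example.com/*"], "js": ["count.js"]}]}',
)]

if __name__ == "__main__":
    for manifest in SAMPLE_MANIFESTS:
        print(audit_manifest(manifest))
    print("Review first:", flag_for_review(SAMPLE_MANIFESTS))
```

An extension that appears in the output is not necessarily malicious; it is the one whose purpose should clearly justify all-site access before you keep it.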
Check Cookie and Tracking Settings
In Chrome, go to Settings > Privacy and Security > Cookies and other site data. In Firefox, go to Settings > Privacy & Security. Enable Enhanced Tracking Protection in Firefox, or use a setting that blocks third-party cookies. Consider installing uBlock Origin (open source, well-audited) for broader tracker blocking.
Browser Fingerprinting
Beyond cookies, websites can identify you through your browser's unique combination of installed fonts, screen resolution, timezone, and other properties — a technique called fingerprinting. Check your exposure at coveryourtracks.eff.org. Firefox with strict tracking protection and the Firefox arkenfox user.js configuration provides the best resistance to fingerprinting.
Step 3: Mobile App Permissions (7 minutes)
Smartphones grant apps access to your camera, microphone, location, contacts, and more. Most people grant these permissions on install and never review them again.
- iOS: Settings > Privacy & Security — review each category (Location, Microphone, Camera, Contacts, Photos) and check which apps have access. Revoke any that don't need it for their core function.
- Android: Settings > Apps > Permission Manager — same process. Pay special attention to location: most apps that ask for "Always On" location don't need it. Change to "Only while using app" or deny entirely.
Priority permissions to check: Location (always-on is rarely justified), Microphone (only apps that genuinely need it), Contacts (many apps harvest contact lists to build social graphs), and Precise vs Approximate location.
Step 4: Check If Your Email Was in a Breach (3 minutes)
Visit haveibeenpwned.com and enter your email addresses. This free service, maintained by security researcher Troy Hunt, indexes known data breaches and tells you if your credentials appeared in any of them.
If your email appears in a breach, check which service was affected and whether your current password for that service (and any other service where you reused it) has been changed. Credential stuffing attacks work by taking a leaked email/password pair and automatically trying it on hundreds of other services — email, banking, shopping — until they find a match.
Step 5: Data Broker Opt-Outs (5 minutes to start)
Data brokers are companies that aggregate your personal information — name, address, phone number, relatives, income estimates — from public records, loyalty programs, and other sources, then sell it to anyone who pays. Sites like Spokeo, Whitepages, BeenVerified, and dozens of others likely have a profile on you.
Each site has its own opt-out process, which makes this tedious. Services like DeleteMe (paid) automate it, but you can also work through the list manually. Start with the largest aggregators: Spokeo, Intelius, Whitepages, and LexisNexis. Search for your name and use the opt-out links (usually in the footer) to request removal. Expect a 30–90 day turnaround per site, and expect to need to repeat the process periodically as data is re-added.
Step 6: Password Manager Check (2 minutes)
If you use a password manager, open it and look for the security dashboard. Bitwarden's Vault Health Reports, 1Password's Watchtower, and similar features flag reused passwords, weak passwords, and passwords that appeared in known breaches. Address any critical findings — especially reused passwords on high-value accounts like email, banking, and work.
If you're not using a password manager, now is the time to start. Every account should have a unique, randomly generated password — a goal that is practically impossible without a manager.
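The reuse check from Steps 4 and 6, as an added example that is not part of the original article: given a list of accounts and the services reported as breached, it shows which other accounts share the leaked password and the order in which to change them. The vault entries, service names and passwords are constructed, and the "high-value" set is an assumption mirroring the email and banking accounts mentioned above.

```python
import hashlib
from collections import defaultdict


def reuse_exposure(vault, breached_services):
    """Map each breached service to the other accounts sharing its password."""
    groups = defaultdict(list)
    for entry in vault:
        # Group by digest so plaintext passwords are never used as keys or printed.
        digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
        groups[digest].append(entry["service"])
    exposure = {}
    for services in groups.values():
        for leaked in services:
            if leaked in breached_services:
                exposure[leaked] = sorted(s for s in services if s != leaked)
    return exposure


def rotation_order(vault, breached_services, high_value):
    """Accounts whose password must change, high-value accounts first."""
    exposure = reuse_exposure(vault, breached_services)
    at_risk = set(exposure)
    for shared in exposure.values():
        at_risk.update(shared)
    return sorted(at_risk, key=lambda s: (s not in high_value, s))


# Constructed sample data (not real accounts or passwords).
SAMPLE_VAULT = [
    {"service": "forum.example", "password": "sunshine2019"},
    {"service": "mail.example", "password": "sunshine2019"},
    {"service": "shop.example", "password": "sunshine2019"},
    {"service": "bank.example", "password": "Vq7#unique-long-random"},
    {"service": "news.example", "password": "letmein!"},
]
SAMPLE_BREACHED = {"forum.example", "news.example"}
SAMPLE_HIGH_VALUE = {"mail.example", "bank.example"}

if __name__ == "__main__":
    print(reuse_exposure(SAMPLE_VAULT, SAMPLE_BREACHED))
    print(rotation_order(SAMPLE_VAULT, SAMPLE_BREACHED, SAMPLE_HIGH_VALUE))
```

The email account never appeared in a breach here, yet it comes first in the rotation order because it shares a password with the breached forum account.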
Quick Wins vs. Long-Term Improvements
Do right now (quick wins)
- Revoke third-party app access to your Google, Apple, and Microsoft accounts
- Remove unused browser extensions
- Set location history auto-delete to 3 months on Google
- Change location permissions from "Always" to "While using" on mobile apps
- Check your email addresses on haveibeenpwned.com
This week
- Enable two-factor authentication on your email, bank, and social accounts
- Start using a password manager and replace your 5 most reused passwords
- Opt out of data brokers for your name and home address
Ongoing
- Review app permissions quarterly
- Check haveibeenpwned.com when major breaches are reported
- Re-run data broker opt-outs every 6 months
The Bottom Line
Privacy is not binary — you don't have to choose between zero privacy and perfect privacy. Every step you take meaningfully reduces your exposure. A 30-minute audit done today is worth more than a perfect plan you'll start next month. Work through the steps above, tackle the quick wins immediately, and build the longer-term habits over the following weeks.