Protecting your online privacy isn't a single action — it's a collection of habits, settings, and tools that work together. This checklist covers 25 practical steps organized into five categories. Work through them at your own pace. Each step includes a brief explanation and, where relevant, links to ipdrop.io tools you can use to verify your progress. You don't need to complete every item to make a difference — even a few changes significantly reduce your exposure.
Browser Privacy
Your browser is the primary gateway between you and the internet. These five steps reduce the amount of data your browser leaks to websites and trackers.
- Use a privacy-focused browser — Switch to Firefox, Brave, or Tor Browser. These browsers block trackers by default, limit fingerprinting, and don't send your browsing data to advertising companies. Chrome is the most popular browser but is built by the world's largest advertising company.
- Enable tracking protection — Turn on your browser's built-in tracking protection to its strictest setting. In Firefox, go to Settings > Privacy & Security and select Strict. In Brave, shields are enabled by default.
- Clear cookies and site data regularly — Cookies track your sessions and browsing history across websites. Set your browser to clear cookies on exit, or use an extension like Cookie AutoDelete.
- Disable WebRTC to prevent IP leaks — WebRTC is a browser feature that can expose your real IP address even when using a VPN. In Firefox, set media.peerconnection.enabled to false in about:config. In Brave, disable it in Settings. Use our WebRTC Leak Test to verify.
- Check your browser fingerprint — Even without cookies, websites can identify you through browser fingerprinting. Use our Fingerprint tool to see how unique your browser is and which attributes are most identifying.
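The WebRTC leak check in the list above comes down to inspecting the ICE candidates a browser offers to a page. As an added example (not ipdrop.io's code), this JavaScript parses candidate lines and flags any public address that is not the VPN's exit IP. The sample candidates, the exit address, and the function names are constructed for illustration.

```javascript
// Added example: classify WebRTC ICE candidate lines by the address they reveal.
// In a browser these strings arrive as event.candidate.candidate on an
// RTCPeerConnection "icecandidate" event; the samples below are constructed.

function addressScope(addr) {
  if (addr.endsWith('.local')) return 'mdns';        // obfuscated hostname, no IP shown
  if (addr.includes(':')) {                          // IPv6
    const a = addr.toLowerCase();
    // loopback, link-local (fe80::/10) and unique-local (fc00::/7) stay on-site
    if (a === '::1' || /^fe[89ab]/.test(a) || /^f[cd]/.test(a)) return 'private';
    return 'public';
  }
  const [a, b] = addr.split('.').map(Number);        // IPv4
  if (a === 10 || a === 127 || (a === 192 && b === 168) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254)) return 'private';
  return 'public';
}

// Candidate grammar: candidate:<foundation> <component> <transport> <priority>
//                    <address> <port> typ <type> [extensions...]
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]),
           type: f[7], scope: addressScope(f[4]) };
}

// A "leak" here is a public address other than the VPN exit IP (an assumption
// of this example: the caller knows which exit IP the VPN should present).
function auditCandidates(lines, vpnExitIp) {
  const report = { leaked: [], local: [], hidden: 0, skipped: 0 };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.skipped++; continue; }
    if (c.scope === 'mdns') report.hidden++;
    else if (c.scope === 'private') report.local.push(c.address);
    else if (c.address !== vpnExitIp) report.leaked.push(c.address);
  }
  report.leaked = [...new Set(report.leaked)];
  return report;
}

const SAMPLE = [                                     // constructed input
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 3f1c9a52-7d0e-4b6a-9c11-2e8f5a7b6d40.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1686052607 198.51.100.7 54330 typ srflx raddr 0.0.0.0 rport 0',
  'not a candidate line',
];
const VPN_EXIT = '198.51.100.7';                     // constructed VPN exit address
console.log(auditCandidates(SAMPLE, VPN_EXIT));
```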
Network Security
Your network connection determines who can see your traffic and where your data travels. These steps ensure your connection is encrypted and leak-free.
- Use a VPN — A VPN encrypts all your internet traffic and masks your real IP address. Choose a provider with a verified no-logs policy, strong encryption (WireGuard or OpenVPN), and a kill switch. Keep it connected at all times, especially on untrusted networks.
- Check for DNS leaks — Even with a VPN, your DNS queries might still route through your ISP's servers, revealing every website you visit. Run a DNS leak test after connecting to your VPN to make sure all queries go through the VPN tunnel.
- Use HTTPS everywhere — HTTPS encrypts the data between your browser and the website. Most modern browsers show a padlock icon for HTTPS connections. Avoid entering any sensitive information on HTTP sites. Consider using the HTTPS-Only mode in your browser settings.
- Avoid public Wi-Fi without a VPN — Public Wi-Fi networks at cafes, airports, and hotels are inherently insecure. If you must use public Wi-Fi, always connect to your VPN first. See our Public Wi-Fi guide for full details.
- Use encrypted DNS — Switch from your ISP's default DNS to an encrypted DNS provider like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) using DNS-over-HTTPS or DNS-over-TLS. This prevents your ISP from logging which websites you visit through DNS queries.
Account Security
Strong account security prevents unauthorized access to your personal data. These steps protect your accounts from breaches, phishing, and credential theft.
- Enable two-factor authentication (2FA) — Add a second layer of protection to every account that supports it. Use an authenticator app (like Ente Auth or Aegis) instead of SMS. See our 2FA guide for setup details.
- Use a password manager — A password manager generates and stores strong, unique passwords for every account. You only need to remember one master password. Proton Pass, Bitwarden, and 1Password are solid choices.
- Use unique passwords for every account — If one service gets breached and you used the same password elsewhere, attackers can access all your accounts. This is called credential stuffing. A password manager makes unique passwords effortless.
- Check if your data has been breached — Visit haveibeenpwned.com to check if your email or phone number has appeared in known data breaches. If it has, change the affected passwords immediately and enable 2FA on those accounts.
- Review third-party app permissions — Audit the apps and services connected to your Google, Apple, Facebook, and other accounts. Remove any you no longer use. Each connected app is a potential entry point for your data to be accessed or leaked.
Communication Privacy
Your messages, emails, and files contain some of your most sensitive data. These steps ensure your communications stay private.
- Use encrypted email — Standard email (Gmail, Outlook) is not end-to-end encrypted — the provider can read your messages. Switch to Proton Mail or Tuta. See our Encrypted Email guide for the full picture.
- Use encrypted messaging apps — Use Signal for private messaging. It offers end-to-end encryption for texts, calls, and media with open-source code that has been independently audited. Avoid SMS and regular phone calls for sensitive conversations.
- Use encrypted file storage — Store sensitive files in an encrypted cloud service like Proton Drive or Tresorit. Standard cloud storage providers (Google Drive, Dropbox) can access your files. See our Encrypted Storage guide.
- Avoid SMS for two-factor authentication — SMS messages can be intercepted through SIM swapping attacks, where an attacker convinces your carrier to transfer your number. Use an authenticator app or hardware security key instead of SMS for 2FA.
- Review app permissions on your phone — Check which apps have access to your camera, microphone, location, contacts, and photos. Revoke permissions for any app that doesn't need them. On iOS, go to Settings > Privacy & Security. On Android, go to Settings > Privacy.
Data Minimization
The less data you generate and share, the less can be collected, sold, or breached. These steps reduce your digital footprint.
- Limit social media sharing — Every post, photo, and check-in adds to your digital profile. Avoid sharing your real-time location, travel plans, full birthdate, or information that could be used to answer security questions. Review your existing posts and delete anything overly personal.
- Opt out of data tracking and ad personalization — Visit your Google, Facebook, and Apple account settings to disable ad personalization and activity tracking. On Google, go to myactivity.google.com to pause Web & App Activity, Location History, and YouTube History.
- Use alias email addresses — Use email aliases or disposable addresses for online signups, newsletters, and services you don't fully trust. Proton Mail, SimpleLogin, and Firefox Relay let you create aliases that forward to your real inbox without exposing it.
- Review privacy settings on all services — Go through the privacy settings of every major service you use — social media, email, search engines, cloud storage, and shopping sites. Set everything to the most restrictive option. Most services default to maximum data collection.
- Delete unused accounts — Every account you have is a potential data breach waiting to happen. Delete accounts you no longer use. Sites like justdelete.me provide direct links to account deletion pages for hundreds of services.
TL;DR — Quick Summary
- ✓ Use a VPN at all times to encrypt your traffic and hide your IP address from websites, ISPs, and network operators.
- ✓ Switch to a privacy-focused browser (Firefox or Brave) and disable WebRTC to prevent IP leaks.
- ✓ Enable 2FA on every account and use a password manager to generate unique passwords.
- ✓ Use encrypted email (Proton Mail), encrypted messaging (Signal), and encrypted file storage (Proton Drive) for sensitive data.
- ✓ Minimize your digital footprint: limit social media sharing, use email aliases, opt out of ad tracking, and delete unused accounts.
Ready to verify your setup? Run our free IP Lookup, DNS Leak Test, WebRTC Leak Test, and Fingerprint tools to check your privacy posture.