The 2026 privacy stack for normal humans is four pieces. None of them require expert config and all of them are free or cheap. Twenty minutes of setup, real privacy gain that survives normal browsing.
Layer 1: A hardened browser
Install Mullvad Browser. It’s a Tor Browser fork without the Tor network, same fingerprint resistance, same anti-tracking defaults, but you connect over your normal internet. Free. Available for Windows, macOS, and Linux.
Why this beats Chrome with privacy extensions: every Mullvad Browser user shares the same browser fingerprint by design. Anti-fraud systems, ad-tech trackers, and data brokers can’t tell you apart from any other Mullvad user. Chrome plus extensions still leaves a unique fingerprint your extensions can’t hide.
Use Mullvad Browser for general browsing, news reading, and anything where you don’t want to be logged in. Keep Chrome or Safari for the handful of accounts that genuinely need persistent sessions (banking, work email, shopping you trust).
Layer 2: Global Privacy Control
Global Privacy Control is a browser-level signal that tells every site you visit “do not sell or share my data.” California, Colorado, and Connecticut now legally require sites to honour it; most other states’ privacy laws strongly recommend honouring it.
Mullvad Browser, Brave, Firefox, and DuckDuckGo all turn it on by default. Chrome doesn’t and probably won’t. If you’re sticking with Chrome, install the OptMeowt extension to send the GPC header.
Verify it’s working: visit globalprivacycontrol.org, the page tells you whether your browser is sending the signal.
Layer 3: Ad and tracker blocking
If your browser is Chrome (still allowed) or Firefox, install uBlock Origin. The single most effective privacy and security extension. Default settings catch most ads, trackers, and malware-distribution domains. Free. Open source.
If you’re on Safari, install 1Blocker or AdGuard. Both work natively with Safari’s content-blocking framework, both ~$20-$30 one-time.
Mullvad Browser ships with built-in blocking, no extension needed.
Layer 4: Email aliasing
Stop giving your real email to every signup. Use email aliasing, every service gets a unique forwarding address. Three good options:
SimpleLogin, free for 15 aliases, $30/year for unlimited. Owned by Proton.
addy.io (formerly AnonAddy), free for 20 aliases, $1/month for unlimited.
Apple’s Hide My Email, included with iCloud+ ($1/month). Cleanest UX if you’re in the Apple ecosystem.
The use pattern: when a site asks for your email, generate a fresh alias named after the site (e.g., [email protected]). The alias forwards to your real inbox. If that alias starts getting spam, you know exactly who sold it. You can disable any alias instantly without losing access to other services.
Optional layer 5: VPN, but only sometimes
VPNs are oversold for privacy. They hide your IP from sites you visit and from your ISP, but they tell the VPN provider everything instead. The tradeoff is worth it on hostile networks (hotels, coffee shops, sketchy hotspots) and for high-risk research, but a VPN is not a privacy panacea.
If you want one, the well-audited options in 2026: Mullvad VPN (€5/month, no account email required, accepts cash mail), Proton VPN (free tier with limits, paid from $5/month), IVPN (similar pricing, audited).
Avoid the heavily-marketed names, they’re well-marketed precisely because they have margin to spend on ads, which means more revenue per user, which means more aggressive logging or upsells.
The setup checklist
- Install Mullvad Browser (or enable GPC and uBlock Origin in your existing browser)
- Verify GPC is sending: globalprivacycontrol.org
- Sign up for SimpleLogin or use Apple Hide My Email
- Generate one alias per signup going forward
- For sensitive accounts you’ve already created with your real email, change them to an alias one at a time
Done in an afternoon. You won’t be invisible, that’s a different post, but you’ve cut the ad-tech tracking surface, your email is harder to harvest, and you’ve given yourself a shutoff valve for every service that turns hostile.