Privacy advice on the internet skews toward the maximalist. Use Tails, run your own email server, never own a smartphone. Most people will not do any of this, and the perfect-as-the-enemy-of-good-enough effect leaves them with nothing. Here’s the opposite: a six-step monthly audit that takes thirty minutes and meaningfully reduces your exposure. Schedule it on the first of every month. Coffee in hand, calendar reminder set.
1. Have I Been Pwned check (3 minutes)
Type each of your active email addresses into haveibeenpwned.com. Note any new breaches since last month. For any account associated with the breached email, change the password and enable two-factor authentication if it isn’t already. Pay close attention to high-value accounts (banking, primary email, password manager).
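The email lookup described above goes through the site (the matching HIBP API endpoint needs an API key), but the same service exposes a keyless Pwned Passwords range endpoint that is worth understanding when you rotate the passwords on breached accounts. The following script is an added example, not code from the original post or from Have I Been Pwned: it shows the k-anonymity scheme the endpoint uses, sending only the first five hex characters of the password's SHA-1 so the full hash never leaves your machine. The live endpoint URL and `Add-Padding` header are the real ones; the sample range body and its counts are constructed for the offline run, and the `fetch` parameter is a hypothetical injection point so the check can be exercised without a network.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint: only the first 5 hex chars of the
# SHA-1 are sent; the remaining 35 stay local and are compared client-side.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return the count for our suffix.

    Padded responses carry extra lines with count 0 so the reply size leaks
    nothing; a suffix that is absent (or listed with 0) means 'not seen'.
    """
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a hash prefix from the live API (network call)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "monthly-privacy-audit"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 = not seen).

    `fetch` is a hypothetical injection point for this example; the default hits
    the real endpoint, the test passes a canned response instead.
    """
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The counts are illustrative, not live API data; the last line mimics padding.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
0123456789ABCDEF0123456789ABCDEF012:0
"""

if __name__ == "__main__":
    n = check_password("password", fetch=lambda prefix: SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {n} times in the sample range")
```

Run it as-is for the offline demonstration, or call `check_password("candidate")` with the default fetcher to query the live endpoint; a non-zero result is a reason to pick a different password before re-enabling the account.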
2. Mobile advertising ID reset (30 seconds)
iPhone: Settings → Privacy & Security → Tracking → toggle “Allow Apps to Request to Track” off (if you haven’t already), then Reset Advertising Identifier. Android: Settings → Privacy → Ads → Delete advertising ID. Doing this monthly fragments the cross-app behavioural fingerprint that data brokers use to track you.
3. Active sessions sweep (5 minutes)
Open the security pages of your big-three accounts: Google, Apple, Microsoft. Each one shows a list of devices currently signed in. Sign out anything you don’t recognise or haven’t used in three months. Repeat for your password manager and primary email if those are different. Most users find at least one stale session per audit.
4. App permission triage (8 minutes)
On your phone, walk through Settings → Privacy → Location, then Microphone, then Camera, then Contacts. Anything granted “Always” gets downgraded to “While Using” or revoked. Most apps don’t need any of these. Pay particular attention to flashlight apps, weather apps, and anything that came pre-installed.
Bonus pass: in Settings → Privacy → Advertising or Settings → Tracking, deny tracking permissions to any app that asked.
5. Browser extension review (5 minutes)
Open chrome://extensions or about:addons. For each extension: do I still use it, does it match the publisher I expect, and is the permission scope appropriate? Remove anything that fails. Set the survivors to “On click” or “On specific sites” instead of “On all sites” wherever possible.
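The three questions above (still used, expected publisher, appropriate scope) are easier to answer with the permission scope laid out in one place. This script is an added example, not code from the original post or from any browser vendor: it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` files and summarises each manifest's host access and sensitive API permissions so you can compare them against what the extension is for. The "broad host" and "sensitive API" lists are choices made for this example, not an official classification, and the default profile path is the Linux Chrome one.

```python
import json
import os

# Patterns that amount to access to every site, and APIs that reach browsing
# data or the host. Both lists are example choices, not a vendor classification.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
SENSITIVE_API = {"tabs", "webRequest", "webRequestBlocking", "cookies", "history",
                 "clipboardRead", "nativeMessaging", "debugger", "proxy",
                 "webNavigation"}


def classify_manifest(manifest: dict) -> dict:
    """Summarise one extension manifest (MV2 or MV3) for review."""
    perms = set(manifest.get("permissions", []))
    # MV3 declares host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content-script match patterns are effectively host access too.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "broad_host_access": bool(hosts & BROAD_HOSTS),
        "sensitive_apis": sorted(perms & SENSITIVE_API),
        "hosts": sorted(hosts),
    }


def audit_extensions(root: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and classify each."""
    findings = []
    ext_ids = sorted(os.listdir(root)) if os.path.isdir(root) else []
    for ext_id in ext_ids:
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                info = classify_manifest(json.load(fh))
            info["id"] = ext_id
            findings.append(info)
    return findings


if __name__ == "__main__":
    import sys
    # Default is the Linux Chrome profile; pass another Extensions directory as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser(
        "~/.config/google-chrome/Default/Extensions")
    for f in audit_extensions(root):
        flag = "REVIEW" if f["broad_host_access"] or f["sensitive_apis"] else "ok"
        print(f"[{flag}] {f['id']} {f['name']} v{f['version']} "
              f"hosts={f['hosts']} apis={f['sensitive_apis']}")
```

A name such as `__MSG_appName__` is a localisation placeholder, not a bug; look the extension up by its directory id on chrome://extensions to see the display name. An extension flagged REVIEW is not necessarily bad, but it is the one to move to “On click” or “On specific sites” if you keep it.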
6. Data broker check-in (5 minutes)
If you use a removal service (DeleteMe, Privacy Bee, Optery), open its dashboard and check that this month’s removals went through. If you don’t, manually search your name on Spokeo, BeenVerified, and Whitepages. Submit a removal request via each one’s portal; it takes about ninety seconds per site once you’ve done it once.
Quarterly add-ons (every third month)
Once a quarter, add three more checks. Credit freeze status at all three bureaus (Equifax, Experian, TransUnion): confirmed frozen, no surprises. SIM-swap protection with your mobile carrier: port-out PIN still set, recovery options reviewed. Recovery options on your primary email: the recovery phone and email are still ones you control, and they aren’t tied to a defunct account.
Why this works
Privacy degrades through accumulation. One forgotten app, one breach, one stale session, one extension. Doing thirty minutes of small corrections every month is more effective than spending a Saturday on it twice a year, because the small accumulations have less time to compound. The audit is also self-reinforcing: each pass surfaces the next one’s improvements.
Set the calendar reminder. Block thirty minutes. The first audit feels like work; by the third one it’s automatic.
