Start with what's already in your browser
Most people can meaningfully reduce tracking without installing anything. Modern browsers include privacy controls that are simply turned off by default.
In Chrome: go to Settings → Privacy and security → Cookies and other site data. Switch to "Block third-party cookies." This stops a significant portion of cross-site tracking. You should also turn on "Do Not Track" under the same menu — not because it's a legal requirement that companies honor, but because some do. Under "Security," switch to Enhanced protection.
Firefox has stronger defaults and you can push further. In Settings → Privacy & Security, choose "Strict" mode, which blocks more trackers and fingerprinters than the standard setting. Mozilla publishes what each setting actually blocks, which is more transparency than most browsers offer.
Safari's Intelligent Tracking Prevention runs automatically since 2017 and works well. If you're on Apple's ecosystem and not doing anything special, Safari on iPhone or Mac with default settings is already doing meaningful privacy work.
Check which apps have which permissions
Most people grant app permissions once, during installation, and never revisit them. It's worth spending twenty minutes going through your phone's privacy settings and reviewing what you've allowed.
On iPhone: Settings → Privacy & Security. Work through the list — location, contacts, microphone, camera, photos. For each, ask: does this app actually need this permission to function? A flashlight app doesn't need your location. A to-do list doesn't need your contacts. Revoke anything that isn't genuinely needed.
Pay particular attention to location. Apps with "always on" location access can track your movements continuously. "While using the app" is almost always sufficient. Very few apps need background location access, and most that request it don't strictly need it.
On Android: Settings → Apps, then select individual apps and look at their permissions. The path varies by manufacturer, but it's always under app settings somewhere.
Your email account and what it's actually worth
Free email accounts are products. Gmail indexes your emails to personalize advertising. Yahoo has had repeated large-scale breaches. Hotmail and Outlook are Microsoft services operating under terms that allow them to scan content for compliance and safety purposes.
If you want email that isn't read by your provider, Proton Mail is the most accessible option with a genuinely free tier. It's end-to-end encrypted for emails between Proton Mail users and uses zero-knowledge architecture, meaning Proton can't read your emails even if asked to. Tutanota (now called Tuta) is a German alternative with similar properties.
Switching email providers is genuinely inconvenient and most people won't do it completely. A realistic approach is to use a privacy-respecting provider for sensitive communications — financial, medical, legal — while keeping a Gmail address for newsletters, app signups, and things you care less about.
Passwords, briefly
This is covered in more depth in our password security guide, but the short version: unique passwords for each account and a password manager to keep track of them. Reusing passwords is the single fastest way to have a breach at one site turn into a breach everywhere.
What a VPN actually does (and doesn't do)
VPNs are heavily marketed for privacy, and the marketing often overstates what they do. A VPN encrypts your traffic between your device and the VPN server, and it masks your IP address from the sites you visit. It does not make you anonymous — it shifts trust from your ISP to the VPN provider.
If your threat is your internet service provider selling your browsing history (legal in some jurisdictions), a VPN addresses that. If your concern is being tracked by websites, a VPN doesn't help much — sites can still fingerprint your browser, track you via cookies, and identify you through login sessions regardless of your IP address.
For most people, the practical use cases for a VPN are: public Wi-Fi security (prevents the coffee shop from reading your unencrypted traffic), accessing region-locked content, and hiding your IP from sites you'd rather not associate with your real location. These are real uses. "Comprehensive privacy protection" is not really accurate marketing.
If you do use a VPN, choose one with a verified no-logs policy and an independent audit — Mullvad and ProtonVPN are the most credible current options for privacy-focused use. Free VPNs are often worse for privacy than not using one, because they need to monetize somehow.
Search engines beyond Google
Google associates your searches with your account and uses them to build an advertising profile. DuckDuckGo doesn't track searches and doesn't build user profiles. Brave Search uses its own independent index. Startpage shows Google results but acts as a proxy so Google doesn't see your IP or associate the search with you.
The search quality comparison has narrowed considerably in recent years. DuckDuckGo and Brave Search handle most everyday queries well. For highly specific or technical searches, some people find Google still gives better results, but it's worth trying an alternative as your default for a week before judging. You can always switch back.
The trade-off you're actually making
Privacy-protective choices involve trade-offs. A search engine that doesn't track you may give slightly less personalized results. An email provider that doesn't read your email offers a less integrated experience than Gmail. Stricter browser settings occasionally break sites that rely on third-party tracking to function (this is less common than it used to be, but it does happen).
The right approach is proportionate to your actual concerns. If you're a journalist covering sensitive topics or a person in a high-surveillance environment, you need stronger protections and some disruption is worth it. If you're a regular person who would simply prefer not to have their every click monetized, the steps in this article accomplish real improvement without dramatically changing how you use the internet.
Do the things that are easy first. Better browser settings cost nothing and take ten minutes. Reviewing app permissions takes twenty. These alone address the most common sources of unnecessary data collection without requiring any commitment to a new tool or service.