Last updated June 2021
These Tips from Privacy Experts Are Easy and Effective
Device manufacturers, websites, and software companies relentlessly scoop up information about you. They track web pages you visit and what you clicked; they follow your movements from site to site; they use GPS signals to record where you travel; they listen in to your conversations using your devices’ microphones. Even brick-and-mortar retailers use Bluetooth and Wi-Fi beacons to signal when you pass near or enter their stores, and then track your movements throughout their spaces.
Your recorded online life is compiled and sold or traded by thousands of companies, usually with the help of data brokers that are largely unregulated and not required to tell you what they’ve collected or shared.
Privacy advocates call this industry “commercial surveillance”—your private life is now a product for sale as part of a $227 billion-a-year industry.
The companies that perform or enable all this snooping—Amazon, Apple, Facebook, Google, and Microsoft—are so prevalent and dominant in hardware and software that they’re de facto monopolies. You can’t divorce yourself from them without going off the digital grid.
In 2019, Kashmir Hill, a columnist for Gizmodo.com and The New York Times, experimented to see how hard it would be to remove these tech giants from her life. She quickly found it was impossible. Amazon and Google were the most difficult to avoid: Amazon dominates cloud services, which meant several websites she needed went dark to her; Google Maps is so dominant that she couldn’t use apps like Lyft or Uber. Hill “came to think of Amazon and Google as the providers of the very infrastructure of the internet, so embedded in the architecture of the digital world that even their competitors had to rely on their services.” In the end, she went back to using the companies’ services again, because she “didn’t have any other choice.”
Much of this creepy snooping is done to serve you up to companies as a likely target for their advertising. That might seem innocuous. “However, when advertising leaves the realm of marketing and enters the world of decision-making, that’s a problem,” said Pam Dixon, executive director of the World Privacy Forum.
“Often, data is collected for advertising, but once it goes into the ecosystem, there are few restrictions on it,” said Michelle Richardson, former director of the privacy and data project at the Center for Democracy & Technology.
Many companies use these data to determine how much they can charge you for their products and services—or whether to let you buy from them at all. Internet users’ personal data has also been used to help crooks find victims. But the biggest problem with this digital surveillance that digs into every nook and cranny of our lives? We have little say over what is done with this info, which was largely obtained without our knowledge or consent. And so far, unlike banks and other financial institutions, the companies that grab, share, and use our data usually aren’t required to disclose what they do with it. All that info about your life is up for sale, but you can’t have it.
Virginians will get some help controlling their data from the state’s Consumer Data Protection Act, passed in March 2021 and effective in 2023. However, many privacy advocates say the law’s protections are extremely weak and won’t do as much as a pioneering law passed in California (see "Your [Hopefully] Growing Privacy Rights," below). The Maryland legislature considered but failed to pass its Online Consumer Protection Act. There’s no similar legislation in the works in D.C.
While these types of new laws are good starts to offering consumers protections and authority over their private data, there’s plenty of room for improvement, and it will likely take years before all U.S. consumers get the full rights needed.
You can’t completely stop all this surveillance and sharing, but you can drastically reduce it. We share easy and effective steps recommended by privacy experts we interviewed.
But “ultimately, we’re talking about sticking fingers in the holes of a dike, and we have more holes than fingers because businesses lack strong regulatory guiderails for privacy,” said Emory Roane, policy counsel for the Privacy Rights Clearinghouse, a nonprofit advocacy group.
Switch Up Search
Google offers a lot of useful, often free services—Google Search, Gmail, Google Shopping, Google Maps, Chrome browser, Android cell phone operating system, Chromebooks, Google Nest home monitoring, Google Drive storage, and more. But almost all its products and services are designed to attract consumers so it can mine data from their activity. Google’s real business is as the world’s largest advertising company—ads make up more than 80 percent of its revenue, according to the company’s latest annual report. It’s also the internet’s leading tracker, collecting data from more than 80 percent of all web traffic.
You can start to disentangle yourself from Google’s information vortex by using a different search service.
“DuckDuckGo is an excellent alternative search engine, which, unlike Google, was built from the ground up to protect and respect your privacy,” said Roane. DuckDuckGo also doesn’t collect or share your information, doesn’t track your searches, and blocks Google’s and other companies’ trackers hidden on the websites you visit. It also by default sends websites your Global Privacy Control (GPC) signal, which tells them you don’t want them to share or sell your data. Although websites are not yet legally required to honor these instructions, many are now doing so to comply in advance with California’s new privacy law that takes effect in 2023.
This search engine can be added as a desktop computer browser extension to Firefox, Microsoft Edge, Safari, Internet Explorer, Opera, Chrome, and 21 lesser-known browsers. It can also be downloaded as a standalone mobile browser app and search engine for Androids and iPhones.
Google also uses its Chrome browser—used by 48 percent of U.S. consumers—to spy on users.
Alastair Mactaggart, founder of Californians for Consumer Privacy and initiator of the nation’s first and most comprehensive state privacy laws, said consumers should switch to Mozilla’s Firefox browser.
Firefox blocks third-party cookies and trackers, hard-to-detect-and-remove super-cookies, many ads, and “fingerprinting,” which uniquely identifies your computer—and you—to link you to all that data, even if cookies are blocked. Firefox also collects little personal data and doesn’t sell what it does capture.
Mactaggart and other experts we spoke with also recommended the Brave browser. Unlike Firefox, Brave sends websites you visit your GPC signal.
Get Rid of Gmail
Because your most intimate information often gets passed through emails, keep it out of Google Mail’s hands.
Experts recommended Proton, which has end-to-end encryption, requires no personal information to create an account, and keeps no IP activity logs. Its free Basic accounts provide strong privacy features; for $48 a year you can buy a Plus account that offers extra features, including 5GB of storage.
“Don’t necessarily pull the plug on Gmail and delete everything right away,” said Sven Taylor, a privacy advocate and founder of Restore Privacy, an ad-free website that reviews and tests privacy and security products and services. “Take baby steps and slowly move away from services that don’t respect your privacy toward services that do a better job.”
In Gmail settings, auto-forward all incoming messages to your new email address and opt to “delete Gmail’s copy”—doing so will mean you won’t need to check your Gmail inbox anymore. Then set aside time to review and trash saved emails you no longer need and forward to your new, separate inbox those worth keeping. As you log in to various online accounts, update your profiles with your new email address. When you’re done, don’t delete your inactive Google and Gmail accounts—you may need something in the future.
For more alternatives to Google’s other numerous products, visit restoreprivacy.com/google-alternatives.
Use an iPhone
Because Americans are now more likely to access the internet via cell phones instead of other types of devices, there’s another big door to barricade.
Mactaggart’s advice: “Use Apple devices, if you can, because they don’t make their money from selling your information.”
Roane and Dixon also praised the valuable privacy features on Apple devices and its latest iOS 14 operating system.
One of the most important is an anti-tracking option in “Privacy” settings that denies apps’ permission to collect your advertising identifier and track you across other apps and websites that they don’t own—unless you first opt in and give apps your OK. That confounds their ability to send you targeted ads, measure what you do in response to the ads, or sell or share your information with data brokers. Apple requires app developers to honor these denials and ask you to opt in.
On an iPhone, click “Settings” and then “Privacy” and then “Tracking.” Toggle off the “Allow Apps to Request to Track.” That tells Apple you don’t want any apps to track you. As of spring 2021, even if you leave your tracking toggled to “On,” apps that want to track you across other apps and websites they don’t own will ask your permission in a pop-up screen when you open the app.
Phones that use Google’s Android operating system don’t offer any of this, but when we posted this article Google was reportedly in the early stages of considering an alternative that is “less stringent than Apple’s solution,” according to a Bloomberg report published in February 2021. Google did not respond to our requests for comment, but in a blog post to its business partners the company said “app publishers may see a significant impact to their Google ad revenue on iOS.”
No matter what type of phone you use, ratchet up your privacy settings. Don’t let apps “always” have access to your location information—set that for “just one time,” “while using the app,” “ask next time,” or “never.” Apps also may request access to your contacts, microphone, camera, and calendar; if you see no reason for that access to get the services you want, deny it.
Quit or Limit Facebook
“There has never been a better time to delete Facebook,” said Roane.
Like Google, Facebook is mostly an advertising company—it derives 98 percent of its revenue from that. And it’s second only to Google in tracking you, collecting data from about one-fourth of all measured web traffic.
Many companies install Facebook’s business tools on their websites and apps to track visitor actions, including searches and purchases. It’s why if you browse for running shoes online your Facebook newsfeed will soon be overrun with ads for similar kicks.
“If you love Facebook, at least take the time to check its privacy, ad, and profile settings to give yourself the maximum protection possible,” said Richardson.
Facebook lets you halt this type of sharing—but it makes these settings hard to find. Look for a “Settings & Privacy” section and then “Privacy Checkup.” From there, look for a link that lets you check on other settings. You’re hunting for the site’s “Off-Facebook Activity” page. When you find it—congratulations!—you can see which businesses have shared your information with Facebook and what they’ve shared, delete that information, and manage what gets shared in the future. Back on your settings page, also click the “Privacy,” “Location,” and “Ads” links to manage those options.
Our editor recently checked his off-Facebook activity and was stunned to find 668 apps and websites listed there—including a complete picture of where he banks, invests, shops, travels, and seeks healthcare. We advise you to clear all past activity and then click to opt out of Facebook’s collection of future activity.
Click here for more advice from Checkbook on giving your Facebook account a privacy checkup.
Keep in mind that Facebook also owns Instagram and Whats-App—and tracks you to deliver targeted ads in those apps, too.
Use a VPN
The changes we’ve outlined so far will help thwart Google, Facebook, and most of their partners from getting your data, but your home and mobile internet service providers (ISPs) can still see almost everything you do online—even if you’re browsing in private or incognito mode.
A virtual private network (VPN) can limit what your ISP sees by creating a private connection from your computer to the VPN. Your ISP can see only that you connected to the VPN, when, for how long, and the amount of data traveling between you and the VPN; but it won’t be able to read the information itself sent to and through the VPN because it’s encrypted. The VPN’s servers then connect to the websites you want to visit, so the ISP can’t trace those to you, either.
Sign up for a VPN that doesn’t log your activity—that way, it won’t just turn around and store or sell your data. There are many to choose from, but we like Mozilla VPN—the company has a strong privacy culture and its VPN service costs just $4.99 a month for up to five devices.
Make a Habit to Opt Out
Your shared and sold private data isn’t obtained just from your devices, software, and ISP; your bank and other financial institutions, insurance companies, and even schools also participate.
“All sorts of data are sold about students,” said Dixon, including the student’s name, school, address, telephone number, major, weight and height of athletes, and more.
Whenever you are given a chance to reject collection of your personal information, do it. Request that the company erase your file and then opt out of further collection. By opting out, you’ll reduce companies’ access to your data and limit how they can share it.
Dixon recommended using the World Privacy Forum’s “Top 10 Opt Outs” list, which provides detailed instructions on how to stop the bulk of this sharing.
The Network Advertising Initiative also offers an easy portal to help you opt out of data-driven advertising and delete cookies. These instructions are used only by NAI’s members, which include Google, Microsoft, and many other major players.
Adopt Safe Computing Habits
In this article we focus on ways to reduce legal collection and sharing of your data, but there’s much more to do to protect your devices, credit history, and finances from criminals, including using smart passwords and multifactor authentication, freezing your credit reports, monitoring your credit files, and being diligent about avoiding phishing attacks and other scams.
Your (Hopefully) Growing Privacy Rights
Lawmakers are finally beginning to enact privacy protections. But consumer advocates say the legislation that has been passed or is currently being considered doesn’t go far enough. Most contain loopholes and make consumers responsible for opting out of data collection and sharing, rather than by default making companies respect privacy.
California’s Consumer Privacy Act, which took effect in 2020, was the first comprehensive law in the U.S. It was prompted by a 2018 voter ballot initiative created by Californians for Consumer Privacy. That organization’s second ballot, Proposition 24, the California Privacy Rights Act, passed last year and strengthened privacy rights. It will take effect in 2023.
Even consumers living outside of California will benefit from its new laws. Because California is the fifth-largest economy in the world, many companies are already offering the rights required by the state to all their U.S. customers; these companies include Facebook, Google, and Microsoft, said Michelle Richardson, director of the privacy and data project at the Center for Democracy & Technology.
Key provisions of the new California laws include consumers’ right to request disclosure of the data collected by companies doing business in the state that have revenues of at least $25 million—or that traffic information on more than 100,000 consumers, households, or devices. Consumers can request correction, deletion, and limitation of the use and disclosure of sensitive information, and can opt out of the collection, sale, and sharing of their data.
Websites are also required to honor California residents’ “Do Not Sell My Personal Information” requests, and the state’s attorney general has indicated that a Global Privacy Control signal sent by your browser is a legally valid request. Companies also may not punish consumers who exercise these rights by, for example, shutting them out of using their websites, charging different prices, or providing different levels or quality of service.
Many consumer advocates want even stronger privacy protections. “We’re not thrilled by the new California law,” said Susan Grant, director of consumer protection and privacy at the Consumer Federation of America. “There are some good things about it, but it doesn’t go far enough.”
For example, it puts the burden on consumers to opt out of allowing their data to be sold or shared. By contrast, the Massachusetts Information Privacy Act, currently under consideration there, requires that consumers opt in before companies can collect and process their data.
Other advocates see the California law as an important step forward. It’s “a good sign,” said Richardson. “It’s the first time there has been a ballot initiative on privacy, and it’s very exciting to see it was so popular.” Richardson, however, also didn’t like the opt-out (rather than opt-in) procedures and believed the law could be made stronger.
As is often the case for consumer and privacy laws, once California pioneers new protections, other states follow. Virginia passed its own law in March 2021 and, as of this writing, 12 other states were actively considering protections similar to California’s, including Illinois, Massachusetts, Minnesota, and New Jersey. The rights and details vary by state.
Key provisions of Virginia’s new Consumer Data Protection Act include your right to request a copy of the data collected by companies doing business in the state that traffic information on more than 100,000 consumers, or that get more than 50 percent of revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill also grants consumers the right to correct or delete their data, and opt out of the businesses’ processing and sale of the data for targeted advertising.
“Sadly, the Virginia law is exceptionally weak. I would hesitate to characterize it as a comprehensive privacy law, as it does not reach baseline protections according to modern standards,” said Pam Dixon, executive director of the World Privacy Forum. “It actually won’t do as much for the privacy of Virginians as California’s law.”
The Consumer Federation of America, meanwhile, said the law provides only the illusion of privacy. “The Consumer Data Protection Act should be called The Business Data Protection Act, because it cements in place the current system of corporate surveillance,” said Grant. “Even worse, it allows companies to discriminate against consumers who exercise the limited rights they would have.”
The act was signed into law in March and will go into effect in 2023.
The Maryland legislature this year considered but failed to pass the Maryland Online Consumer Protection Act, and D.C. has no online-privacy legislation in the works.
Consumer advocates, including Checkbook, back Sen. Sherrod Brown’s (D-Ohio) 2020 draft of federal legislation as a stronger solution. It takes a different approach by banning the collection, use, and sharing of personal data unless a law specifically allows it. Brown also seeks to prohibit the use of personal data to discriminate in housing, employment, credit, insurance, and public accommodations.
Bottom line: Privacy rights hopefully will evolve in the coming years. We’re encouraged that the issue seems to be moving in favor of consumers, especially as companies like Apple now recognize the marketing value of products that protect privacy. But it’s clear stronger laws and regulations are needed.