Top 10 Privacy Mistakes You’re Still Making in 2025
And how they’re costing you control, money, and peace of mind
In 2025 it’s nearly impossible to exist without being online.
There are countless advantages for going digital.
But every advantage comes with a trade-off.
And some of those trades? You’re giving up more than you realize—sometimes way more than you’d ever agree to.
Here’s my hot take:
It’s not the shady links.
It’s not the hacks or breaches.
It’s the quiet, repeatable stuff.
The boring little habits you think are harmless.
That’s how they get you.
You check the same inbox.
Use the same browser.
Log in with Google. Let autofill do its thing. Click “accept all.”
That’s the data trail. That’s the profile. That’s the product.
And chances are, you’re feeding the machine without even noticing.
If even one of these habits shows up in your daily life—you’re overdue for a privacy reset.
I’ll show you how to fix it. But first, let’s get brutally honest about what’s actually costing you.
This list starts with what is, in my opinion, one of the most dangerous privacy mistakes, but also one that is quite easy to fix.
1. One Email = One Point of Failure. And You’ve Given It to Everyone.
Think about how many people have your email.
Now think about how many systems, platforms, data brokers, loyalty apps, and trackers do too.
Without thinking about it, you’ve handed them your master key. Your location. Your shopping habits. Access to your accounts…
Your “digital DNA” is now tied to your inbox.
A savvy cyber criminal just bought your email address and log-in information from a data breach last week.
They could make short work of getting in and resetting all your passwords, or worse…
Draining your bank account.
What to do:
Start by creating a second, clean email address—ProtonMail is a great place to do it.
Then, for everything non-essential (shopping, subscriptions, newsletters, etc.), start using email aliases via ProtonMail or SimpleLogin.
One account = one alias.
If it leaks, you delete the alias.
If someone tries to track you, the trail goes cold.
This one shift breaks the biggest connection point in your digital life—and it’s one of the fastest, highest-leverage changes you can make.
2. Staying Logged In Like It's No Big Deal
You sign in once—and never think about it again.
Your email, Amazon, Instagram, cloud storage, even your bank… always open, always active, always “convenient.”
But here’s what most people don’t realize:
Every persistent login is a persistent vulnerability.
If someone gets physical access to your device—even for 30 seconds—they’ve got access to everything.
If your session token gets hijacked or sniffed, they’re in without needing your password.
And if you use “stay logged in” across multiple sites? You're giving ad networks and trackers a clear, continuous picture of your behavior.
This is basic session security.
The more doors you leave open, the easier it is for someone to walk in.
What to do:
Start by logging out of the stuff that matters—email, financials, cloud storage.
Yes, it takes five extra seconds. But so does locking your front door.
Don’t use “remember me” or auto-login on shared or portable devices.
If you're on mobile, enable biometric locks on your apps.
One caveat I’ve been encouraged to mention: if you are detained by the police, or perhaps by a criminal, you could be compelled to unlock your phone. In most other situations, though, this will prevent someone from swiping your phone and getting into sensitive accounts.
And if you’re using a password manager (you are, right?), make sure it locks after a short timeout and you have an extremely strong master password.
This cannot be stressed enough.
I suggest using a passphrase that is at least 15 characters long with numbers and symbols.
Convenience isn’t worth compromise. Especially if your inbox is a master key to the rest of your accounts.
3. Letting Your Browser Autofill Everything
Autofill is one of those “small convenience, big risk” features people rarely question.
It saves time. It feels harmless. But behind the scenes, it’s handing out your personal info way too freely.
Here’s what’s really going on:
When you autofill your name, email, phone number, or address into a form—even once—your browser remembers it.
And the next time a form looks similar, it’ll offer to fill it again… even if it’s on a shady site, a spoofed domain, or a malicious form designed to trick you.
Some scripts are built specifically to harvest autofill fields—even invisible ones.
You don’t see them. But your browser does.
And the moment it drops your info in, it’s gone.
It’s a quiet leak. A low-friction data drip.
And most people have no idea it’s happening.
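As an added example (not code from the post), this Node.js script audits a form’s HTML for autofill-eligible inputs that the user cannot see, which is the harvesting pattern described above; the sample form and the name/style heuristics are constructed for the demo.

```javascript
// Added example (not from the original post): audit a form's <input> tags for
// autofill-eligible fields that a user cannot see. Browsers fill fields by
// autocomplete/name hints, not by visibility, so a hidden "email" or "tel"
// input is a red flag that a form harvests more than it shows.
// The sample HTML and the keyword list below are constructed for this demo.

const AUTOFILL_HINTS = /(e-?mail|tel|phone|address|postal|zip|cc-|card|name)/i;

// Extract each <input ...> tag and return its attributes as a plain object.
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// A field counts as invisible if its inline style hides it or pushes it off-screen.
function isVisuallyHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return /display:none|visibility:hidden|opacity:0(;|$)/.test(style) ||
    /(left|top):-\d{3,}px/.test(style);
}

// Return the invisible fields that autofill would still populate.
function findHiddenAutofillTargets(html) {
  return parseInputs(html).filter((attrs) => {
    const hint = `${attrs.autocomplete || ''} ${attrs.name || ''} ${attrs.id || ''} ${attrs.type || ''}`;
    return isVisuallyHidden(attrs) && AUTOFILL_HINTS.test(hint);
  });
}

// Constructed sample: a newsletter form that shows the user only one field.
const SAMPLE_FORM = `
<form action="/subscribe" method="post">
  <input type="email" name="email" placeholder="you@example.com">
  <input type="text" name="full-name" autocomplete="name" style="opacity: 0; position: absolute">
  <input type="tel" name="phone" style="position:absolute; left:-9999px">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" value="Subscribe">
</form>`;

for (const f of findHiddenAutofillTargets(SAMPLE_FORM)) {
  console.log(`hidden autofill target: name=${f.name} autocomplete=${f.autocomplete || '-'}`);
}
```

Running it against the sample reports the two invisible fields (full-name and phone) and ignores the visible email field and the CSRF token, which browsers never autofill.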
What to do:
Turn off autofill in your browser. Period.
For most browsers it’s roughly the same process: head to “Settings” or “Preferences” in the menu → Autofill → turn off every toggle. In some browsers the autofill options live under Privacy & Security instead. It depends on your browser, but it will be one of those combinations.
Then move your logins and personal info into a secure password manager like ProtonPass or Bitwarden.
They’re built to protect your data, not spray it across the web.
Want more peace of mind?
Use container tabs (Firefox) or separate browser profiles (Brave, Vivaldi, Chrome, DDG) to compartmentalize where you enter sensitive info—especially on e-commerce, medical, or financial sites.
Sorry, Safari users: there is nothing like this in your browser, unfortunately.
Autofill is a lazy habit.
And lazy habits are where most breaches begin.
4. Using “Sign in with Google” (or Apple, or Facebook)
You see it everywhere.
“Sign in with Google.”
One click. No password to remember. You’re in.
Congratulations, you played yourself (DJ Khaled voice).
You’ve tied that account—whatever it is—to a Big Tech identity that tracks you across dozens of services.
Here’s what actually happens behind the scenes:
You give Google (or Meta, or Apple) a direct connection to that app or service
They get access to metadata (device info, IP, timestamp, location) every time you sign in
If the token gets stolen or hijacked? An attacker can access everything tied to that login—even without your password
It’s Single Sign-On (SSO).
Which also means Single Point of Failure.
You’re not just logging in. You’re linking ecosystems—and building a profile with way more reach than you intended.
What to do:
Stop using third-party logins. Period.
Go into your Google account, Apple account or Facebook account under “Security > Third-Party Apps” and remove access to anything you don’t recognize—or don’t use anymore.
Going forward this is what you’re going to do:
Create direct logins with email + unique passwords
Store them in a secure password manager
Use email aliases to keep accounts separated
And yes, I know some apps require “Log in with XYZ.” If you can’t live without those apps, just know that you’re accepting some risk.
If this already sounds like a nightmare to undo, you're not alone.
This exact issue is one of the reasons I built the Digital Detox Clinic—more on that soon.
5. Tapping “Allow” Without Reading App Permissions
You download a new app.
It launches, asks for a few permissions, and you tap “Allow” because you just want to use the thing.
And that’s where it starts.
That meditation app just got access to your location.
That flashlight app can now read your contacts.
That AI photo editor that turns your picture into a cute animated cat now sees your entire camera roll, 24/7.
Some apps need these permissions to work—but most just want them to collect data and sell it.
And once granted, that access often continues in the background, even when the app is closed.
This isn’t accidental. It’s the business model.
What to do:
Go into your phone’s settings and audit everything:
On iPhone: Settings → Privacy & Security → App Privacy Report
On Android: Settings → Privacy → Permission Manager
Look at who has access to your:
Location
Camera
Microphone
Contacts
Files and media
Bluetooth
Revoke anything that doesn’t need it—or apps you barely use.
Going forward:
Tap “Don’t allow” or “Only while using the app”
Never allow full background access unless it’s mission critical
Think twice before installing anything that’s not open source or widely trusted
If you’re shocked by what some of your apps have been doing in the background, good.
That means you're finally ready to break free.
6. Searching Personal Stuff on Google
You’re curious about something private.
Maybe it’s health-related.
Maybe it’s about money.
Maybe it’s none of their business.
So you type it into Google.
And just like that, it’s no longer just your business.
Google stores your search history—even if you’re not logged in.
If you are logged in, it ties it to your identity permanently unless you go in and delete it manually.
Even when you clear your browser history, the data sticks on their servers.
And it’s not just what you searched.
It’s when, where, from what device, and what you clicked afterward.
That’s how your search behavior becomes ad targeting.
That’s how a moment of curiosity becomes a long-term profile.
What to do:
Stop using Google for private searches. Use:
Brave Search (independent index, privacy-focused)
Startpage (anonymized Google results)
DuckDuckGo (if you're okay with some limitations)
SearxNG (for advanced users who want full transparency)
If you’re logged into a Google account on your device, log out—or use a separate browser profile/container for anything Google touches.
And go to:
myactivity.google.com → Delete your search history, location data, and voice/audio recordings.
Google doesn’t forget.
But that doesn’t mean you have to keep feeding it.
7. Clicking “Unsubscribe” from Sketchy Emails
You get a spammy email.
It looks like junk, smells like junk, and you never signed up for it.
So you scroll to the bottom and click “unsubscribe.”
Seems logical, right?
Except now the sender knows:
Your email is active
You opened the message
You clicked a link
You’re paying attention
That single click just validated your address—and in a lot of shady email operations, that’s all they needed to flag your inbox as “sellable.”
Congrats, you’re officially (potentially) more valuable to spammers and data brokers.
And if that unsubscribe link is laced with tracking scripts?
You just handed over your IP, browser type, and device fingerprint too.
What to do:
If the email is legit (from a real company or brand), go directly to their site, log in, and unsubscribe from there. (Or roll the dice if you’re feeling lucky.)
But if it looks even slightly sketchy?
Don’t click anything.
Mark it as spam. That tells your email provider to block similar junk in the future.
Use email aliases so you can shut down leaks instantly if one starts receiving spam.
Bonus tip:
Create a “burner inbox” exclusively for e-commerce, signups, and newsletters.
If it gets noisy, nuke it.
8. Leaving Old Apps Installed and Forgotten
You downloaded it six months ago. Maybe a year.
It was a mood tracker. A coupon finder. A random PDF scanner.
You used it once—maybe twice—and then?
Forgot it even existed.
But it didn’t forget you.
Many apps continue running background processes long after you’ve stopped using them. They still have access to:
Your files
Your location
Your contacts
Your device identifiers
Your data
And if that app came from a sketchy developer?
Or quietly updated its permissions with a new version?
You might’ve installed a data siphon without realizing it.
Old apps are security liabilities just waiting to be exploited.
They don't need to be open. They just need to exist on your phone.
What to do:
Go through your phone like you're doing a digital detox.
Be ruthless.
iPhone: Settings → General → iPhone Storage
Android: Settings → Apps → See All Apps
Delete anything you haven’t used in 30+ days.
If you ever need it again, you can always reinstall it—minus the shady background data collection.
Fewer apps = less access = less exposure
9. Assuming Incognito Mode Actually Makes You Private
You open a private window.
No history. No cookies. No saved logins.
Feels like stealth mode, right?
Not even close.
Incognito mode (or Private Browsing) only does one thing:
It hides your activity from your own device.
It does not:
Hide your IP address
Block fingerprinting
Prevent tracking scripts
Stop your ISP from logging your activity
Block websites from identifying you through browser and device data
It’s not private. It’s just local amnesia.
Worse? Some people use it for banking or sensitive tasks thinking it’s safer—when in reality, they’re still fully exposed to network surveillance and trackers.
What to do:
Use a privacy-focused browser like Brave, Firefox (with hardened settings), or Vivaldi.
Combine it with:
uBlock Origin
Privacy Badger
Cookie AutoDelete
And a good quality VPN (like ProtonVPN or Mullvad) to mask your IP
Incognito mode is fine for keeping things off your roommate’s browsing history.
But if you care about actual privacy, you’ll need to go a whole lot deeper.
10. Believing Convenience Is Risk-Free
This is the main habit that fuels all the others.
You reuse emails because it’s easier.
You stay logged in because it’s faster.
You install apps without thinking because it’s more convenient in the moment.
But convenience is the bait.
It’s how Big Tech designs your behavior—and how they normalize surveillance.
Every autofill, every fingerprint, every lazy login you don’t think twice about?
It’s not just making your life smoother. It’s making your data more profitable.
And slowly, you stop noticing the trade:
Privacy for speed. Autonomy for comfort.
Until one day, you’re not in control anymore—and you didn’t even notice it happened.
What to do:
Start by recognizing the pattern.
If a tool or feature is saving you time, ask: what am I giving up in return?
Privacy doesn’t have to mean going off-grid.
But it does mean making conscious decisions instead of default ones.
That’s what the people selling your data hope you’ll never do.
You Don’t Need to Be Perfect. You Just Need to Stop Being Easy.
This list wasn’t about shame.
It was about showing you how convenience becomes exposure—and how fast it adds up when no one teaches you the right way to operate.
That’s why I created the Digital Detox Clinic.
It’s not a checklist of settings to toggle.
It’s the system.
It’s confidence and empowerment.
For people who are done second-guessing every app, every login, every “maybe I should look into that” moment.
You’ll be guided through step-by-step to:
Find and delete old accounts you forgot even existed
Clean up and lock down your social media so it stops bleeding data
Opt out of data brokers—the right way
Build a sustainable privacy mindset that you can actually maintain
Rewire the habits that keep you exposed without you realizing it
This is your final shot to join the waitlist before launch this Friday, May 9th.
You’ll get special insider only pricing, and a cleaner, quieter digital life on the other side.
Don’t miss this opportunity because you can’t take action.
Let’s Talk Habits
Be honest—how many of these showed up in your day-to-day?
One? Three? All ten?
Which one hit hardest?
And which one are you finally ready to kick?
Drop it in the comments.
You might be surprised how many people are right there with you—quietly unlearning the same habits.
And if this post opened your eyes to just how exposed your daily routine really is…
restack it.
Someone you care about is probably making the same mistakes—and they won’t change until they see it spelled out.
Until next time…
Jason I appreciate you so much. Just pulled a dozen apps off my phone I haven’t used in ages.
I have NO idea why some of them thought they needed access to my camera or photo roll, but they don’t anymore! 🙏🏻
The peace of mind that your simple and clear explanations bring me… I’m very appreciative. Looking forward to upgrading my subscription when I’m able to do so. Your insights are worth it.
Being in IT for 30 years working on federal and private contracts, you pick up good policies. When I install Windows I use the NIST checklist to secure it. Never save PWs in the browser. Use a local install of a PW repository. I use email rules to block unwanted mail. Pi-hole DNS container to block domains. No Meta, Google etc. Foreign countries are blocked.
VPN for private financial transactions.
Sometimes sites don’t work with a VPN. My thinking is if they don’t accept enhanced security on my side, why would I trust their site?
FWIW