We generate data simply by existing online. Every time you accept cookies, log in with Facebook, or connect a smart device to your Wi-Fi, you leave behind digital exhaust. Over the years, this exhaust solidifies into a massive, searchable footprint that’s bought, sold, and analysed—often without your knowledge.
If you’re reading this, you likely feel the weight of that exposure. Perhaps you’ve been targeted by a suspiciously accurate advert, or you’re simply uneasy about how much the internet “knows” about you. Most advice on “cleaning up your digital life” is outdated. Deleting your Facebook account isn’t enough anymore. A comprehensive privacy audit is the only way to truly understand your exposure.
To truly secure your privacy in 2025, you need to look beyond social media and conduct a thorough privacy audit of the invisible layers of your digital existence: the data brokers selling your address, the smart devices recording your voice, and the old accounts leaking your passwords. This guide ignores the fear-mongering and focuses on control.
We’ve structured this privacy audit into a 3-Layer Framework covering the Cloud (your public accounts and data brokers), the Device (what your phone and computer are broadcasting), and the Connection (how your data travels through the web). You’ll also learn how to use UK-specific GDPR rights to demand data deletion from companies that ignore your requests.
Phase 1: The Discovery Audit (Assess Your Current Exposure)
Before you can scrub your data, you must understand where it lives. Most people underestimate their digital footprint by a factor of ten. The first stage of any privacy audit starts not by deleting, but by searching. This discovery phase reveals exactly what personal information is publicly accessible and where your data has been exposed.
“Google Dork” Yourself
Typing your name into Google provides a surface-level view. To see what a dedicated researcher or background check algorithm sees, you need to use Boolean search operators (known as “Google Dorking”). This is the foundation of your privacy audit—understanding exactly what information about you is publicly searchable.
Open an incognito window and try these specific search strings:
- The Exact Match: "Firstname Lastname" (keeps the search tight).
- The Location Pair: "Firstname Lastname" AND "City" (finds local records).
- The File Hunt: "Firstname Lastname" filetype:pdf (critical—this often unearths old CVs, conference attendee lists, or meeting minutes hosted on public servers).
- The Email Trace: "[email protected]" site:twitter.com (replace with your handle/email to see where your contact info is exposed on specific platforms).
Create a spreadsheet named “Privacy Audit.” List every URL you find containing your personal data. We’ll tackle these in Phase 2. This spreadsheet becomes your privacy audit master document, tracking every exposure point you discover.
The “Login With” Vulnerability Check
One of the most common privacy leaks isn’t an account you use—it’s the “bridge” you built years ago. We often use Google, Facebook, or Apple IDs to “sign in” to third-party apps (quizzes, budgeting tools, games) and then forget them. These bridges often remain open, granting those dormant apps continuous access to your profile data.
How to audit your bridges:
- Google: Go to Google Account > Data & Privacy > Third-party apps with account access.
- Facebook: Go to Settings & Privacy > Settings > Apps and Websites.
- Apple: Go to Settings > Apple ID > Sign-in with Apple.
Likely scenario: you’ll find 20+ apps you haven’t used since 2018. Revoke access to anything you don’t recognise or currently use immediately.
The Breach Check
Finally, verify if your credentials are already for sale on the dark web. Visit Have I Been Pwned and enter your primary email addresses.
- Green? You’re safe for now.
- Red? Note down which service was breached (e.g., LinkedIn 2016). You must assume that the password you used for that service is now public knowledge. If you reused that password anywhere else, mark those accounts as “Critical Priority” in your audit spreadsheet.
Check your exposure level with this quick assessment:
| Habit | Risk Level | Action Required |
|---|---|---|
| I use the same password for banking and social media | 🔴 CRITICAL | Change your banking password immediately |
| I have “Location Services” set to ‘Always On’ for most apps | 🟠 HIGH | Proceed to Phase 3: The Device audit |
| I accept “All Cookies” to make popups go away faster | 🟠 HIGH | You need to install a Consent Manager (covered in Phase 4) |
| I haven’t Googled my own name in over 2 years | 🟡 MODERATE | Perform the “Google Dork” step above |
Phase 2: Layer 1 – The Cloud and Public Footprint
Now that you know what’s exposed, it’s time to scrub the cloud layer. This phase of your privacy audit includes social media, data brokers, and the ghost accounts you’ve forgotten about. Cloud-based data is often the most visible part of your digital footprint, making it the priority target for privacy audit efforts.
De-indexing from Data Brokers
Data brokers are companies that collect, aggregate, and sell personal information. In the UK, 192.com is particularly aggressive, scraping electoral roll data, Companies House records, and property ownership details to build profiles. Removing yourself from data brokers is a critical step in any privacy audit.
How to remove yourself from UK data brokers:
- 192.com:
- Visit 192.com and search for your name.
- Click “Remove My Information” at the bottom of your listing.
- Submit the removal form with your email address.
- You’ll receive a confirmation link within 48 hours.
- Spokeo (US-based but indexes UK data):
- Visit spokeo.com/optout.
- Search for your listing.
- Copy the URL of your profile.
- Paste the URL into the opt-out form.
- Verify via email.
- Whitepages:
- Find your listing on whitepages.com
- Copy the profile URL.
- Visit whitepages.com/suppression-requests.
- Submit the removal request.
This process takes 30-60 minutes for the major brokers. Set a calendar reminder to repeat this every 6 months, as data brokers re-scrape public records. Including data broker removal in your regular privacy audit routine prevents your information from reappearing online.
The Social Media “Harden or Delete” Matrix
Not all social media accounts deserve deletion. Use this decision matrix:
- Delete if:
- You haven’t logged in for 12+ months.
- The platform has been breached (check Have I Been Pwned).
- You can’t remember why you created it.
- Harden if:
- You use it monthly for work or personal connections.
- It’s your primary communication channel with certain groups.
- You have historical posts you want to preserve.
For accounts you’re keeping, harden them immediately:
- Facebook:
- Settings > Privacy > Who can see your friends list? → Only me.
- Settings > Privacy > Who can look you up using the email address you provided? → Friends.
- Settings > Privacy > Do you want search engines outside of Facebook to link to your profile? → No.
- Instagram:
- Settings > Privacy > Private Account → On.
- Settings > Privacy > Activity Status → Off.
- Settings > Privacy > Story → Hide Story From (select people/accounts).
- LinkedIn:
- Settings > Visibility > Profile viewing options → Private mode.
- Settings > Visibility > Edit your public profile → Minimise visible sections.
- Settings > Data Privacy > Who can see or download your email address → Only you.
“Ghost Accounts”: Identifying and Closing Dormant Logins
The average person has 100+ online accounts. Most are dormant, but still vulnerable. Your old MySpace account from 2007? Still online. That forum you joined once to download a driver? Still has your email.
Use JustDelete.me, a directory of direct links to deletion pages for 500+ services. Search for services you might have used, then follow the deletion links.
For accounts without deletion options, use this tactic:
- Change the email to a burner address (using Guerrilla Mail).
- Change the password to a random 50-character string you don’t save.
- Change the name/profile to gibberish.
- The account effectively becomes anonymous and inaccessible.
AI Opt-Outs: Removing Content from LLM Scrapers
Most people are unaware that their social media posts, blog comments, and public profiles are being scraped to train AI models like ChatGPT, Claude, and Meta’s Llama.
How to opt out:
- OpenAI (ChatGPT): Visit openai.com/form/data-subject-request and submit an erasure request. OpenAI is required under GDPR to comply within 30 days.
- Adobe (Firefly AI):
- Adobe.com > Account > Privacy Settings.
- Scroll to “Content Analysis”.
- Toggle OFF “Allow Adobe to analyse my content”.
- Meta (Facebook/Instagram AI training):
- Settings > Privacy > Generative AI.
- Toggle OFF “Use my posts to train AI”.
- Google (Bard/Gemini):
- myactivity.google.com
- Click “Delete activity by” > All time.
- Enable “Auto-delete” → 3 months.
This won’t remove data already trained into models, but it prevents future scraping.
Phase 3: Layer 2 – The Device and Hardware Audit

Your phone and computer are surveillance devices if misconfigured. This section addresses a crucial aspect that most privacy guides overlook: hardware-level data leakage. A complete privacy audit must include device-level permissions, as these often represent the most significant ongoing data exposure in your digital life.
iOS and Android Permission Audits
Apps request far more permissions than they need. A torch app doesn’t need access to your contacts. A weather app doesn’t need your microphone.
iOS Audit:
- Settings > Privacy & Security.
- Review each category (Location, Microphone, Camera, Photos).
- For each app, change “Always” to “While Using” or “Never”.
- Pay special attention to:
- Social media apps: Change location to “Never”.
- Shopping apps: Remove microphone access.
- Games: Remove contact access.
Android Audit:
- Settings > Apps > Permission Manager.
- Review Location, Microphone, Camera, Contacts.
- Tap each permission type.
- Change “Allowed all the time” to “Only while using the app”.
- Revoke permissions from apps you haven’t used in 30 days.
Special concern: weather apps. WeatherBug was caught selling precise location data to advertisers. Use BBC Weather or Met Office apps instead—both are privacy-respecting UK services.
Cleaning “Physical” Meta-Data (Photos and EXIF Data)
Every photo you take contains hidden EXIF data: GPS coordinates, camera model, timestamp, and sometimes even your device serial number. When you share photos on Facebook, Twitter, or forums, this data often remains embedded.
Check your photo metadata:
- On Windows:
- Right-click a photo > Properties > Details.
- Scroll to GPS section—if it shows coordinates, your location is embedded.
- On Mac:
- Open photo in Preview.
- Tools > Show Inspector.
- Click the “i” tab (More Info).
Remove EXIF data:
- iOS: Use the Shortcuts app to create a “Remove Metadata” automation that strips EXIF before sharing.
- Android: Use the app “Photo Metadata Remover” (free, no ads).
- Desktop: Use ExifTool (free, open-source) or Bulk Resize Photos.
Better yet, disable location services for your camera app entirely. You can always manually tag important photos later.
The Smart Home Sweep (TV ACR Settings, Alexa/Siri History)
Smart devices are data collection points you’ve invited into your home. They’re constantly listening, watching, and reporting back. Including smart home devices in your privacy audit is essential, as many people overlook these continuous data collection points.
Smart TV ACR (Automatic Content Recognition):
Modern TVs scan everything you watch—broadcast TV, DVDs, streaming apps—and sell this data to advertisers.
- Samsung:
- Settings > Privacy > Viewing Information Services → OFF.
- Settings > Privacy > Interest-Based Advertisement → OFF.
- LG:
- Settings > All Settings > General > Live Plus → OFF.
- Settings > All Settings > General > Ads → Limit Ad Tracking.
- Sony (Android TV):
- Settings > Device Preferences > Security & Restrictions > Samba TV → OFF.
- Settings > Device Preferences > About > Legal Information > Ads → Opt out of Ads Personalisation.
- Amazon Alexa Voice History:
- Alexa app > Settings > Alexa Privacy.
- Review Voice History > Filter by date.
- Delete individual recordings or “Delete All Recordings”.
- Enable “Automatically Delete Recordings” → 3 months.
- Google Home/Nest:
- myactivity.google.com
- Filter by “Voice & Audio”.
- Delete activity.
- Enable auto-delete after 3 months.
- Apple Siri:
- Settings > Siri & Search.
- Toggle OFF “Listen for ‘Hey Siri'”.
- Settings > Privacy > Analytics & Improvements.
- Toggle OFF “Improve Siri & Dictation”.
Consider creating a “guest” Wi-Fi network for IoT devices. This isolates them from your main network and prevents them from scanning other devices.
Phase 4: Layer 3 – The Connection and Financials
How your data travels matters as much as what data you have. This layer covers browser fingerprinting, financial data sharing, and network-level privacy. Your privacy audit isn’t complete without examining the connections and financial permissions that continuously transmit your personal information.
Browser Fingerprinting and Cookie Audits
Websites track you even without cookies, using browser fingerprinting—a technique that creates a unique profile based on your browser version, installed fonts, screen resolution, and timezone.
Test your browser fingerprint: Visit amiunique.org or coveryourtracks.eff.org to see how unique your browser is. If you’re “unique among thousands,” websites can track you across sessions even in incognito mode.
Reduce your fingerprint:
- Use Firefox with privacy.resistFingerprinting enabled:
- Type about:config in the address bar.
- Search for privacy.resistFingerprinting.
- Toggle to true.
- Install uBlock Origin (not just AdBlock—uBlock Origin blocks trackers too)
- Use a privacy-focused browser:
- Brave: Built-in fingerprint protection, shields active by default.
- LibreWolf: Firefox fork with privacy pre-configured.
- Mullvad Browser: Built with Tor Project, maximum privacy
Cookie audit:
Don’t just “accept all” cookies. Use these consent management tools:
- I don’t care about cookies: Auto-accepts only essential cookies.
- Cookie AutoDelete: Automatically deletes cookies when you close a tab.
- Consent-O-Matic: Auto-rejects non-essential cookies.
Financial Data Sharing (Open Banking Permissions)
In the UK, Open Banking allows third-party apps to access your bank account with your permission. Budgeting apps like Emma, Yolt, and Money Dashboard use this to track spending. The problem: most people forget which apps have access. A thorough privacy audit should always include reviewing these financial connections.
Audit your Open Banking connections:
- Barclays:
- Log in to online banking.
- Settings > Manage 3rd Party Access.
- Review connected apps.
- Revoke access to apps you don’t recognise.
- HSBC:
- Log in to HSBC UK app.
- Profile > Connected Apps.
- Review and disconnect unused services.
- Lloyds/Halifax/Bank of Scotland:
- Internet banking > Settings.
- Open Banking Permissions.
- Remove old connections.
- Nationwide:
- Online banking > Settings.
- Connected Services.
- Disconnect inactive apps.
- Monzo/Starling (app-only banks): Check your app’s “Connected Apps” section directly.
If you don’t use Open Banking features, consider disabling it entirely at your bank. You can always re-enable it later.
DNS and VPN: Masking the Pipe
Your ISP can see every website you visit, even in incognito mode. They’re required by UK law (Investigatory Powers Act 2016) to retain browsing records for 12 months.
Use encrypted DNS:
- Cloudflare DNS (1.1.1.1):
- Fast, privacy-focused, doesn’t log queries.
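- Setup: Change DNS in router settings to 1.1.1.1 and 1.0.0.1. This changes which resolver answers your queries; the queries themselves are only encrypted once DNS over HTTPS or DNS over TLS is enabled on the router, device, or browser.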
- Quad9 DNS (9.9.9.9):
- Blocks malware domains automatically.
- Based in Switzerland (strong privacy laws).
Use a VPN for sensitive browsing:
Not all VPNs are equal. Free VPNs often sell your data. Use these audited providers:
- Mullvad VPN: €5/month, accepts cash, no logs verified by independent audit.
- ProtonVPN: Free tier available, Swiss jurisdiction, open-source.
- IVPN: $6/month (£4.70), anonymous signup, no email required.
Avoid: ExpressVPN (owned by Kape Technologies, history of malware distribution), Hotspot Shield (logs data despite “no logs” claims), and any free VPN without open-source code.
Phase 5: UK Data Protection Rights (Your Legal Weapons)
Unlike the US, UK residents have powerful legal tools to control personal information. The GDPR grants you the “Right to Erasure” (Article 17), which companies must honour within 30 days or face ICO penalties. These legal rights transform your privacy audit from voluntary requests into enforceable demands.
Your Right to Erasure Under GDPR Article 17
When you request data deletion, companies cannot refuse unless they have a specific legal basis (e.g., contractual obligation, legal requirement, or public interest).
Use this email template:
Subject: Subject Access Request / Right to Erasure – GDPR Article 17
Dear [Company] Data Protection Officer,
Under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, I am exercising my right to erasure pursuant to Article 17.
I request that you:
1. Confirm what personal data you hold about me
2. Delete all personal data related to [specify: email address, account, transactions]
3. Confirm erasure within 30 days as required by law
My details:
Name: [Your name]
Email: [Your email]
Account reference: [If applicable]
If you cannot comply, please explain your lawful basis for retention under GDPR Article 17(3).
Regards,
[Your name]
Send this to any company refusing to delete your data. Most comply immediately once GDPR is mentioned.
How to Submit a Subject Access Request (SAR)
A SAR forces companies to disclose what personal data they hold about you, where they obtained it, with whom they’ve shared it, and how long they intend to retain it.
- When to submit a SAR:
- You suspect a data breach but the company won’t confirm.
- You’re unsure what data a company has collected.
- You want to verify deletion after requesting erasure.
- How to submit a SAR:
- Email the company’s Data Protection Officer (find the contact in their privacy policy).
- Use this template:
Subject: Subject Access Request – GDPR Article 15
Dear Data Protection Officer,
Under Article 15 of the UK GDPR, I request a copy of all personal data you hold about me. Please provide:
1. Categories of personal data processed
2. Purposes of processing
3. Recipients with whom data has been shared
4. Retention periods
5. Source of data (if not collected directly from me)
6. Whether automated decision-making is used
Please respond within 30 days as required by law.
Name: [Your name]
Email: [Your email]
Account reference: [If applicable]
Companies must respond within 30 days. If they don’t, you can escalate to the ICO.
Filing ICO Complaints for Non-Compliance
If a company fails to respond to your erasure request or SAR within 30 days, you can file a complaint with the Information Commissioner’s Office (ICO).
How to complain to the ICO:
- Visit ico.org.uk/make-a-complaint
- Select “Data protection”
- Provide:
- Evidence of your original request (email copy)
- Company’s response (or lack thereof)
- Timeline of events
- Submit the complaint
The ICO investigates and can issue fines up to £17.5 million or 4% of global turnover. Companies take these complaints seriously because ICO enforcement is public and damages reputation.
Recent ICO enforcement actions in 2024:
- British Airways: £20 million fine for failing to protect customer data.
- Marriott International: £18.4 million fine for data breach affecting 339 million guest records.
- TikTok: £12.7 million fine for using children’s data without parental consent.
Phase 6: Maintenance – The Annual “Spring Clean” Routine

A privacy audit isn’t a one-time task. Digital hygiene requires regular maintenance. Here’s how to make your privacy audit sustainable and prevent data exposure from creeping back over time.
Setting Up a Dedicated “Spam” Email Alias
Never use your primary email address for online shopping, newsletter sign-ups, or one-time registrations. Create a dedicated “burner” email for these purposes.
Best practices:
- Use email aliasing services:
- SimpleLogin: Free tier includes 15 aliases, forwards to your real email.
- AnonAddy: Open-source, self-hostable, unlimited aliases.
- Duck.com (DuckDuckGo Email): Free, strips trackers from forwarded emails.
- Gmail’s “+” trick: If your email is [email protected], use [email protected] for retail sites. All emails arrive in your main inbox, but you can filter them easily.
- Create service-specific aliases: [email protected] for Amazon, [email protected] for LinkedIn.
If you start receiving spam at a specific alias, you know which service leaked your email.
The 6-Month Privacy Audit Calendar
Download this .ics calendar file to set recurring reminders for your ongoing privacy audit tasks:
- January/July:
- Review Open Banking connections.
- Check Have I Been Pwned for new breaches.
- Update passwords for financial accounts.
- February/August:
- Re-submit opt-out requests to data brokers (192.com, Spokeo).
- Review third-party app access (Google, Facebook, Apple).
- Delete old photos and videos from cloud storage.
- March/September:
- Audit smart home device permissions.
- Delete voice assistant history (Alexa, Google, Siri).
- Review browser extensions and remove unused ones.
- April/October:
- Check location history (Google Timeline, Apple Significant Locations).
- Review social media privacy settings.
- Unsubscribe from newsletters using unroll.me.
- May/November:
- Test browser fingerprint (amiunique.org).
- Review mobile app permissions.
- Delete dormant online accounts.
- June/December:
- Full Google Dork search for your name.
- Review DNS and VPN settings.
- Update this checklist based on new privacy threats.
- Complete a full privacy audit review using this guide.
Set these reminders in your calendar now. Privacy audits take 2-3 hours twice yearly—far less time than recovering from identity theft.
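If you would rather build the reminders yourself, the added example below (not a file supplied with this guide) generates an iCalendar file from the task list above, with one event per month pair repeating every six months. The PRODID, UID domain, and function names are assumptions made for the example.

```python
from datetime import date

# Tasks copied from the calendar above, keyed by the first month of each pair.
TASKS = {
    1: ["Review Open Banking connections",
        "Check Have I Been Pwned for new breaches",
        "Update passwords for financial accounts"],
    2: ["Re-submit opt-out requests to data brokers (192.com, Spokeo)",
        "Review third-party app access (Google, Facebook, Apple)",
        "Delete old photos and videos from cloud storage"],
    3: ["Audit smart home device permissions",
        "Delete voice assistant history (Alexa, Google, Siri)",
        "Review browser extensions and remove unused ones"],
    4: ["Check location history (Google Timeline, Apple Significant Locations)",
        "Review social media privacy settings",
        "Unsubscribe from newsletters using unroll.me"],
    5: ["Test browser fingerprint (amiunique.org)",
        "Review mobile app permissions",
        "Delete dormant online accounts"],
    6: ["Full Google Dork search for your name",
        "Review DNS and VPN settings",
        "Update this checklist based on new privacy threats",
        "Complete a full privacy audit review using this guide"],
}

def escape(text):
    """Escape a TEXT value per RFC 5545: backslash, semicolon, comma, newline."""
    for ch in ("\\", ";", ","):
        text = text.replace(ch, "\\" + ch)
    return text.replace("\n", "\\n")

def fold(line):
    """Fold a content line at 75 characters (the task text here is ASCII)."""
    chunks, rest = [line[:75]], line[75:]
    while rest:
        chunks.append(" " + rest[:74])  # continuation lines start with a space
        rest = rest[74:]
    return "\r\n".join(chunks)

def build_calendar(year, stamp="20250101T000000Z"):
    """Return the .ics text: six all-day events, each repeating every 6 months."""
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0",
             "PRODID:-//example//privacy-audit//EN"]  # placeholder product id
    for month, tasks in TASKS.items():
        lines += [
            "BEGIN:VEVENT",
            f"UID:privacy-audit-{month:02d}@example.invalid",  # placeholder domain
            f"DTSTAMP:{stamp}",
            f"DTSTART;VALUE=DATE:{date(year, month, 1):%Y%m%d}",
            "RRULE:FREQ=MONTHLY;INTERVAL=6",
            "SUMMARY:Privacy audit",
            "DESCRIPTION:" + escape("\n".join("- " + t for t in tasks)),
            "END:VEVENT",
        ]
    lines.append("END:VCALENDAR")
    return "\r\n".join(fold(line) for line in lines) + "\r\n"

if __name__ == "__main__":
    with open("privacy-audit.ics", "w", newline="") as fh:
        fh.write(build_calendar(date.today().year))
```

Import the resulting privacy-audit.ics into your calendar application.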
You’ve just completed a comprehensive privacy audit covering three critical layers: the Cloud (public accounts and data brokers), the Device (hardware-level privacy settings), and the Connection (how your data travels online). You’ve also learned how to use UK-specific GDPR rights to demand deletion from companies that ignore informal requests.
The digital exhaust you generate won’t disappear overnight, but you’ve taken control of what you share moving forward. Update your calendar with the 6-month maintenance routine, and you’ll stay ahead of emerging privacy threats.
Your privacy audit spreadsheet should now contain:
- URLs of old accounts to delete.
- Data broker opt-out confirmations.
- Companies you’ve sent GDPR deletion requests to.
- Smart devices with updated privacy settings.
- A list of Open Banking connections to review.
The most crucial step is the one you take next: actually implementing these changes. Start with Phase 1 (Discovery Audit) today, then work through one phase per week. In six weeks, you’ll have complete control over your digital footprint. Regular privacy audits aren’t about hiding—they’re about choosing what you share and who sees it. You’ve now reclaimed that choice.