Most guides on how to protect your privacy online are written for an internet that no longer exists. They tell you to use a strong password and enable two-factor authentication, and stop there. That advice is correct and necessary, but it is also profoundly incomplete. The actual privacy threats facing professionals today are larger, more systemic, and more difficult to defend against than any password manager can solve on its own.
This guide is written from a different perspective. As a Chief Information Security Officer who works with executives, federal contractors, and regulated organizations on regulatory compliance and data protection, I see the gap between what privacy guides recommend and what actually moves the needle. The good news is that meaningful online privacy is achievable. The harder news is that it requires more than checklists.
What follows is the practical, layered approach to online privacy that I share with executives, board members, and the audiences I speak to about privacy, technology, and the risks organizations ignore. Some of it will be familiar. Some of it will be new. All of it is what I actually do, what I recommend to clients, and what I believe matters for professionals operating in a connected world.
What "Privacy Online" Actually Means
Before any tactic makes sense, the concept needs to be clear. Online privacy is not the same thing as cybersecurity, though they overlap. Cybersecurity protects you from attackers. Privacy protects you from observation, profiling, and the secondary uses of your information by parties who have legitimate access but use it in ways you didn't intend or expect.
A bank protecting your account from a hacker is cybersecurity. The same bank selling your transaction patterns to data brokers is a privacy issue. A healthcare provider securing patient records against breach is cybersecurity. The same provider sharing de-identified data with AI companies is a privacy question. The distinction matters because the defenses differ. You cannot password-manager your way out of legal data sharing. You cannot two-factor your way out of behavioral tracking.
For most professionals, the privacy threats divide into three categories:
- Data being collected about you — tracking, profiling, behavioral analytics, AI training data, biometric capture
- Data being exposed about you — breaches, leaks, oversharing, public records, social media
- Data being weaponized against you — phishing tailored to your role, AI-generated impersonation, identity theft, social engineering
A real privacy strategy addresses all three. Most consumer guides only address the second.
The Threat Landscape Is Bigger Than You Think
Before discussing defenses, it helps to be honest about what we are defending against. The data ecosystem operates at a scale most people genuinely do not appreciate.
Data Brokers
Hundreds of companies you have never heard of maintain detailed profiles on you. They aggregate purchase history, location data, demographic information, and online behavior, then sell that information to advertisers, employers, insurers, debt collectors, and anyone else willing to pay. Most operate legally. Most profiles include your home address, phone number, family members, estimated income, and inferences about health, politics, and personal life. Removing yourself from these databases is possible but tedious and incomplete.
Behavioral Tracking
Every website you visit, every app you use, and every email you open is feeding behavioral analytics systems. Cookies are only the surface. Modern tracking uses device fingerprinting, network-level signals, and cross-device identity graphs. Even when you use private browsing, much of this tracking continues. The "anonymized" data is often re-identifiable when combined with other sources.
AI Training Data
An entirely new category of privacy concern has emerged with generative AI. Public posts, comments, photos, and writing have been ingested into AI training sets at scale. Once your information is part of a model's training data, it cannot be removed. Your professional voice, your phrasing patterns, your photographic likeness can all be reproduced or referenced by AI systems indefinitely. This is one of the topics I cover in my keynote on the risks technology creates that organizations ignore — because it is moving faster than most leaders realize.
Breaches
Your personal information is in dozens of breached databases right now. Credentials, security questions, partial credit cards, phone numbers, addresses. Most people have never been notified. The data protection failures of every company you have ever done business with become your problem when those records are sold or published.
Targeted Social Engineering
The combination of all the above creates a threat unique to professionals: tailored social engineering. An attacker who knows your name, role, employer, recent travel, family members, and writing style can craft phishing attempts that bypass both technical filters and human skepticism. Generative AI has made this dramatically easier.
Foundational Privacy Practices
Even with that landscape, the foundational practices still matter. They will not solve the systemic problems, but they prevent the avoidable ones.
Use a Password Manager — Properly
The single highest-leverage privacy action remains password management. Not because passwords are exciting, but because reused or weak passwords are the entry point for the cascading failures that destroy privacy at scale. One breached credential becomes account takeover, which becomes identity theft, which becomes years of remediation.
Use a reputable password manager — 1Password, Bitwarden, and the password managers built into Apple and Google ecosystems are all reasonable choices. Generate unique random passwords for every account. Never reuse passwords across services. The practical effect is that a breach of one service exposes only that service.
Enable Two-Factor Authentication, Preferably with a Hardware Key
Two-factor authentication (2FA) is the single most important defense against credential theft. SMS-based 2FA is better than nothing but vulnerable to SIM swapping. Authenticator apps (Authy, Google Authenticator, the password manager's built-in option) are significantly better. Hardware security keys (YubiKey, Google Titan) are the gold standard and what I personally use for high-value accounts: email, financial, work, password manager itself.
If you do nothing else from this article, set up hardware-backed 2FA on your primary email account. Email is the master key to your digital life — password resets for every other service flow through it. Protecting that account is disproportionately valuable.
Encrypt by Default
Use encrypted messaging (Signal) for personal conversations. Encrypt your laptop and phone storage. Turn on your browser's HTTPS-only mode so it refuses unencrypted connections. Most of these are now defaults, but verify rather than assume.
Update Religiously
Most exploited vulnerabilities are old vulnerabilities. Operating systems, browsers, and apps issue security updates constantly. Auto-update wherever possible. Restart your devices regularly so updates actually apply. The gap between a patch being available and you applying it is a window of vulnerability.
Practices That Actually Move the Needle
The advice above is the floor. What follows is what most guides skip — the practices that meaningfully reduce your exposure rather than just hardening accounts.
Limit Data Exposure at the Source
The most effective privacy practice is the simplest in concept and hardest in practice: do not give your data to people who do not need it. Skip optional fields on forms. Use the minimum information required for any account. Decline to provide a phone number where it isn't strictly necessary. Pay attention to what an app or service actually requires versus what it asks for "to improve your experience."
Most data breaches expose data that should never have been collected in the first place. The data that does not exist cannot be breached.
Use Email Aliases and Disposable Addresses
Stop giving your real email address to every service. Use email aliasing services like SimpleLogin, AnonAddy, or Apple's "Hide My Email" to generate unique forwarding addresses for each service. The benefits compound: you can identify which service leaked your information when you start receiving spam, you can shut off any individual address without changing your email, and you make it dramatically harder to correlate your activity across services.
Opt Out of Data Brokers
Services like DeleteMe, Kanary, and Optery systematically file removal requests with the major data brokers on your behalf. None of them remove you completely — brokers re-aggregate your information from new sources — but they substantially reduce your visibility on people-search sites. For executives and public-facing professionals, this is genuinely worthwhile. For everyone else, it depends on your threat model.
Use a Separate Browser Profile (or Browser) for Sensitive Activity
Cross-site tracking works best when all your activity flows through the same browser instance. Use a dedicated browser or browser profile for sensitive activity — banking, healthcare, work — separated from your general browsing. Brave, Firefox with strict privacy settings, and Safari with cross-site tracking prevention all work well. The friction is small. The privacy benefit is real.
Pay Attention to Your Financial Footprint
Credit card transactions are one of the most thoroughly monetized data streams in existence. Use virtual card numbers (Privacy.com, your bank's virtual cards, Apple Pay's transaction obfuscation) for online purchases where possible. Freeze your credit at all three bureaus when you are not actively applying for credit — it is free, it takes minutes, and it prevents the most damaging form of identity theft.
Mobile-Specific Privacy
Your phone is the largest privacy attack surface in your life. It travels everywhere, sees everything, and contains apps from companies whose business models depend on monetizing your behavior.
Audit App Permissions Regularly
Every app you install asks for permissions. Most ask for more than they need. A flashlight app does not need your contacts. A weather app does not need your microphone. Walk through your phone's privacy settings monthly and revoke permissions that no longer make sense. iOS and Android have made this dramatically easier in recent years — use what they offer.
Limit Location Sharing
Apps with continuous location access are tracking your movements in detail. For most apps, "while using the app" is sufficient and "always allow" is unnecessary. Some apps need fine-grained location; most just want it. Be skeptical of the difference.
Be Cautious With Voice Assistants
Voice assistants on phones, smart speakers, and connected appliances are listening more than most people realize. Even when working as designed, they capture surrounding audio to detect wake words. Review what your assistant has recorded; most platforms now allow you to delete recordings or disable saving. Decide if the convenience is worth the trade-off in your home and office.
Watch Your Wireless Behavior
Your phone broadcasts unique identifiers as it scans for Wi-Fi networks. Public spaces increasingly use this to track foot traffic, dwell time, and return visits. Disable Wi-Fi auto-connect when not actively using a known network. iOS and modern Android randomize MAC addresses by default, but verify the setting is on.
Social Media and Personal Brand
For professionals, social media is both unavoidable and dangerous. The same posts that build your reputation also build the dossier an attacker uses against you.
Share Strategically, Not Reactively
Before posting, ask: would I want this content in front of an attacker tailoring a phishing campaign against me, an employer evaluating me, an opposing counsel deposing me, or an AI training set processing me? If the answer to any of those is uncomfortable, reconsider.
Audit Your Old Accounts
Most people have abandoned accounts on services they have not used in years. Old MySpace pages, dormant Twitter accounts, forgotten forum profiles, lapsed dating apps. Each is a privacy liability. Inventory your accounts (your password manager and email search history are starting points) and either delete or harden the ones you no longer use.
Be Careful with Photos
Photos contain metadata: location, time, device information. Many social platforms strip this on upload, but not all. Photos also reveal context an attacker can use — the visible street sign that confirms your home neighborhood, the laptop screen reflecting an open document, the family member identifiable in the background.
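Added example (not from the original article): a minimal check-and-strip for JPEG metadata that walks the file's header segments and drops the Exif and XMP blocks carrying location, capture time and device details before a photo is shared. The sample bytes are constructed, not a real photograph, and the function names list_metadata and strip_metadata are chosen here.

```python
import struct

SOS, APP1 = 0xDA, 0xE1
# APP1 payload prefixes that carry privacy-relevant metadata (GPS, time, device).
METADATA_PREFIXES = {b"Exif\x00\x00": "Exif", b"http://ns.adobe.com/xap/1.0/\x00": "XMP"}


def _segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded image data follows; headers are done
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _metadata_kind(marker: int, payload: bytes):
    """Return 'Exif' or 'XMP' for a metadata-bearing APP1 segment, else None."""
    if marker == APP1:
        for prefix, name in METADATA_PREFIXES.items():
            if payload.startswith(prefix):
                return name


def list_metadata(data: bytes) -> list:
    """Metadata blocks present: the check to run before a photo leaves your device."""
    kinds = (_metadata_kind(m, data[s + 4:e]) for m, s, e in _segments(data))
    return [k for k in kinds if k]


def strip_metadata(data: bytes) -> bytes:
    """Copy the JPEG without Exif/XMP segments; pixel data is left untouched."""
    out, last_end = bytearray(data[:2]), 2
    for marker, start, end in _segments(data):
        if _metadata_kind(marker, data[start + 4:end]) is None:
            out += data[start:end]
        last_end = end
    out += data[last_end:]  # SOS header, scan data and EOI, copied verbatim
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real photo: JFIF header, placeholder Exif, XMP, stub scan.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 16)
    + _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9"
)
```

Run list_metadata on a file before and after strip_metadata to confirm the blocks are gone; the image itself is byte-for-byte unchanged because only header segments are dropped.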
AI and the New Privacy Frontier
Generative AI has changed the privacy landscape in ways that are still being absorbed. A few practical considerations:
Be Careful What You Put Into AI Tools
Most consumer AI tools (ChatGPT, Claude, Gemini, Copilot) train on user inputs by default in their free tiers, with various opt-out mechanisms. When you paste sensitive content into a chat — client information, internal documents, personal details — you are potentially adding it to a future training corpus. Use the privacy settings these tools provide. For sensitive work, use enterprise versions with explicit data controls or run models locally.
Watch for AI-Generated Impersonation
Voice cloning requires only a few seconds of recorded speech. Video deepfakes of public figures are now indistinguishable from authentic footage. Phishing attempts increasingly use AI-generated content tailored to the target. Verify unexpected requests through a second channel — especially anything involving money, credentials, or sensitive information — even when the request seems to come from a familiar voice or face.
Assume Public Content Is Training Data
Anything you have published publicly — blog posts, social media, podcasts, video, code — should be assumed to be in or about to be in AI training datasets. This is not entirely a bad thing. It is just reality. Adjust your future publishing decisions accordingly.
For Executives and Public-Facing Professionals
Some additional considerations apply specifically to high-profile professionals. The threat model is different. So is the appropriate level of effort.
- Use professional services for personal privacy. DeleteMe and similar services are worth their cost. Personal threat assessments are worth requesting periodically.
- Separate professional and personal devices. If your role exposes you to sensitive information, the same device should not also be the one your kids borrow to play games.
- Be deliberate about what is publicly attached to your name. A standard search on you should produce the professional information you want associated with your name, and not much else. This is achievable with sustained effort.
- Plan for impersonation. Have a process your colleagues, family, and clients can use to verify a communication is actually from you. AI-generated impersonation will get worse before it gets better.
- Train your household. Your privacy posture is bounded by your least-careful family member. The phishing email that compromises your home network can compromise your professional life. The conversation about online privacy is one to have with your family, not just yourself.
What Organizations Owe Their People
This guide has focused on individual practices, but a meaningful portion of online privacy is shaped by organizational decisions. Employers, vendors, and platforms make choices that affect the privacy of their employees, customers, and users at scale. Organizations that take privacy seriously make different choices than those that treat it as a compliance checkbox.
The conversation about privacy is increasingly a conversation about leadership. Boards and executives who understand the full landscape — not just regulatory compliance, but the practical realities of how data flows, how AI changes the equation, and how individual privacy connects to organizational risk — build different programs than those who don't. This is the conversation I bring to keynotes and executive briefings and the reason audiences continue to find the topic relevant.
Privacy Is Ongoing, Not a Destination
The most important thing to understand about online privacy is that it is not a problem you solve once. The threat landscape changes. New tools emerge. Your own situation evolves — new accounts, new devices, new exposures. A privacy posture that was strong two years ago may have meaningful gaps today.
The professionals who maintain genuine privacy are not those who installed the right tools once. They are those who built habits of intentionality — what they share, what they sign up for, what they install, what they say yes to. The tools matter, but the discipline matters more.
That discipline is harder than buying a password manager and forgetting about it. It is also more rewarding. A real privacy practice produces compound benefits: fewer breaches, less spam, less profiling, less anxiety about the digital trail you are creating. For professionals whose careers depend on their judgment and reputation, the investment is genuinely worth it.
If your organization is wrestling with these questions — how to protect employee privacy, how to think about AI risk, how to build privacy programs that hold up — this is the conversation I have with audiences, executive teams, and boards. Reach out about speaking, and let's talk.