Your Privacy Action Plan: The 80/20 in Priority Order

This is the capstone. Everything in this series — threat models, passwords, phone audits, email migration, browser and DNS changes, VPN assessments, social media containment, data broker removal — distilled into a single prioritized plan that a normal person can execute without quitting their job or abandoning the technology that makes modern life functional. The sovereign posture toward privacy is not maximalism. It is the 80/20: roughly twenty percent of possible privacy actions deliver eighty percent of the meaningful protection. This article identifies that twenty percent, puts it in order, and gives you a timeline that respects both the urgency of the problem and the reality of your schedule.

Why This Matters for Sovereignty

We have spent this series building a clear-eyed picture of the surveillance economy — who collects your data, how they collect it, what they do with it, and what you can realistically do about each layer. The picture is neither as dire as the paranoid corners of the internet suggest nor as benign as the platform companies would have you believe. The extraction is real. The enforcement gap is enormous. Most of the machinery is automated, indifferent to you as an individual, and primarily designed to sell advertising rather than to surveil in any targeted sense. Snowden’s Permanent Record (2019) and Zuboff’s The Age of Surveillance Capitalism (2019) together provide the honest frame: the apparatus exists, it is pervasive, and the individual’s best response is measured, practical action on the things that actually matter — not theater, not panic, not resignation.

Privacy is maintenance. This is the single most important reframe this series offers. It is not a project you complete and forget. It is more like dental hygiene — small, regular actions that are individually minor and cumulatively significant. The person who flosses daily has better outcomes than the person who does an intensive deep clean once a year and ignores their teeth the rest of the time. The same principle applies to your data. A few deliberate actions maintained consistently provide far more protection than a weekend of frantic configuration followed by twelve months of neglect.

Priority 1: This Afternoon (30 Minutes)

These four actions have the highest impact-to-effort ratio of anything in this series. If you do nothing else, do these.

Install a password manager. Bitwarden is free, open-source, and excellent. 1Password costs $36 per year and has a polished interface. KeePass is open-source and stores your vault locally if you prefer not to use cloud sync. Pick one. Any one. Install it on your phone and your computer. The specific choice matters far less than the act of using one.

Change your passwords on your email account and your primary bank account. Use the password manager to generate unique, random passwords for each. Your email account is the skeleton key to your digital life — every password reset flows through it. Your bank account is where the money is. These two accounts, secured with strong unique passwords, represent the highest-value targets in your digital life.

Enable two-factor authentication on your email account. Use an authenticator app (Authy or the authenticator built into your password manager) rather than SMS if the option is available. SMS-based 2FA is better than nothing but vulnerable to SIM-swap attacks. A hardware key like YubiKey is the strongest option. An authenticator app is the practical sweet spot for most people. This single action blocks the vast majority of automated account compromise attempts.

Change your DNS resolver. On your home router, replace your ISP’s default DNS with Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). This stops your ISP’s resolver from logging every website that every device in your household looks up. If you cannot access your router settings, change the DNS on your primary devices individually. This takes five minutes and the privacy benefit begins immediately.
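Added example, not from the article: a small POSIX shell check that reads a resolv.conf-style configuration and reports whether each configured nameserver is one of the Cloudflare or Quad9 addresses above, so you can confirm the change actually took effect on a Linux or macOS device. The secondary addresses 1.0.0.1 and 149.112.112.112 are the providers' published companions to the ones the article names, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the article: report which DNS resolvers a host's
# resolver configuration actually points at. Assumes a Linux or macOS host
# with a resolv.conf-style file (one "nameserver <ip>" per line).

# Cloudflare and Quad9, primary and secondary addresses.
TRUSTED_RESOLVERS="1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112"

# check_resolvers: reads resolv.conf-style text on stdin, prints one verdict
# per nameserver line, and returns 0 only if every nameserver is trusted.
check_resolvers() {
    rc=0
    found=0
    while read -r key value _; do
        [ "$key" = "nameserver" ] || continue
        found=1
        case "$value" in
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                # Loopback (e.g. systemd-resolved's 127.0.0.53) or a LAN address:
                # the real upstream is set elsewhere (resolvectl status, or the router).
                echo "LOCAL   $value (stub or router; check the upstream there)"
                rc=1 ;;
            *)
                if printf ' %s ' "$TRUSTED_RESOLVERS" | grep -qF " $value "; then
                    echo "OK      $value"
                else
                    echo "UNKNOWN $value (probably the ISP default)"
                    rc=1
                fi ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no nameserver lines found"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a laptop still pointing at its router, plus Cloudflare.
SAMPLE_RESOLV_CONF='# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 1.1.1.1'

printf '%s\n' "$SAMPLE_RESOLV_CONF" | check_resolvers || echo "resolver check FAILED"
# On a real host: check_resolvers < /etc/resolv.conf
```

A nameserver on a private LAN address means the device is asking the router, so the check has to be repeated in the router's own settings. A plain DNS query to these resolvers is still readable by whoever carries the traffic, which is the gap the DNS over HTTPS setting in Priority 2 closes.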

These four actions — password manager, two critical passwords changed, 2FA on email, DNS resolver changed — take thirty minutes and address the threats most likely to cause you actual harm: credential compromise, account takeover, and ISP surveillance of your browsing.

Priority 2: This Weekend (2 Hours)

With the foundation in place, the weekend tier addresses the ambient surveillance layer — the tracking, profiling, and data collection that happens passively as you use your devices.

Audit your phone’s app permissions. Go through your installed apps and revoke permissions that are not necessary for the app’s core function. A weather app does not need access to your contacts. A restaurant app does not need your microphone. Both iOS and Android now provide permission management in their privacy settings. This takes thirty minutes and immediately reduces the data flowing from your phone to third-party collectors.

Disable your advertising ID. On iOS: Settings > Privacy & Security > Tracking, and deny tracking requests. On Android: Settings > Privacy > Ads, and delete or reset your advertising ID. This takes two minutes and removes the unique identifier that enables cross-app behavioral tracking.

Install Firefox and configure it for privacy. Import your bookmarks and passwords from your current browser. Set Enhanced Tracking Protection to Strict. Install uBlock Origin. Enable DNS over HTTPS. This becomes your primary browser for general web use. The entire setup takes fifteen minutes.

Review your social media privacy settings. On each platform you use, go through the privacy settings and configure them to the most restrictive options you find acceptable. Revoke third-party app connections you no longer use. If you use Facebook, clear your Off-Facebook Activity. The specific steps for each platform are covered in detail in the social media article in this series. Budget about fifteen minutes per platform.

Uninstall apps you no longer use. Every app on your phone is a potential data pipeline. Apps you installed once and forgot about may still be collecting location data, contact information, or usage patterns in the background. Removing them takes fifteen minutes and eliminates data sources you gain nothing from.

Priority 3: This Month (Ongoing)

The monthly tier includes actions that require more deliberation, more time, or ongoing commitment. None of them are urgent, but all of them are worthwhile.

Begin the transition to a privacy-respecting email provider. Set up a ProtonMail or Tuta account. Start using it for new signups and new correspondence. Set your Gmail to forward to the new address. Over the coming weeks and months, update your email address on important accounts — starting with financial institutions and medical providers. Do not rush this. The goal is a gradual migration, not a disruptive switch.

Sign up for a data removal service. DeleteMe or Kanary will submit opt-out requests to the major people-search sites and data brokers on your behalf. The cost is $100-200 per year. The alternative is doing it manually, which is free but time-consuming. Either approach is valid; the service simply trades money for time.

Set up email aliases for new signups. SimpleLogin (owned by Proton) and Firefox Relay generate unique email addresses that forward to your real inbox. Use a different alias for each new service. When one gets compromised or sold, you disable that alias without affecting anything else. This takes ten minutes to set up and seconds per use thereafter.

Assess whether a VPN adds value for your specific situation. If you travel frequently or use public Wi-Fi regularly, a VPN from a credible provider (Mullvad, ProtonVPN, IVPN) is worth the modest cost. If you work primarily from home and have already changed your DNS, the marginal benefit of a VPN is smaller. Do not buy one because you feel like you should. Buy one if your threat model identifies a gap that a VPN specifically fills.

Priority 4: Quarterly Maintenance

Privacy maintenance is what turns a one-time effort into durable protection. Four times a year, spend thirty minutes on the following.

Re-audit your phone’s app permissions. New apps accumulate, permissions creep, and operating system updates sometimes reset privacy settings. A quarterly review keeps the baseline intact.

Check your data removal service results, or submit fresh manual opt-out requests if you are handling broker removal yourself. Your data reappears on broker sites because they continuously re-collect. This is the maintenance layer that keeps removal effective.

Review third-party app connections on social media platforms. Services you authorized months ago may no longer be necessary, and the fewer active connections, the smaller your attack surface.

Check haveibeenpwned.com for your email addresses. If any accounts have been involved in a data breach since your last check, change those passwords using your password manager. This takes five minutes and catches breaches you might not have heard about.

What to Skip (Unless Your Threat Model Requires It)

This series has been explicit about proportionality, and the action plan is no different. The following actions are effective but impose a lifestyle cost that is disproportionate for most people’s actual threat model.

Full de-Googling — replacing all Google services with self-hosted or privacy-respecting alternatives — is covered in another series (S23) for those who want it. It is a significant project with significant benefits and significant costs. For most people, the actions in this plan capture the majority of the privacy benefit without the disruption.

Using Tor for everyday browsing slows your internet dramatically and breaks many websites. It is essential for journalists, activists, and dissidents operating under repressive governments. It is unnecessary for someone whose primary adversaries are data brokers and advertisers.

Carrying a Faraday bag to block your phone’s radio signals, using a de-Googled phone running GrapheneOS, or refusing to use any cloud services are all positions on the privacy spectrum that are defensible for specific threat models and disproportionate for the majority of readers.

The line between proportional and disproportionate is personal. It depends on your threat model, your technical comfort, and how much disruption you are willing to accept. This plan provides the proportional baseline — the actions that deliver the highest privacy return for the lowest cost in time, money, and convenience. If your threat model demands more, you know where to find it.

The Cost

Everything in Priority 1 and Priority 2 is free. The password manager, the browser, the DNS change, the app audit, the advertising ID toggle — all free.

Priority 3 and Priority 4 cost between zero and roughly $200 per year, depending on whether you use paid email (ProtonMail Plus is about $48/year), a data removal service ($100-200/year), and a VPN ($60/year for Mullvad). These are optional, and the free alternatives (manual broker opt-out, free email tiers, no VPN if your threat model does not require one) are entirely adequate.

This is not a significant financial investment. It is a fraction of what most people spend on streaming services. The return — in reduced exposure to credential theft, identity fraud, ISP surveillance, cross-site tracking, and data broker profiling — is disproportionately large relative to the cost.

The Sovereign Posture

You have now read a series that covers the full landscape of personal data privacy — from threat modeling to passwords to phones to email to browsers to VPNs to social media to data brokers. The picture is neither hopeless nor simple. The surveillance economy is the water we swim in. You cannot opt out completely. The sovereign posture is: understand the system, reduce unnecessary exposure, own the infrastructure that matters, and stop performing paranoia about risks that exist in theory but not in practice.

You have made proportional, informed choices. You know what you are protecting, who you are protecting it from, and what the realistic defenses look like. You are not paranoid. You are not naive. You are deliberate. And the plan you now hold is not a fortress — it is a practice. Tend it like Thoreau tended his bean field: regularly, without drama, because the work is worth doing and the harvest is yours.


This article is part of the Data & Privacy series at SovereignCML.

Related reading: The Privacy Landscape: What’s Real, What’s Theater, Your Threat Model: Who Are You Actually Defending Against?, Passwords and Authentication: The Foundation You’re Probably Getting Wrong