Most people are aware of the obvious privacy risks: weak passwords, clicking phishing links, oversharing on social media. But some of the most significant ways your personal data is being collected, tracked, and monetized happen through mechanisms most people never think about. Here are seven privacy risks that fly under the radar.

1. Your Browser’s Fingerprint Is More Unique Than Your Password

Websites can identify you without cookies by collecting data about your browser configuration: screen resolution, fonts installed, browser plugins, time zone, language settings, and dozens of other attributes. Combined, these create a “fingerprint” that is often unique to your specific browser/device combination. This fingerprint persists across cleared cookies, private browsing sessions, and even VPN connections.

Tools like coveryourtracks.eff.org let you see how unique your fingerprint is. Firefox with strict tracking protection and Chrome with a VPN still have measurable fingerprints — the only effective counter is a browser specifically designed for fingerprint uniformity, like Tor Browser.

2. “Free” Apps Are Selling Your Location History

Many free apps — particularly weather apps, games, and flashlight apps — monetize through data brokers by selling precise GPS location data. A 2023 investigation found hundreds of apps sharing location data with brokers, who aggregate it into profiles showing everywhere you’ve been, how often you visit certain places, and who else is frequently at the same locations.

The data is sold to advertisers, but also to insurers, employers, and law enforcement with few restrictions. Reviewing and revoking location permissions for apps that don’t genuinely need them is an underutilized privacy protection.

3. Your Old Accounts Are a Bigger Risk Than Your Active Ones

Think about the accounts you’ve created over the years: forums from 2008, services you stopped using, apps you deleted. These accounts still exist with your email address and often with old passwords you may still use elsewhere. They’re sitting targets in breaches — poorly-maintained old services often have worse security than the active platforms you use today.

JustDeleteMe.xyz helps you find deletion instructions for hundreds of services. Purging old accounts reduces your breach exposure and the volume of spam and targeted phishing you receive.

4. Metadata in Your Photos Reveals More Than the Image

Photos taken on smartphones embed EXIF metadata including GPS coordinates (your exact location), device model, timestamp, and sometimes lens aperture and focal length. Sharing these photos publicly, in emails, or via certain apps can reveal your home address, daily patterns, and device information to anyone who inspects the file.

Most social media platforms strip EXIF data when you upload, but direct file sharing (via email, messaging apps, Dropbox) typically preserves it. You can strip EXIF data before sharing using free tools like ExifTool.

5. Your WiFi Router’s Name Broadcasts Your Location

Companies including Google, Apple, and Microsoft maintain databases of WiFi network names (SSIDs) and their physical locations, built by war-driving and mobile device scanning. Your home network’s name is in this database, mapped to your approximate address. Apps with WiFi scanning permissions (even without GPS permission) can determine your location by cross-referencing nearby SSIDs with these databases.

6. Connected Home Devices Expand Your Attack Surface Significantly

Smart TVs, speakers, thermostats, doorbells, and baby monitors all collect and transmit data — and many have poor security practices. Smart TVs often use Automatic Content Recognition (ACR) to monitor everything you watch, even from non-streaming sources. Voice assistants store recordings by default. Many devices continue transmitting even when you think they’re “off.”

Review privacy settings on each connected device, disable ACR on smart TVs (usually under Settings > Privacy or Viewing Data), and segment IoT devices onto a separate network from your computers and phones.

7. Your Phone Number Has Become a Privacy Liability

Phone numbers were once throwaway contact information. Now they’re authentication credentials for 2FA, account recovery mechanisms, and rich data broker profiles. A phone number breach enables SIM-swapping attacks that can bypass SMS 2FA, and data brokers link your number to your identity, address history, and associated accounts.

Consider using a VoIP number for services that require a phone number but don’t need your real one — Google Voice (free) works well. And for 2FA, use an authenticator app rather than SMS wherever possible.

Assessing Your Full Privacy Risk Profile

The Privacy Risk Quiz assesses your habits across seven categories and identifies which risks apply most to your specific behavior — giving you a prioritized list of what to address first rather than an overwhelming checklist of everything that could theoretically go wrong.