Incognito — 2025: The Year Privacy Got Personal

Welcome to the January 2026 issue of Incognito, your monthly dive into privacy and security with DeleteMe.

This month: 

• Privacy in 2025: What went right (and wrong) in 2025 We break down what worked and what didn’t, and how to protect yourself in 2026.
• Have you checked out our podcast? DeleteMe’s award-winning podcast takes a deep-dive into the scams, breaches, and threats that defined 2025. Listen here.
• What you need to know: Hackers are impersonating police to trick tech giants into handing over personal data, the FBI warns about AI-powered virtual kidnapping scams, Google pulls the plug on its dark web monitoring tool, and 4.3 billion professional records exposed on an unsecured database.
• You asked, we answer: “I just switched from an Android to iPhone. Will websites start charging me more?”

2025: Your Privacy Recap

Here’s what helped and what hurt your privacy this year. 

The Bad

Let’s start with the bad news.

Companies may be charging more based on what they know about you. Your data determines what you pay. Retailers are now adjusting prices for everyday goods (even essentials like groceries) based on your personal data.

Everyone is on the AI hypetrain. Privacy be damned. Scammers are using deepfake audio to impersonate government officials and running phishing campaigns sophisticated enough to deceive even some large language models themselves by sending you to unrelated sites when you ask the AI chatbot for a URL. 

An increasing number of doctors are adopting AI tools to record and summarize patient visits.Once medical data enters these systems, however, controlling where it goes and who has access to it can be difficult or impossible. 

Employees keep putting sensitive information into AI chatbots even when their employers expressly prohibit it. 

Data brokers are still seriously abusing your privacy. For anyone concerned about privacy, these 2025 stories were impossible to unsee. 

• States quietly sold drivers’ data to private investigators and brokers.
• Hundreds of brokers failed to register with states that legally require it. 
• A data broker jointly owned and operated by several major airlines sold flight and travel data to CBP and ICE. 
• People search sites were used to target and kill a Minnesota lawmaker and her partner. The accused killer used publicly available data in his extensive planning. 
• A federal rule meant to rein in data brokers was quietly killed.
• A breach at a data broker giant exposed consumers’ sensitive personal information. 

Data breaches were relentless. Do we even need to point this one out? From airlines and retailers to car-sharing apps and messaging platforms, the breaches kept coming. 

Millions of users had personal messages exposed, login credentials leaked, and medical information compromised. By year’s end, reports showed more than half of Americans had their personal data leaked online at least once.

The Good

Now, onto the things that improved our privacy this year. 

States stepped in where Congress didn’t. Eight previously enacted state consumer privacy laws became effective during 2025, including: 

• Delaware
• Iowa
• Nebraska
• New Jersey
• Tennessee
• Minnesota
• Maryland
• New Hampshire

Other states strengthened existing laws, expanded protections to cover car manufacturers, biometric data, and even neural (brain) data. 

Plus, New York became the first state to enact legislation to curb discriminatory algorithmic pricing. Retailers that use personalized pricing must have a disclaimer saying they do so. For now, though, most consumers still have little visibility into why prices change from person to person.

Data brokers faced (some) consequences. States expanded data broker registration requirements and sued companies for selling driver data. Plus, everyone’s favorite genealogy site made it harder for law enforcement to get your data. 

Privacy-focused technology gained ground. Surveys show that over 70%+ of consumers now prioritize data privacy when choosing digital services. A small but telling case in point: consumers and institutions are embracing end-to-end encrypted messaging, with Signal growing to 70+ million monthly users and becoming the gold standard for secure communications, even adopted by government agencies. 

This momentum is also visible among major platforms. Google introduced end-to-end encryption in Gmail Workspace accounts. 

Have you checked out What the Hack?

Our award-winning podcast hosted by Beau Friedlander takes on cybercrime, scams, fraud, and the Wild West of digital privacy making that possible. A binge-worthy podcast, whether you’re stuck in traffic heading to family dinner or tackling that post-party cleanup. Find it wherever you get your podcasts. 

3 Things NOT To Do In 2026 to Improve Your Privacy (And 5 Worth Doing) 

1. Don’t give AI browser agents too much access. These tools a) need broad permissions (email, logins, calendars) and b) are still vulnerable to prompt-injection attacks. Until defenses mature, limit what they can see and do, avoid linking banking/health accounts, and only use them for low-risk tasks where a mistake wouldn’t matter.
2. Don’t share medical data with AI chatbots. Bradley Malin, a professor of biomedical informatics at Vanderbilt University Medical Center, warned that if you share your medical information with AI bots, “you’re basically waiving any rights that you have with respect to medical privacy.”
3. Don’t fall for “hacklore.” Forget the old advice about avoiding public WiFi, never using public USB chargers, and changing your passwords regularly is apparently not it. Cyber OG Bob Lord (Yahoo, DNC, CISA) got 100 current and former CISOs to sign his open letter about the bad advice that distracts people from the few things that actually make a difference. Want the whole story? Check out the full episode of DeleteMe’s podcast “What the Hack?” 

Do

1. Create a family safe word or question and use it to verify urgent calls or requests for money. Worried about a scammer pretending to be a loved one in trouble? Impossible now. 
2. Use AI to quickly summarize privacy policies you’d otherwise skip, then ask targeted follow-up questions (about data collection, sharing, security, and opt-outs) to spot red flags and find the exact sections worth reading. It’s not perfect, but it’s better than just clicking “agree.”
3. Turn on your carrier’s free SIM/number lock features in your account settings. Your phone number is the skeleton key to your online identity, and it can be hijacked by SIM-swapping, giving hackers access top your digital life. (And if you’re a DeleteMe customer, use masked phone numbers wherever you can). 
4. Change weak passwords. If any of your passwords are still “123456” or “password” (or equivalent), it’s just a matter of time before you’re hacked. Start using passphrases (or get a password manager). 
5. Check out EFF’s Age Verification Resource Hub (EFF.org/Age) and learn how the new age-verification systems work, why they threaten privacy and free expression, and how to protect yourself and push back.

We’d Love to Hear from You!

Have a story for our podcast? Any privacy stories you’d like to share, or topics you’d like to see in Incognito? We’d love to hear from you!

Drop a line to Laura Martisiute at laura.martisiute@joindeleteme.com. She’s keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.

Hackers Impersonate Police, Trick Tech Giants to Hand Over Personal Data

Hacking groups that provide doxing-as-a-service are impersonating US law enforcement to trick major tech companies into releasing sensitive personal data through emergency data requests. A hacker known as “Exempt” says he completed hundreds of successful requests across companies like Apple, Amazon, and Charter, exploiting weak email-based verification systems and the urgency around public safety. 

FBI Warns of Virtual Kidnapping Scams Using AI-Altered Media

The FBI warn about criminals that scrape photos from social media and use them to make fake “proof of life” images used in virtual kidnapping scams, demanding ransom payments for loved ones who were never actually abducted. The FBI advises people to verify loved ones’ safety directly, avoid sharing personal information, and report incidents to the Internet Crime Complaint Center.

Google to Shut Down Dark Web Report Tool In January 

Google is discontinuing its dark web report feature, which scans the dark web for users’ personal information and alerts them when their data is exposed. The tool will stop monitoring for new results on January 15, 2026, with all data becoming unavailable by February 16, 2026. Google cited user feedback indicating the tool lacked actionable next steps and said it will instead focus on other security features. 

Unsecured Database Exposes 4.3 Billion Professional Records

Security researchers discovered an unsecured database containing approximately 4.3 billion professional records, including names, emails, phone numbers, LinkedIn profiles, job histories, and employer information. The database, found on November 23, 2025, was secured two days after the owner was notified, but it remains unknown who may have accessed the data beforehand. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: I have refrained from donating to charitable causes due to concerns about personal data being sold or shared, which has previously resulted in unwanted spam. What options are available to prevent this? I would like to donate to charities I support in the future.

A: Totally understandable. It’s annoying to donate to a charity and then feel like they sold you out. Many view your data as an important revenue stream, which proves perspective is everything.

Your best bet is to read the charity’s privacy policy before donating to see who they may share your data with and if you can opt out (or have an LLM do it for you). 

If you’re not entirely happy with what you see, it may be worthwhile to consider using anonymous donation platforms. 

On the other hand, if you want to donate directly through a charity’s website, masked emails, masked phone numbers, and virtual credit cards can help. Bear in mind, if you use a virtual credit card with your real details, your donation may still be linked to your identity). 

Always watch out for any pre-checked checkboxes allowing data sharing when donating. And if you’ve already donated and want to stop the spam, you can register with the Data & Marketing Association or contact the individual charities and ask them to stop. 

Q: I just switched from an Android to iPhone. Will websites start charging me more? I heard about that happening, but I’m not sure if that’s true. 

A: Device-based pricing does exist in some cases, but it’s not a simple “iPhone users always pay more” situation. 

In fact, if you look at anecdotal evidence, it’s very mixed. For example, some users report Uber being cheaper on their iPhones, while others report the opposite. That’s because device type is just one of many data points companies use to personalize prices. 

As we know from the recent FTC surveillance pricing study and news reports about algorithmic pricing, retailers can factor in your location, demographics, browsing patterns, shopping history, and even your mouse movements on a webpage. 

Switching to an iPhone could affect pricing in some cases, but it’s likely only one variable in a much larger equation.

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

That’s it for this issue of Incognito. Stay safe, and we’ll see you next month.