Privacy by Default

Privacy by Default is a principle requiring that privacy-protective settings be the default configuration for products, services, and systems, without requiring users to take action to protect their privacy. This means that when someone starts using a service, the most privacy-preserving options should already be selected—minimal data collection, restricted sharing, strongest security settings, and no tracking unless the user actively opts in. The principle recognizes that most users don't change default settings, so defaults powerfully shape actual privacy outcomes. Under the GDPR Article 25, controllers must implement appropriate technical and organizational measures to ensure that by default, only personal data necessary for each specific purpose is processed. This applies to the amount of data collected, extent of processing, period of storage, and accessibility. For example, a social media platform should default to private profiles, not public; a mobile app should default to not sharing location, not tracking it continuously. Privacy by Default is closely related to Privacy by Design but focuses specifically on the default configuration rather than the overall design. Organizations implementing Privacy by Default should set restrictive defaults, require affirmative action to reduce privacy protections, avoid dark patterns that manipulate users into less protective settings, and regularly review defaults to ensure they remain privacy-protective as technology and practices evolve.