Privacy by Default: GDPR Requirement Explained
Learn what privacy by default means under the GDPR, how it differs from privacy by design, and practical steps to implement it in your organization.
Privacy by default is a binding legal obligation under the GDPR that dictates how organizations must configure their systems, products, and services before users interact with them. The principle of privacy by default requires that the strictest data protection settings apply automatically, without requiring any action from the individual.
Despite being codified in Article 25(2) of the GDPR since 2018, privacy by default remains one of the most frequently misunderstood and poorly implemented requirements. This guide explains what the law actually requires, how it differs from the related concept of privacy by design, and what concrete steps organizations need to take. This content is for educational purposes and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Privacy by Default Means Under Article 25(2)
Article 25(2) of the GDPR states that the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. The article explicitly states that this obligation applies to:
- The amount of personal data collected
- The extent of processing performed on that data
- The period of storage for which data is retained
- The accessibility of data, meaning who and how many people can access it
The regulation further specifies that by default, personal data shall not be made accessible without the individual's intervention to an indefinite number of natural persons. This provision directly targets scenarios like social media profiles that are public by default or user directories that expose information to all members of a platform.
The European Data Protection Board (EDPB) issued detailed guidance on this requirement in Guidelines 4/2019 on Article 25. The EDPB emphasized that privacy by default is not a suggestion or best practice. It is a standalone legal obligation with its own enforcement provisions. Organizations that treat it as optional expose themselves to regulatory action.
Privacy by Default vs. Privacy by Design
Article 25 of the GDPR contains two distinct but complementary obligations. Understanding the difference is essential because they address different phases of data processing.
Privacy by design (Article 25(1)) requires data protection to be integrated into the development and engineering process from the earliest stage. It is about how systems are built. The controller must implement appropriate technical and organizational measures, such as pseudonymization and data minimization, and integrate safeguards into the processing itself. This obligation applies "at the time of the determination of the means for processing" and "at the time of the processing itself."
Privacy by default (Article 25(2)) governs the configuration that ships to users. It is about what the end user experiences when they first use a product or service without changing any settings. The default state must be the most restrictive, privacy-protective option.
A practical example illustrates the distinction:
- Privacy by design: An application development team builds a user profile system that stores data in encrypted fields, implements granular access controls, and logs all data access events.
- Privacy by default: When a user creates an account, their profile visibility is set to "private," optional data fields are left blank rather than pre-filled, and marketing communications are turned off.
Both requirements must be satisfied simultaneously. A system that is well-engineered but ships with permissive defaults violates Article 25(2). A system with restrictive defaults but poor underlying security violates Article 25(1).
Key Elements of Privacy by Default Compliance
The EDPB's Guidelines 4/2019 identify specific elements that controllers must address to meet the privacy by default obligation. These apply to any product, service, application, or system that processes personal data.
Data minimization by default
The system must collect only the personal data strictly necessary for the defined purpose. Optional fields should be clearly marked as optional and left empty by default. Registration forms should not require phone numbers, dates of birth, or other data points unless they are genuinely necessary for the service.
Processing limitation by default
Personal data collected for one purpose must not be processed for additional purposes without explicit user action. If a user signs up for an account, their data should not be used for personalized advertising, profiling, or analytics unless they specifically opt in.
Storage limitation by default
Retention periods should be set to the minimum necessary, and data should be automatically deleted or anonymized when the retention period expires. Systems should not retain data indefinitely by default, even if longer retention is available as a user-configurable option.
Access restriction by default
Personal data should be accessible to the smallest number of people necessary. Within an organization, access controls should follow the principle of least privilege. Externally, user data should be private by default, with sharing only enabled through deliberate user action.
User-facing defaults
All privacy-related settings visible to the user must default to the most protective option:
- Marketing and promotional email preferences: off
- Profile visibility: private or restricted
- Location sharing: disabled
- Data sharing with third parties: disabled
- Cookies and tracking beyond strict necessities: blocked until consent is given
- Search engine indexing of profiles: disabled
Practical Implementation of Privacy by Default
Translating Article 25(2) into practice requires changes across product development, system configuration, and organizational processes. The following measures address the most common areas where privacy by default applies.
Application and product settings
Review every user-facing setting that affects data processing and ensure the default is the most restrictive option. This includes:
- Account creation flows: Collect only the data necessary to create the account. Do not pre-check boxes for newsletters, marketing, or third-party data sharing.
- Notification settings: Default to essential notifications only. Promotional and marketing messages require explicit opt-in.
- Visibility and sharing: User profiles, posts, and activity should be private by default. Any sharing beyond the minimum required for the service must be user-initiated.
- Connected services: Integrations with third-party services should be disabled by default, with clear explanations provided before the user enables them.
Website configuration
Websites present specific privacy by default challenges around cookies, tracking, and data collection.
- Cookie consent: Load only strictly necessary cookies before the user grants consent. Analytics, advertising, and social media cookies must be blocked by default. A properly configured consent management platform handles this automatically.
- Contact forms: Collect only the information needed to respond to the inquiry. Do not include pre-checked consent boxes for marketing.
- Analytics: If using analytics tools that process personal data, ensure they do not fire until valid consent is obtained.
- Embedded content: Third-party embeds (videos, maps, social widgets) that set cookies or transmit personal data should be replaced with privacy-friendly placeholders until the user opts in.
Your privacy policy should document the default settings your organization applies and explain how users can adjust them.
Internal systems and employee access
Privacy by default also applies to internal data handling:
- Database and CRM access should be restricted to employees who need the data for their specific role
- Admin panels should not display full personal data by default; use masking or partial display with an option to reveal when needed
- Log files should minimize personal data capture and apply automatic rotation and deletion schedules
- Employee onboarding should provision the minimum access permissions required for the role
Common Privacy by Default Violations
Supervisory authorities and the EDPB have identified several patterns that commonly violate the privacy by default requirement.
Pre-checked consent boxes: Any consent mechanism where the default state is "opted in" violates privacy by default. This includes pre-ticked checkboxes for marketing emails, pre-selected cookie categories beyond strict necessities, and default enrollment in data sharing programs. The Court of Justice of the European Union confirmed in Planet49 (Case C-673/17) that pre-checked boxes do not constitute valid consent.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowPublic-by-default profiles: Social media platforms and community services that make user profiles publicly visible by default violate Article 25(2). The EDPB specifically addressed this in Guidelines 4/2019, stating that personal data should not be made accessible to an indefinite number of persons without the individual's active choice.
Excessive data collection at registration: Requiring users to provide data that is not necessary for the service at the point of account creation. If a service can function with only an email address, requiring a full name, phone number, date of birth, and physical address at registration violates data minimization by default.
Indefinite data retention: Systems that store personal data without defined retention periods or automatic deletion mechanisms fail the storage limitation element of privacy by default. Data should have a defined lifecycle, and the default behavior should be deletion or anonymization when the purpose is fulfilled.
Broad employee access: Granting all employees or departments access to all customer data, rather than restricting access based on role and necessity, violates the accessibility element of Article 25(2).
Enforcement and Penalties for Privacy by Default Failures
Violations of Article 25 fall under Article 83(4) of the GDPR, which provides for fines of up to 10 million EUR or 2% of the organization's annual global turnover, whichever is higher. In practice, privacy by default failures often occur alongside other violations that carry the higher penalty tier of up to 20 million EUR or 4% of turnover.
Notable enforcement actions involving Article 25 include:
- The Spanish AEPD fined CaixaBank 6 million EUR in 2021, citing violations of Article 25 alongside other provisions, for processing customer data for purposes they had not consented to
- The Norwegian Datatilsynet fined Grindr approximately 6.3 million EUR (65 million NOK) in 2021 for sharing user data with advertising partners without valid consent, with the authority referencing inadequate default privacy settings
- Multiple supervisory authorities have cited Article 25 in enforcement actions against organizations using pre-checked consent boxes or public-by-default profile settings
The EDPB has also emphasized that Article 25 obligations can be enforced independently, meaning a supervisory authority can issue penalties specifically for failing to implement privacy by default even without evidence of a concrete data breach or individual harm.
Privacy by Default in Website Compliance
For website operators, privacy by default intersects directly with cookie consent, tracking technologies, and data collection practices. The requirement means that a visitor arriving at your website for the first time should experience the most privacy-protective configuration.
Concretely, this means:
- No tracking scripts load until the visitor provides valid consent through a cookie banner
- No pre-selected cookie categories in the consent interface beyond strictly necessary cookies
- Contact and signup forms do not include pre-checked marketing consent boxes
- Third-party embeds do not load until the visitor opts in to the relevant cookie category
- User accounts, if applicable, default to private profiles and minimal data sharing
Maintaining these defaults requires both proper technical implementation and clear documentation. Your cookie policy should explain what cookies are blocked by default and what changes when a visitor grants consent. Your privacy policy should describe the default data processing configuration and the choices available to the user.
Tools like TermsBox can help maintain this documentation by scanning your website for cookies and trackers and generating policies that accurately reflect your site's actual behavior, keeping your privacy documentation aligned with your technical defaults.
Privacy by Default as an Ongoing Obligation
Privacy by default is not a one-time checkbox. Article 25 requires controllers to implement and maintain appropriate measures on an ongoing basis. The EDPB's guidelines emphasize that organizations must:
- Review default settings whenever a product or service is updated
- Reassess defaults when new processing purposes are introduced
- Monitor third-party integrations for changes that affect default data collection
- Update documentation when defaults change
- Train staff on privacy by default principles as part of data protection awareness programs
Each new feature, integration, or product update is an opportunity to either maintain or violate privacy by default. Development workflows should include a privacy review step that specifically evaluates whether new functionality respects the principle that the default configuration must be the most privacy-protective option.
Organizations that embed privacy by default into their development and review processes not only meet their legal obligations under the GDPR but also build products that earn user trust through demonstrated respect for personal data.
Frequently Asked Questions
What does privacy by default mean under the GDPR?
Privacy by default, as required by Article 25(2) of the GDPR, means that the default settings of any system, product, or service must process only the minimum personal data necessary for each specific purpose. Without the user taking any action, the most privacy-protective options must be active. This applies to the amount of data collected, the extent of processing, the storage period, and accessibility.
How is privacy by default different from privacy by design?
Privacy by design (Article 25(1)) requires organizations to integrate data protection into the development process of systems and products from the earliest stage. Privacy by default (Article 25(2)) requires that the shipped product's default configuration is the most privacy-protective option. In practice, privacy by design is about the engineering process, while privacy by default is about what the end user experiences out of the box.
What are the penalties for not implementing privacy by default?
Failure to implement privacy by default can result in fines up to 10 million EUR or 2% of annual global turnover under Article 83(4) of the GDPR. Supervisory authorities have issued enforcement actions specifically citing Article 25 violations. In practice, privacy by default failures often accompany other violations such as unlawful processing or insufficient consent, which can push fines into the higher tier of up to 20 million EUR or 4% of turnover.
Does privacy by default apply to existing systems or only new ones?
Article 25 applies to all processing activities, not just new systems. While the text references implementing measures "at the time of the determination of the means for processing," the EDPB has clarified in Guidelines 4/2019 that controllers must continuously review and update existing systems to ensure they meet privacy by default requirements. Legacy systems that do not comply should be updated as part of ongoing compliance efforts.