Privacy by default
Data protection by default or privacy by default is a principle stating that data protection settings must be preset in such a way that as little data as possible is collected, stored and shared from the outset. One of the goals of privacy by default is to provide a minimum level of data protection even for data subjects who have no knowledge of data protection settings.
The General Data Protection Regulation does not make specific demands for privacy-friendly settings, but it does give a few examples: Measures include minimising the processing of personal data or pseudonymising data. For social networks, for example, this means that the default settings should be that only a small, necessary amount of data is collected and that not all data is automatically made public.
See also Privacy by design
Article 25 GDPR (Data protection by design and by default)
(…)
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Source: Regulation (EU) 2016/679 (see also recital 78)
