Privacy by design & by default: why the settings should protect you already

Art. 25 makes privacy-hostile defaults illegal: the most protective setting must be the starting point, not the buried option. A blunt weapon hiding in plain sight.

Two duties in one article. By design (Art. 25(1)): data protection engineered in from the start — minimisation, pseudonymisation, security as architecture, not patches. By default (Art. 25(2)) — the consumer-facing blade: out of the box, only data necessary for the specific purpose may be processed. Profile public-by-default, location-sharing pre-enabled, “personalised ads” pre-selected, contacts upload nudged at onboarding — each is an Art. 25(2) argument waiting to be made. Where it has bitten: child-account defaults were central to the Instagram children’s-data fine (public-by-default business accounts for minors) and to TikTok cases; the EDPB’s Art. 25 guidelines read defaults strictly, and every dark-pattern case leans on it — a manipulative interface is the opposite of protective design. How you use it: in complaints, name it — “the default setting violated Art. 25(2)” turns “I didn’t know sharing was on” from your fault into theirs. Practically: sweep the privacy settings of every new app on day one, assuming the vendor chose against you; five minutes at signup beats any cleanup later. For builders (see the business kits): the cheapest compliance ever shipped is a form that asks for less.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority