Privacy by default is the principle, codified in Article 25(2) of the GDPR, that organisations must ensure the highest level of privacy protection is applied automatically without requiring any action from the individual. This means that when a system or service offers multiple privacy settings, the most restrictive option must be the default, and only the personal data strictly necessary for the specific purpose should be processed.
In practice, privacy by default affects product design decisions such as opt-in rather than opt-out consent mechanisms, minimal data collection forms, limited default data sharing with third parties, and restricted access to personal data within the organisation. It works in tandem with privacy by design and requires collaboration between legal, product, and engineering teams to ensure privacy-protective defaults are embedded throughout the data processing lifecycle.