News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Privacy by default in online services Related reading: OCR issues rule for reproductive health care under HIPAA

rss_feed

""

Privacy as the default setting is one of the "seven foundational principles" of privacy by design, a concept developed back in the '90s. PbD has been widely recognized in the business environment and subsequently became part of various legal frameworks. For example, it is expressly included in Australian Privacy Principles.

Most recently, data protection by design and by default was introduced by EU lawmakers as a prominent part of the provisions of the GDPR. In this context (see Article 25 of the GDPR) technical and organizational measures are mentioned, which should aim to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 

As the ePrivacy Regulation is being developed in the EU, which will also have a tremendous effect on the online environment, the fundamental question, "What are the very settings which are by default private?" remains.

This will be a very practical problem for many companies wishing to ripe the benefits of digital market, and some up-to-date guidance from regulators and industry standards would definitely help.  

In the meantime, let’s try to analyze it ourselves. 

It is quite obvious that the online environment is built around collecting all kind of information, including user-related data. Many big players of the Internet have their core activities and business models revolving around gathering and sharing user-related data. Equally obvious is that for a long time, these business models were not designed to be privacy-friendly, and various forms of user tracking remain a prevalent practice. So it generally looks more like a "tracking by default" than "privacy by default."

Through consumer awareness and regulatory interventions, some changes have been introduced, and quite often users can now adjust their settings to make them more private. Right of choice and openness are supported by various tools, such as interactive dashboards, videos and pop-ups, through which users get basic understanding of what happens with their data and what can they do if they are not happy about it. In other words, opt-out supported by different software tools is offered to users.

Although any improvements which strengthen consumer rights in an online environment are more than welcomed, and in fact are necessary since users’ trust is critical for digital economy, this is still by far not something we would call ‘Privacy as the default setting’.

Therefore, more adjustments seem to be necessary.

In particular, it seems online service providers should by default only use such data which are necessary for the core functionalities of the services requested by consumer, e.g., when she created her account or downloaded an application. Making services better, enhancing a user’s experience, or personalizing services, justifications all too often used by services providers in their notices, would not meet this condition.

In such cases, or for such additional functionalities, opt-in instead of opt-out would be a more appropriate method. This would be in fact more logical altogether.

Why not convince people to switch on personalized advertisements instead of pushing it on consumers? The free and informed consent would no doubt have a more lasting effect, and if someone makes conscious choices, it is more likely that she will be in fact interested in viewing some content, rather than fighting against pop-up windows. Perhaps this would call for modifying some business models so quality goes before quantity, also, in an online environment where it still could be measured in many ways.  

It should be clear also, that no data traditionally viewed as sensitive or harmful should be gathered "by default" from consumers using online services. Under the GDPR, that kind of data includes:

  • data revealing racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health, and
  • data concerning a natural person's sex life or sexual orientation. 

It also includes data on criminal convictions and offenses or related security measures, which are not called sensitive data per se, but are treated similarly.

Processing such data would require, in most cases, explicit consent. In some situations, e.g., when such data were manifestly made public by the data subject, such consent would not be needed. However, even then, this should not be the default setting to publicize such data or disseminate them.

This would in fact be, to some extent, relevant to all categories of personal data, as they should not be made accessible without the individual's intervention to an indefinite number of natural persons.

Almost equally important is not to use default settings which would collect and further process, without the user’s explicit will, data such as: financial information and in particular credit card numbers or other data that could be used to authorize financial transactions, government IDs, Social Security numbers and other identifiers having a similar role, or precise geo-location. The risks for the individuals and the sheer probability of misusing such data are too big to allow for gathering such data from the outset and without making sure that users are aware of existing risks before providing such data.   

Similarly, this would be relevant to all kinds of automatic or semi-automatic profiling practices consisting of predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements. No kind of tracking of individuals should be enabled by default. This should clearly be an opt-in preceded by sufficient description of techniques used and potential consequences to the individuals concerned. Instead, privacy-friendly algorithms based on processing of aggregated and anonymous data could work well with defining types of information or advertisements for particular groups of users.

It should be noted that the risks of creating detailed user profiles have been widely discussed and described in WP29 opinions and in particular in Opinion 02/2013 on apps on smart devices and in Opinion 8/2014 on the on Recent Developments on the Internet of Things. The former describes certain categories of data, typically processed in an online environment, as having a significant impact on the private lives of users and other individuals. This covers in particular such data as:

  • location;
  • contacts;
  • unique device and customer identifiers;
  • identity of data subjects;
  • identity of phone number;
  • credit card and payment data;
  • phone call logs;
  • SMS or instant messaging;
  • browsing history;
  • email;
  • information society service authentication credentials;
  • pictures and videos, and
  • biometrics.

It would be more than welcomed, that when providing such data, the user should be warned with some kind of additional prompt window, and asked, as with online bank transactions, for a second confirmation of her intent to submit the data and allow for their processing. Such consent should be, where possible, only for the given period of time, or at least user should be reminded, from time to time, of her right to withdraw such consent by changing relevant settings. This could be less relevant and practical if the service itself is, for example, about providing email account or storage for photos, inasmuch as it relates to this content processed solely to deliver the core functionality to the user. However, it would be relevant in many other situations and it would be certainly better to err on the side of privacy when engineering apps or services.

While still not sure what will be the final version of ePrivacy Regulation and what would be the default settings, good enough to be GDPR compliant, building consumer awareness and industry good practices remains also crucial. Ultimately all these factors: laws, consumer expectations and industry standards, are strongly interrelated and will shape privacy standards in an online environment.

What would be recommended, as a good practice, is that only the data needed for the core functionalities of the app or service, which are apparent and transparent to the user, should be collected based on the default settings. For any other types of data, only anonymized and aggregated data should be gathered, unless the user herself will modify such settings so that personal data may be processed for specific purposes.    

Author
Headshot Piotr Foitzik, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Tags
Europe
Privacy Law
Privacy Operations Management
3 Comments

If you want to comment on this post, you need to login.

  • comment Jason Cronk • Jun 20, 2017 
    Piotr, while I absolutely agree with you that informed consent should drive data usage and companies should only use data necessary for the core service, I think those concepts more appropriately fall under consent and data minimization. Under the original PbD formulation, Privacy by Default consisted of situations where "No action is required on the part of the individual to protect their privacy." If the risk were of communication surveillance, for instance, Privacy by Default would imply that the user need not take their own effort encrypt their communications. Outside the security realm, consider the risk of aggregation of data (i.e. building dossiers). Privacy by Default might imply that identifiers be randomly assigned to reduce the risk of correlation across services. I, as the user, don't have to take the step of creating different usernames for every service I use to protect my privacy, the service provider has considered this risk and built in a control to help me.  

I often use the analogy of passwords. We don't give users the ability to choose "password" as their password, even though many would. Why? Because they don't have the security expertise to realize the risks of choosing a simple password (dictionary attacks, rainbow tables, etc.). Similarly, with privacy, we (privacy professionals) need to protect users by default because often users can't, won't or don't understand the risks involved to protect their own privacy.
  • comment Piotr Foitzik • Jun 20, 2017 
    Hi Jason, I agree very much that data minimization is relevant here, what's more I would call data minimization by default the very essence of settings which would be by default private. It seems that this is also how it needs to be interpreted under the GDPR as it says 'The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.' (cf. Article 25 (2) of the GDPR). It may be, as you suggest, that concepts of the PbD and 'Data protection by design and by default' under GDPR although being close to each other, are not exactly identical.
  • comment Sayantan Dey • Feb 13, 2021 
    Very well explained text
Related Stories
UK NCSC updates cyber assessment framework
The U.K. National Cyber Security Centre updated its cyber assessment framework to include a focus on critical infrastructure vulnerabilities. It now includes sections on remote access, privileged operations, user access levels and multifactor authentication.Full story...
Read More queue Save This
IAB Europe responds to EDPB opinion on pay or consent
IAB Europe published a response to the European Data Protection Board's opinion on the legality of pay-or-consent models for obtaining valid consent to process personal data. IAB Europe said the opinion creates "legal uncertainty for many businesses beyond large online platforms" and the EDPB made "...
Read More queue Save This
EDPB publishes 2023 Annual Report
The European Data Protection Board issued its 2023 Annual Report. The report contains recaps of the EDPB's adoption of two binding decisions, as well as its urgent binding decision to order Meta to cease all processing of personal data in the European Economic Area.Full story...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Law
Privacy Operations Management
Recent Comments