ClearLaunch
Feature CheckerRegulations & PoliciesEnforcementRadarVendorsChangelogGuides
FAQ
← All Controls

Privacy by design + by default documentation

privacy-by-design-docDomain: data-privacyType: policy

Description

Privacy by design and by default is the GDPR Article 25 obligation that privacy considerations be built into product development from the outset rather than retrofitted before launch, and the by-default piece is the second-order requirement that the most privacy-protective configuration be the out-of-the-box state for any given setting. The substantive consequence is mostly process: privacy considerations enter the design review (typically as a checklist or a privacy-impact assessment proportional to data sensitivity), the engineering team selects the technical option that minimizes data collection consistent with the product purpose (pseudonymization where feasible, aggregation rather than per-user retention, retention windows scoped to purpose), and the default settings on configurable privacy controls start at the most privacy-protective option rather than the most engagement-maximizing one. Article 25 is not prescriptive about which technical choices are right; it requires that the choices be considered, documented, and proportional to the risk. The defensibility argument is the artifact set: design-review notes showing privacy was on the agenda, DPIAs for high-risk processing, change-history showing privacy carried through implementation. The thing that surfaces in enforcement is the by-default question, which marketing and growth instincts pull the opposite way; the documented design-review record is what shows the choice was deliberate rather than drift.

Required by (2 regulations)

  • GDPR

    Article 25 — data protection by design and by default.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • UK AADC

    Standard 1 — best interests of the child by design.

    Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

Fulfilled by (1)

  • In-house build · medium effort

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

  • design review records
  • default-settings audit
  • pseudonymization design notes

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

ClearLaunch

Regulatory intelligence for people who ship products.

Tools
Feature CheckerRegulations & PoliciesVendorsGuidesFor LegalFor EngineeringFor ExecutivesFor Investors
About
AboutMethodologyChangelogFAQRegulatory UpdatesClearLaunch on LinkedIn
Legal
Terms of ServicePrivacy PolicyHow we handle your dataCoverage scope & limitations

Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. ClearLaunch provides legal information; consult a licensed attorney in your jurisdiction. Data reviewed through March 2026. Methodology

© 2026 ClearLaunch · Terms · Privacy