How to apply privacy by default settings in your tools

Your new CRM ships with everything shared "to make collaboration easier"? Since September 2024, Law 25 requires the opposite for technology services offered to the public: the highest level of privacy by default, not a maze of hidden settings.

What is privacy by default?

For years, the model was: everything is public, the user protects themselves. The law reverses that logic for your clients and visitors: minimal collection, sharing disabled, restricted visibility, unless an explicit choice goes the other way when the law allows it.

In practice: a person should not have to uncheck fifteen boxes to avoid being exposed. You start from the most protective setting.

Here are a few concrete examples:

Common SaaS (marketing, CRM, HR)

Each tool has its own settings. Here is where to look first:

However, checking "vendor default settings" without reading them is not compliance: it is wishful thinking.

Document to prove your choices

An internal page is enough: tool, setting chosen, date, owner (often the privacy officer). If there is a complaint or a PIA, you show that you thought it through, not that you improvised after the fact.

In brief

Privacy by default is not a suggestion: it is the starting configuration of your public services. After each new software rollout (CRM, portal, form), block thirty minutes for settings before opening access to real data.

Useful references

This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.