How to apply privacy by default settings in your tools
Your new CRM ships with everything shared "to make collaboration easier"? Since September 2024, Law 25 requires the opposite for technology services offered to the public: the highest level of privacy by default, not a maze of hidden settings.
What is privacy by default?
For years, the model was: everything is public, the user protects themselves. The law reverses that logic for your clients and visitors: minimal collection, sharing disabled, restricted visibility, unless an explicit choice goes the other way when the law allows it.
In practice: a person should not have to uncheck fifteen boxes to avoid being exposed. You start from the most protective setting.
Here are a few concrete examples:
- Client portal: profile set to "private" by default; no visible friends list without action.
- Website: non-essential cookies blocked before consent (CAI cookie banner).
- Newsletter: checkbox unchecked by default; no presumed consent through inaction.
Common SaaS (marketing, CRM, HR)
Each tool has its own settings. Here is where to look first:
- CRM: who sees which fields; bulk export limited to roles that need it; not "everyone is admin".
- Marketing email: double confirmation (double opt-in) when possible; separate lists by purpose.
- HR: access to employee files limited to necessary roles; logging of sensitive lookups.
However, checking "vendor default settings" without reading them is not compliance: it is wishful thinking.
Document to prove your choices
An internal page is enough: tool, setting chosen, date, owner (often the privacy officer). If there is a complaint or a PIA, you show that you thought it through, not that you improvised after the fact.
In brief
Privacy by default is not a suggestion: it is the starting configuration of your public services. After each new software rollout (CRM, portal, form), block thirty minutes for settings before opening access to real data.
Useful references
- CAI, Protection of personal information: privacy by default and technology services.
- Act P-39.1 (private sector): requirements since September 2024.
- Cookie banner: protective settings on the public website.
This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.