I Have Seen the Future, and It Is ‘Privacy by Design’


A software application built from blueprints with a privacy shield in its foundation and a default toggle set to protected, illustrating privacy by design and by default. Aber Law Firm.

Short answer: Privacy by Design means building privacy into your software from the first design decision, not bolting it on later, with the default settings set to protect the user. It started as a Canadian framework, the FTC pushes it in enforcement, and it is now baked into law as the GDPR’s “data protection by design and by default.”

That title may be a slight overstatement, but I do think Privacy by Design is the future of privacy for SaaS and software companies.

Three Things You Should Know.

1) Adopted in the US, invented in Canada. The methodology was conceived by the Information and Privacy Commissioner of Ontario (Ann Cavoukian), and the US Federal Trade Commission joined in. It is not a standalone US statute, but the FTC pushes companies toward it through enforcement and consent orders.

2) Build privacy into development. Privacy should be addressed during the design of the software, not as an afterthought. The cheapest privacy control of all is the data you never collect.

3) It is all about default settings. A core principle is that the default setting protects privacy. The user does nothing, and their privacy is protected. The FTC reinforced this in the Google Buzz consent order in 2011.

The Seven Foundational Principles, in Plain English.

  • Proactive, not reactive. Anticipate privacy risks before they happen.
  • Privacy as the default. The user gets maximum privacy without lifting a finger.
  • Privacy embedded into design. It is part of the architecture, not an add-on.
  • Full functionality. Privacy and features are not a trade-off; aim for both.
  • End-to-end security. Protect data through its full lifecycle, including deletion.
  • Visibility and transparency. Tell users what you actually do with their data.
  • Respect for the user. Keep it user-centric.

Why This Is Now Law, Not Just a Nice Idea.

When this post first ran, Privacy by Design was mostly an FTC talking point. It is now a legal requirement in the most important privacy regime in the world: Article 25 of the GDPR codifies “data protection by design and by default.” US state laws follow its spirit. The California regime (CCPA and CPRA) and the wave of state privacy statutes expect data minimization, purpose limitation, and reasonable security, which are Privacy by Design principles wearing statutory clothes. A SaaS vendor selling into the EU or to enterprise US customers is increasingly expected to show this, not just claim it.

How a SaaS Vendor Operationalizes It.

  • Default to private. Ship with the privacy-protective setting on, and make the user opt in to sharing rather than opt out.
  • Collect less. Data minimization is the cheapest control there is. You cannot lose what you never collected.
  • Review new features for privacy. A short privacy impact assessment before launch catches problems while they are cheap to fix.
  • Flow it down your contracts. Your DPA and vendor agreements should require sub-processors to meet the same bar.

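The four steps above are design decisions, so they can be checked in code. The following is an added example written for this page, not code from the original post or from Aber Law Firm. It sketches a small data-intake layer that enforces privacy-protective defaults (every sharing option is off until the user explicitly opts in, and each opt-in is logged), purpose-based data minimization (a per-purpose allowlist strips any field a purpose does not need, and an unknown purpose is refused rather than stored), and retention-bound deletion for the end-to-end lifecycle. The purposes, field names, retention periods and the sample sign-up payload are all illustrative assumptions.

```python
"""Added example (not from the original post): privacy-protective defaults,
purpose-limited data minimization, and retention-bound deletion in one intake
layer. Purposes, fields and retention periods are illustrative assumptions."""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

# Purpose limitation: each processing purpose may receive only these fields.
# Anything else on a submitted record is dropped before storage. (Hypothetical
# purposes and field names.)
PURPOSE_FIELDS = {
    "account": {"email", "display_name"},
    "billing": {"email", "billing_country"},
    "analytics": {"plan_tier"},  # no identifiers at all
}

# Retention per purpose: how long a stored record may live before deletion.
# (Illustrative periods, not legal advice on any actual retention rule.)
RETENTION = {
    "account": None,                     # kept for the life of the account
    "billing": timedelta(days=7 * 365),
    "analytics": timedelta(days=90),
}

OPT_IN_SETTINGS = ("share_profile_publicly", "marketing_email", "third_party_analytics")


@dataclass
class PrivacySettings:
    """Privacy by default: every sharing option starts off; the user opts in."""
    share_profile_publicly: bool = False
    marketing_email: bool = False
    third_party_analytics: bool = False
    consent_log: list = field(default_factory=list)

    def opt_in(self, setting: str, when: datetime) -> None:
        """Turn a sharing option on only by explicit, time-stamped user action."""
        if setting not in OPT_IN_SETTINGS:
            raise ValueError(f"unknown setting: {setting!r}")
        setattr(self, setting, True)
        self.consent_log.append((setting, when.isoformat()))


def minimize(record: dict, purpose: str) -> dict:
    """Keep only the fields the named purpose needs; refuse unknown purposes."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no allowlist for purpose {purpose!r}; refusing to store")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def store(record: dict, purpose: str, now: datetime) -> dict:
    """Minimize, then stamp the record with its purpose and deletion deadline."""
    kept = minimize(record, purpose)
    ttl = RETENTION[purpose]
    kept["_purpose"] = purpose
    kept["_delete_after"] = (now + ttl).isoformat() if ttl else None
    return kept


def is_expired(stored: dict, now: datetime) -> bool:
    """End-to-end lifecycle: a record past its deadline must be deleted."""
    deadline = stored["_delete_after"]
    return deadline is not None and datetime.fromisoformat(deadline) <= now


def sweep(records: list, now: datetime) -> list:
    """Return only the records still inside their retention period."""
    return [r for r in records if not is_expired(r, now)]


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo


def demo() -> dict:
    """Run the three controls over a constructed sign-up payload."""
    # Constructed payload: deliberately carries more than any one purpose needs.
    signup = {"email": "a@example.com", "display_name": "A", "billing_country": "DE",
              "plan_tier": "pro", "phone": "+1-555-0100", "ip": "203.0.113.7"}
    settings = PrivacySettings()
    defaults = {k: v for k, v in asdict(settings).items() if k != "consent_log"}
    settings.opt_in("marketing_email", NOW)
    stored = [store(signup, p, NOW) for p in ("account", "billing", "analytics")]
    later = NOW + timedelta(days=100)
    return {
        "defaults_all_off": not any(defaults.values()),
        "marketing_after_opt_in": settings.marketing_email,
        "consent_entries": len(settings.consent_log),
        "billing_fields": sorted(k for k in stored[1] if not k.startswith("_")),
        "analytics_fields": sorted(k for k in stored[2] if not k.startswith("_")),
        "records_after_100_days": len(sweep(stored, later)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the allowlist is that minimization is not a filter you remember to apply per feature; storage is impossible without naming a purpose, and naming a purpose automatically drops everything it does not need. The same shape works for a short privacy impact assessment at feature launch: the review question becomes "which purpose and allowlist does this feature add?" rather than an open-ended discussion.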
Do that, and the privacy commitments in your customer agreements stop being aspirational and start being true.

Frequently Asked Questions.

Is Privacy by Design legally required in the US? Not as a standalone statute, but the FTC enforces its principles through consent orders, and state laws like CCPA/CPRA embed data minimization and reasonable security, which are the same ideas.

Is it required under the GDPR? Yes. Article 25 codifies “data protection by design and by default,” so a vendor selling into the EU is expected to demonstrate it.

What is the single most practical step? Default to private and collect less. Privacy-protective defaults plus data minimization deliver most of the benefit for the least engineering effort.

A few related reads. NAI Code of Conduct covers the self-regulatory baseline for online advertising. Privacy Issues for App Developers covers FTC and state guidance. 3 Privacy Takeaways from the Google Buzz Settlement covers the default-settings precedent. And 3 Employee Privacy Tips covers City of Ontario v. Quon.

Disclaimer:

This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.
