Obligations

Privacy by Default

Defined in §8(4), DPDPA 2023; Rule 6(1), Rules 2025

Default system settings must provide the highest level of privacy protection without requiring user action.

What does “Privacy by Default” mean?

Privacy by Default means that the default settings of any system or service must be the most privacy-protective options available. Users should not need to navigate complex settings to protect their data; protection should be the starting state. Under DPDPA, this means optional data collection must be off by default, data sharing must require explicit opt-in, and every role and process should start with the minimum data access it needs.

Why does this matter for your business?

If your product defaults to collecting the maximum amount of data or sharing it broadly, you breach this obligation even if privacy settings exist somewhere in the UI. The Board evaluates the behaviour a user actually gets without touching anything, not what the product is theoretically capable of.

Real example

A Jaipur social media startup launches profiles as "private" by default, analytics tracking as "off" by default, and third-party data sharing as "disabled" by default. Users can opt in to each, but the starting position protects their data.

Common misconception

Having a "privacy settings" page is not sufficient. If the defaults are permissive and users must actively restrict them, you are not compliant with Privacy by Default.
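The definition, the Jaipur example and the misconception above all come down to one testable property: every privacy-relevant setting starts at its most protective value, and moving away from it requires an explicit, affirmative opt-in. The following Python is an added example written for this page, not code from DPDPA Shield or any product; the setting names, the `Setting`/`Consent` record shapes and the two schemas are constructed assumptions. It shows a check that flags permissive defaults (the "settings page exists but defaults are open" case) and a resolver that refuses to loosen a setting unless an explicit consent record for that exact value exists, ignoring pre-ticked or implied consent.

```python
"""Privacy-by-default check for a settings schema.

Added example for this page; not code from the original page or from
DPDPA Shield. Setting names, schemas and the consent-record shape are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Setting:
    """One privacy-relevant option and the value that protects the user most."""
    name: str
    default: Any
    most_protective: Any
    needs_opt_in: bool = True  # moving away from most_protective needs explicit consent


@dataclass(frozen=True)
class Consent:
    """A recorded consent event (constructed shape, an assumption for this example)."""
    setting: str
    value: Any      # the permissive value the user agreed to
    explicit: bool  # True only for an affirmative user action, never a pre-ticked box


# Hypothetical settings for a social app, modelled on the page's example:
# profiles private, analytics off, third-party sharing disabled by default.
PRIVACY_BY_DEFAULT_SCHEMA = (
    Setting("profile_visibility", default="private", most_protective="private"),
    Setting("analytics_tracking", default=False, most_protective=False),
    Setting("third_party_sharing", default=False, most_protective=False),
)

# The same product shipped with permissive defaults plus a settings page
# where users may restrict them later. This is the non-compliant shape.
PERMISSIVE_SCHEMA = (
    Setting("profile_visibility", default="public", most_protective="private"),
    Setting("analytics_tracking", default=True, most_protective=False),
    Setting("third_party_sharing", default=True, most_protective=False),
)


def privacy_by_default_violations(schema):
    """Names of settings whose starting value is not the most protective one."""
    return [s.name for s in schema if s.default != s.most_protective]


def resolve_settings(schema, requested, consents):
    """Compute a user's effective settings.

    Start from the schema defaults, then apply requested changes. A change
    towards the most protective value is always allowed. A change away from
    it is applied only when an explicit consent record for that exact value
    exists; otherwise the request is rejected and the default stands.
    Returns (effective_settings, rejected_setting_names).
    """
    explicit = {(c.setting, c.value) for c in consents if c.explicit}
    effective = {s.name: s.default for s in schema}
    rejected = []
    for s in schema:
        if s.name not in requested:
            continue
        value = requested[s.name]
        loosening = value != s.most_protective
        if not loosening or not s.needs_opt_in or (s.name, value) in explicit:
            effective[s.name] = value
        else:
            rejected.append(s.name)
    return effective, rejected


if __name__ == "__main__":
    print("compliant schema violations:", privacy_by_default_violations(PRIVACY_BY_DEFAULT_SCHEMA))
    print("permissive schema violations:", privacy_by_default_violations(PERMISSIVE_SCHEMA))
    consents = [
        Consent("analytics_tracking", True, explicit=True),
        Consent("third_party_sharing", True, explicit=False),  # pre-ticked box: ignored
    ]
    wanted = {"analytics_tracking": True, "third_party_sharing": True, "profile_visibility": "public"}
    print(resolve_settings(PRIVACY_BY_DEFAULT_SCHEMA, wanted, consents))
```

Running `privacy_by_default_violations` against your real settings schema in CI is the cheapest way to catch the misconception above: a product can have a complete privacy settings page and still fail the check if any default differs from its most protective value.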
