
Default Privacy Settings

Updated: 2026-02-23

Plain English Translation

Under Quebec Law 25's privacy-by-default requirement (Loi 25, section 9.1), organizations that offer technological products or services to the public must configure them to provide the highest level of confidentiality by default. Users should not have to opt out or adjust settings to protect their personal data; maximum privacy must be the automatic starting state. Notably, the Law 25 default-settings requirement does not apply to browser cookies, which are governed by other transparency and consent rules.

Executive Takeaway

Organizations must ensure all public-facing technological products and services are configured to the highest privacy settings automatically, without requiring any user intervention.

Impact: High
Complexity: Medium

Why This Matters

  • Mitigates the risk of regulatory penalties by adhering strictly to Quebec Law 25 requirements for privacy settings in apps and websites.
  • Builds end-user trust by demonstrating a proactive commitment to privacy-by-default principles.
  • Reduces the likelihood of accidental data over-sharing and subsequent confidentiality incidents.

What “Good” Looks Like

  • New user accounts have the most restrictive data sharing, profiling, and public visibility settings applied upon creation; tools like WatchDog Security's Posture Management can help detect drift from expected default configurations over time.
  • Tracking and profiling features are toggled 'off' by default, requiring explicit opt-in from the user; tools like WatchDog Security's Policy Management can help ensure SDLC and release procedures require this default state and track acknowledgements.
  • Privacy impact assessments (PIAs) explicitly review and validate default configuration states prior to product launches.

Section 9.1 requires organizations offering a technological product or service to the public to ensure that those products provide the highest level of confidentiality by default. This must happen automatically, without any manual intervention from the individual.

In practice, it means that upon initial use or account creation, all optional data sharing, profiling, and public visibility settings must be deactivated or set to their most restrictive state. Users must explicitly opt-in to reduce their privacy protections.

Browser cookies are excluded: the legislation explicitly states that the requirement for the highest level of confidentiality by default does not apply to privacy settings for browser cookies. However, other sections of the law still govern transparency and consent regarding cookie collection.

The rule covers any technological product or service that has privacy settings, collects personal information, and is offered to the public. This broadly includes consumer-facing mobile applications, SaaS platforms, connected IoT devices, and interactive websites.

To meet Law 25's opt-in requirements for tracking and profiling, organizations must ensure that any function allowing a user to be identified, located, or profiled is turned off by default. Organizations must inform users about these technologies and give them an active choice to enable them.

CISOs should enforce secure development policies that mandate privacy-by-default, implement automated configuration drift monitoring, and require Privacy Impact Assessments (PIAs) before releasing new public-facing software features.

To audit default privacy settings for Loi 25 compliance, organizations can maintain version-controlled baseline configurations, use automated UI testing to simulate new-user onboarding, and document the results in QA reports and change management logs.

Common mistakes include using pre-checked consent boxes, burying privacy controls deep in complex menus, and failing to maintain the highest level of confidentiality when deploying product updates that introduce new data-sharing features.

Both Law 25 and GDPR mandate that maximum privacy settings be applied automatically (privacy by default, as distinct from the broader privacy-by-design obligation). A major difference is that Law 25 explicitly exempts browser cookies from this specific default-setting rule, whereas GDPR strictly regulates cookie defaults.

Organizations should maintain Privacy Impact Assessments (PIAs) for all technological products, secure development lifecycle (SDLC) policies, infrastructure-as-code baseline configurations, and detailed change management logs proving default settings are continuously enforced.

Proving “privacy by default” usually requires consistent evidence that default configurations are set to the most restrictive state and stay that way through releases. Tools like WatchDog Security's Compliance Center can help centralize control requirements, map evidence to §9.1, and highlight gaps when required artifacts (e.g., QA results or DPIAs) are missing.

Default privacy settings can degrade over time when new features introduce new toggles or when infrastructure changes alter defaults. Tools like WatchDog Security's Posture Management can help detect misconfigurations and drift against expected baselines, supporting ongoing verification that confidentiality defaults remain in the most restrictive state.
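An added example (not from this page or WatchDog Security's tooling) of the baseline-versus-onboarding check described above: a version-controlled baseline of the most restrictive value for each setting, a constructed snapshot of a newly created account's defaults, and a drift report that also flags toggles a release introduced and treats browser-cookie settings as out of scope under § 9.1. The setting names, values and the `cookie_` prefix convention are hypothetical.

```python
from typing import Dict, List, Tuple

# Hypothetical settings schema. For each setting, allowed values are ordered from
# MOST restrictive to LEAST restrictive; index 0 is the only acceptable default
# under s. 9.1. This dict is what would live in version control as the baseline.
PRIVACY_SCALE: Dict[str, List[object]] = {
    "analytics_tracking":    [False, True],
    "behavioural_profiling": [False, True],
    "precise_location":      [False, True],
    "marketing_consent":     [False, True],   # a pre-checked consent box is a finding
    "profile_visibility":    ["private", "contacts", "public"],
    "search_indexing":       [False, True],
}

# s. 9.1 exempts browser-cookie settings; they are ignored rather than reported as drift.
COOKIE_PREFIX = "cookie_"


def most_restrictive_baseline() -> Dict[str, object]:
    """The expected default state: index 0 of every scale."""
    return {key: scale[0] for key, scale in PRIVACY_SCALE.items()}


def check_defaults(observed: Dict[str, object]) -> List[Tuple[str, str]]:
    """Compare a fresh account's observed defaults (e.g. captured by an onboarding
    UI test) against the baseline. Returns (setting, reason) findings; [] is compliant."""
    findings: List[Tuple[str, str]] = []
    baseline = most_restrictive_baseline()
    for key, scale in PRIVACY_SCALE.items():
        if key not in observed:
            findings.append((key, "missing from onboarding snapshot"))
            continue
        value = observed[key]
        if value not in scale:
            findings.append((key, f"unknown value {value!r}"))
        elif scale.index(value) > 0:
            findings.append((key, f"default {value!r} is less restrictive than {baseline[key]!r}"))
    # Toggles a release added that the baseline does not know about yet: PIA review needed.
    for key in observed:
        if key not in PRIVACY_SCALE and not key.startswith(COOKIE_PREFIX):
            findings.append((key, "new setting not covered by baseline; review in PIA"))
    return findings


# Constructed snapshot of a new account after a release (sample data, not real).
NEW_ACCOUNT_SNAPSHOT: Dict[str, object] = {
    "analytics_tracking": False,
    "behavioural_profiling": True,       # drift: profiling on by default
    "precise_location": False,
    "marketing_consent": True,           # pre-checked consent box
    "profile_visibility": "contacts",    # not the most restrictive value
    "search_indexing": False,
    "share_activity_feed": True,         # toggle added by the release, absent from baseline
    "cookie_preferences": "all",         # exempt under s. 9.1, ignored by the check
}

if __name__ == "__main__":
    for setting, reason in check_defaults(NEW_ACCOUNT_SNAPSHOT):
        print(f"FINDING {setting}: {reason}")
```

Running the check in CI against a snapshot captured from an automated onboarding test gives the QA artifact the audit step above calls for.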

LAW25 § 9.1

"Any person carrying on an enterprise who collects personal information when offering to the public a technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned. The first paragraph does not apply to privacy settings for browser cookies."

Version  Date        Author                      Description
1.0.0    2026-02-23  WatchDog Security GRC Team  Initial publication