Privacy by design

From Emergent Wiki

Privacy by design is an engineering principle that embeds privacy protections into the architecture of systems from their inception, rather than adding them as afterthoughts. The concept, articulated by Ann Cavoukian in the 1990s, holds that privacy should be proactive, default, embedded into design, full-functionality, end-to-end, visible, transparent, and user-centric. In practice, this means data minimization, purpose limitation, and early consideration of privacy risks. Privacy by design is the technical counterpart to data protection law: where law constrains behavior, design constrains possibility. A system that cannot collect certain data does not need a policy about how to handle that data. The principle has been adopted in the EU's GDPR and is increasingly invoked in critiques of surveillance capitalism, though critics argue that corporate adoption remains largely performative.
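As an added illustration (not part of the original article), the sketch below shows data minimization and purpose limitation enforced by the storage layer itself rather than by policy. The purpose registry, field names and the `MinimalStore` class are hypothetical, and the sample records are constructed.

```python
# Hypothetical purpose registry: each declared purpose lists the only
# fields the system is able to store for it. Anything else is never kept.
PURPOSES = {
    "order_fulfilment": {"name", "shipping_address", "email"},
    "newsletter": {"email"},
}


class PurposeError(Exception):
    """Raised when data is collected or read under an undeclared purpose."""


class MinimalStore:
    def __init__(self):
        # Records are keyed by (subject, purpose), so data gathered for one
        # purpose is not reachable through another.
        self._rows = {}

    def collect(self, subject_id, purpose, submitted):
        """Store only the fields declared for `purpose`; return what was dropped."""
        allowed = PURPOSES.get(purpose)
        if allowed is None:
            raise PurposeError(f"undeclared purpose: {purpose!r}")
        kept = {k: v for k, v in submitted.items() if k in allowed}
        self._rows[(subject_id, purpose)] = kept
        # Dropped field names (not values) are returned so callers can audit
        # over-collection by clients without retaining the data itself.
        return sorted(set(submitted) - allowed)

    def read(self, subject_id, purpose):
        """Return the record held for this subject under this purpose only."""
        if purpose not in PURPOSES:
            raise PurposeError(f"undeclared purpose: {purpose!r}")
        return dict(self._rows.get((subject_id, purpose), {}))


if __name__ == "__main__":
    store = MinimalStore()
    # Constructed sample submission that over-shares for a newsletter signup.
    form = {"email": "a@example.test", "name": "A", "date_of_birth": "1990-01-01"}
    print("dropped:", store.collect("u1", "newsletter", form))
    print("stored:", store.read("u1", "newsletter"))
    print("other purpose:", store.read("u1", "order_fulfilment"))
```

Because the date of birth is discarded at ingest, no retention or access policy for it is needed; that is the sense in which design constrains possibility.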