“Privacy by default” is being discussed as one important principle for ICT system design. This principle has been taken up as “data protection by default” in the proposal for a European Data Protection Regulation published in 2012. However, it is debated what this principle should mean in practice. In this text, we analyze the relation to “security by default” and “privacy by design” and discuss different possible interpretations of the “data protection by default” principle. After presenting general considerations on how to choose and implement appropriate default settings, we exemplarily describe recommendations for typical identity-related application scenarios such as social network sites, user tracking on the web and user-controlled management of one’s identities. Both the general and the scenario-based elaborations provide guidance for developers as well as evaluators.