CISSP · Question #1405
An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what information collected would be
The correct answer is A. Default the user to not share any information.. This question tests understanding of privacy-by-default principles, where users must opt-in to data sharing rather than being automatically enrolled without consent.
Question
An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what information collected would be shared. What technical controls should be put in place to remedy the privacy issue while still trying to accomplish the organization's business goals?
Options
- ADefault the user to not share any information.
- BInform the user of the sharing feature changes after implemented.
- CShare only what the organization decides is best.
- DStop sharing data with the other users.
How the community answered
(30 responses)- A70% (21)
- B17% (5)
- C7% (2)
- D7% (2)
Why each option
This question tests understanding of privacy-by-default principles, where users must opt-in to data sharing rather than being automatically enrolled without consent.
Defaulting users to 'no sharing' implements the Privacy by Default principle, a core tenet of modern privacy frameworks like GDPR Article 25, which requires that only necessary data is processed without user intervention. This technical control remediates the lack of informed consent by ensuring no data is shared until the user actively chooses to participate, balancing privacy with the organization's goal of enabling sharing as an opt-in feature.
Informing users after implementation is a reactive and insufficient remediation; privacy regulations and ethical standards require informed consent before data collection and sharing begins, not after.
Allowing the organization to unilaterally decide what is shared without user consent still violates the principle of informed consent and user autonomy, which is central to privacy compliance.
Completely stopping data sharing eliminates the organization's business goal of enabling customers to share wearable device information, making it an overly restrictive solution that fails to balance privacy with functionality.
Concept tested: Privacy by default and informed consent controls
Source: https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/
Topics
Community Discussion
No community discussion yet for this question.