nerdexam
(ISC)2

CISSP · Question #1405

An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what information collected would be

The correct answer is A. Default the user to not share any information.. This question tests understanding of privacy-by-default principles, where users must opt-in to data sharing rather than being automatically enrolled without consent.

Submitted by marco_it· Mar 5, 2026Security and Risk Management

Question

An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what information collected would be shared. What technical controls should be put in place to remedy the privacy issue while still trying to accomplish the organization's business goals?

Options

  • ADefault the user to not share any information.
  • BInform the user of the sharing feature changes after implemented.
  • CShare only what the organization decides is best.
  • DStop sharing data with the other users.

How the community answered

(30 responses)
  • A
    70% (21)
  • B
    17% (5)
  • C
    7% (2)
  • D
    7% (2)

Why each option

This question tests understanding of privacy-by-default principles, where users must opt-in to data sharing rather than being automatically enrolled without consent.

ADefault the user to not share any information.Correct

Defaulting users to 'no sharing' implements the Privacy by Default principle, a core tenet of modern privacy frameworks like GDPR Article 25, which requires that only necessary data is processed without user intervention. This technical control remediates the lack of informed consent by ensuring no data is shared until the user actively chooses to participate, balancing privacy with the organization's goal of enabling sharing as an opt-in feature.

BInform the user of the sharing feature changes after implemented.

Informing users after implementation is a reactive and insufficient remediation; privacy regulations and ethical standards require informed consent before data collection and sharing begins, not after.

CShare only what the organization decides is best.

Allowing the organization to unilaterally decide what is shared without user consent still violates the principle of informed consent and user autonomy, which is central to privacy compliance.

DStop sharing data with the other users.

Completely stopping data sharing eliminates the organization's business goal of enabling customers to share wearable device information, making it an overly restrictive solution that fails to balance privacy with functionality.

Concept tested: Privacy by default and informed consent controls

Source: https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/

Topics

#privacy by design#data privacy#user consent#technical controls

Community Discussion

No community discussion yet for this question.

Full CISSP Practice