Question 32
Domain 4 — Privacy Risk Assessment and Compliance Validation

An organization is planning a new implementation for tracking consumer web browser activity. Which of the following should be done FIRST?

A. Seek approval from regulatory authorities
B. Conduct a privacy impact assessment (PIA)
C. Obtain consent from the organization's clients
D. Review and update the cookie policy
Correct answer: C
Explanation
Tracking consumer web browser activity means collecting personal data (online identifiers, browsing behavior, data stored on or read from the user's device), so the first step is to obtain valid consent before any monitoring begins. Privacy rules generally require prior notice and permission for this kind of collection, and the requirement is strictest where an organization is tracking individuals' online behavior.
Why each option is right or wrong
A. Seek approval from regulatory authorities
Regulators generally do not pre-approve routine browser tracking implementations before deployment.
B. Conduct a privacy impact assessment (PIA)
A PIA identifies and evaluates the privacy risks of the design, but it does not by itself establish a lawful basis for collecting the data; consent still has to be obtained before tracking starts.
C. Obtain consent from the organization's clients
Under GDPR, consent is one of the lawful bases for processing personal data (Article 6(1)(a)), and where it is the basis relied on, Article 4(11) and Article 7 require that it be freely given, specific, informed and unambiguous, demonstrable by the controller, and obtained before the processing begins. Browser-activity tracking also falls under ePrivacy-style rules (ePrivacy Directive Article 5(3)) on storing information on, or accessing information from, a user's terminal equipment, which require prior informed consent except for strictly necessary functions. Because the plan is to track consumer web activity from the outset, the first compliance step is to secure valid consent before any tracking is implemented.
D. Review and update the cookie policy
Updating the cookie policy provides notice, but notice alone is not consent; users must still actively agree before the tracking begins.