By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Security and privacy aren’t just compliance checkboxes—they’re core product pillars that build trust, reduce churn, and prevent catastrophic breaches (e.g., Equifax’s $700M GDPR fine, Facebook’s Cambridge Analytica scandal). For PMs, this means designing features with security/privacy in mind, not bolting them on later.Example: When Stripe launched "Stripe Identity" (a KYC tool for fintechs), they had to balance frictionless onboarding (OAuth for quick logins) with fraud prevention (OWASP Top 10 mitigations) and GDPR compliance (data minimization, right to erasure). A misstep here could mean losing users or regulators.
Real-world: Slack’s "Sign in with Google" uses OAuth for AuthN; role-based access (Admin/Guest) is AuthZ.
OAuth 2.0 (Open Authorization)
Example: Spotify uses OAuth to let users import playlists from Apple Music.
OWASP Top 10 (2021)
PM’s role: Ensure engineers use OWASP’s Cheat Sheet Series for mitigations.
GDPR (General Data Protection Regulation)
Example: Airbnb’s GDPR compliance includes a "Download My Data" feature and granular consent toggles.
CCPA (California Consumer Privacy Act)
Example: Google’s "Ad Personalization" toggle lets users opt out of CCPA data sales.
Data Minimization
Example: Uber’s "Ride Receipts" only store trip start/end points, not full GPS trails.
Zero Trust Architecture
Example: Google’s BeyondCorp (replaced VPNs with identity-based access).
Privacy by Design (PbD)
Example: Apple’s App Tracking Transparency (ATT) forces apps to ask for permission before tracking users.
Security vs. Privacy
Trap: "We’re secure, so we’re private" → False. A hacked database is a security failure; selling user data without consent is a privacy failure.
Threat Modeling (STRIDE)
DPIA (Data Protection Impact Assessment)
Security ROI Formula
Example: For a "Save Payment Method" feature, map: User → Frontend → API → Tokenization Service → Database.
User → Frontend → API → Tokenization Service → Database
Run a Threat Model (STRIDE)
Output: A list of mitigations (e.g., "Use OAuth + MFA for AuthN").
Design for Privacy by Default
Example: DuckDuckGo’s default "no tracking" vs. Google’s opt-out model.
Implement AuthN/AuthZ Securely
Avoid: Rolling your own auth (use Firebase Auth, Auth0, or Okta).
Validate with Compliance Checklists
Example: Before launching in the EU, check:
Monitor & Iterate
Correction: PMs own the "why" and "what" (e.g., "We need OAuth to reduce friction and improve security"). Partner with engineers early to define requirements (e.g., "Must support PKCE for mobile").
Mistake: Assuming GDPR/CCPA only apply to "big tech."
Correction: If you have users in the EU/California, you’re in scope. Even startups must comply (e.g., a 10-person SaaS with EU customers needs a DPO and data deletion process).
Mistake: Using "security" as an excuse to add friction.
Correction: Balance security and UX. Example:
Mistake: Storing sensitive data "just in case."
Correction: Delete data you don’t need. Example:
tok_123
Mistake: Ignoring third-party risks.
Answer: "Security protects data from threats (e.g., encrypting payment info), while privacy protects user rights (e.g., letting them delete their data). For a health app, I’d:
OWASP Top 10 in Interviews
Answer: "I’d focus on the OWASP Top 3:
GDPR/CCPA Trade-offs
Answer: "I’d ask:
AuthN/AuthZ in System Design
Viewer
Admin
Why? Social logins introduce dependencies on external providers and expand your attack surface.
Scenario: A user requests to delete their account under GDPR. Your engineers say it’ll take 3 months to build. How do you respond?
Why? Non-compliance risks fines and reputational damage.
Scenario: Your analytics team wants to track user behavior across devices. What’s the privacy-preserving way to do this?
Data Collected = MVD + Optional (with consent)
(Risk Reduction – Cost of Control) / Cost of Control
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.