Question
Design a consent and permissions management service that governs how a large platform (120M users, hundreds of internal services) may process personal data under GDPR/CCPA. Every data access must be checkable against the user's current consent (marketing, analytics, third-party sharing, each with purpose and legal basis), consent changes must propagate within seconds, and you must produce an auditable record proving lawful basis for any processing. Also support data-subject rights — export and right-to-erasure — across all downstream stores. Constraints: 500K consent checks/s, consent state must be strongly consistent at the point of decision. Cover the consent model, enforcement point, propagation, and erasure.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.