Code Room
System design | Hard | sd-g682
Subject: Access control
Level: Senior–Staff
Time: ~45 min
Common in: Security interviews
Industries: Technology, IT services

Question

Design a consent and permissions management service that governs how a large platform (120M users, hundreds of internal services) may process personal data under GDPR/CCPA. Every data access must be checkable against the user's current consent (marketing, analytics, third-party sharing, each with purpose and legal basis), consent changes must propagate within seconds, and you must produce an auditable record proving lawful basis for any processing. Also support data-subject rights — export and right-to-erasure — across all downstream stores. Constraints: 500K consent checks/s, consent state must be strongly consistent at the point of decision. Cover the consent model, enforcement point, propagation, and erasure.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
