Reviewing for Privacy & Compliance

In ads infrastructure, the data is the product — and the privacy mistakes are the ones that make the news.

Privacy is the one review dimension where a single missed line can become a regulatory incident, a breach of user trust, or a headline. For an ads-events engineer this is not a specialist's concern — you handle user identifiers, ad interactions, and behavioral signals every day, so privacy review is core to the job. This question tests whether you review a diff for what data it touches, whether it's allowed to touch it, where that data flows, and how long it lives. The senior instinct is to treat every field as classified until proven otherwise, and to know the concrete controls — classification, purpose limitation, retention, access, encryption, and the cardinal rule of never logging PII or secrets.

Flow of reviewing for privacy: classify data, purpose limitation, retention, access control, encryption, don't log secrets, consent and lineage, audit
The privacy lens: classify the data, enforce purpose limitation, set retention, gate access to least privilege, encrypt in transit and at rest, never log PII/secrets, verify consent and lineage (GDPR/CCPA), and keep an audit trail.

What this question is really testing

Whether privacy is a reflex for you, not a checkbox you delegate to a review bot. The signal is that you notice when a diff introduces or moves personal data, ask the right questions about legal basis and lifecycle, and know the specific failure modes — PII in logs, an over-broad access grant, a missing retention TTL, plaintext at rest, using data for a purpose it wasn't collected for. It also tests that you understand privacy as a system property (lineage, deletion, audit), not just field-level hygiene.

How to answer What the interviewer is looking for

The most common privacy catch in review — PII leaking into a log line:

# WRONG: user email + raw token land in a broadly-readable, long-lived log
logger.info("processing user=%s token=%s payload=%s",
            user.email, auth_token, request.body)   # PII + secret in logs

# RIGHT: log a stable non-PII id, redact the secret, drop the raw payload
logger.info("processing user_hash=%s auth=redacted",
            hash_id(user.id))                         # queryable, no PII/secret

Common follow-ups

How do you know a field is PII if it isn't labeled?

How to answer

A diff exports an existing dataset to a new consumer. Concerns?

How to answer

How do you handle deletion / right-to-be-forgotten in review?

How to answer

Isn't privacy the review-bot's or privacy team's job?

How to answer
Where to get your data (Meta)