Which of the following must be true regarding surveillance conducted by private sector entities?

Surveillance conducted by private sector entities must indeed be based on legitimate purposes. This principle emphasizes that any data collection or monitoring activity should serve a specific, lawful objective that aligns with the interests of both the organization and the individuals whose data is being collected. Such legitimate purposes may include security concerns, fraud prevention, or improving service quality.

This requirement is rooted in various data protection regulations, including the General Data Protection Regulation (GDPR), which governs the processing of personal data within the European Union. The regulation stipulates that data processing activities must be lawful, fair, and transparent, reinforcing the idea that organizations must have justifiable reasons for surveilling individuals.

While consent is a significant aspect of data protection, it is not always a prerequisite in every scenario where surveillance occurs, especially when other lawful bases for processing exist. Continuous monitoring is not a requirement for all surveillance, and violating local laws is never permissible in a lawful surveillance framework. Thus, the focus on legitimate purposes reflects both a legal obligation and an ethical responsibility for organizations conducting surveillance.