The organization should disclose the relationship to those affected in jurisdictions where such disclosures are required, as this is the most appropriate and compliant action to take after identifying a privacy risk related to third-party data collection. Disclosing the relationship to the data subjects is a way of providing transparency and accountability, as well as respecting their rights and choices regarding their personal data. It also helps the organization avoid regulatory fines or sanctions for not complying with the applicable privacy laws or regulations that mandate such disclosures. The other options are not as effective or sufficient as disclosing the relationship, as they do not address the root cause of the risk, do not mitigate the potential harm to the data subjects, or do not align with the privacy principles and best practices.

A bug bounty program is an assurance approach that involves offering rewards to external security researchers who find and report vulnerabilities in an API or other software. A bug bounty program can be more effective than other assurance approaches in identifying API vulnerabilities because it leverages the skills, creativity, and diversity of a large pool of ethical hackers who can test the API from different perspectives and scenarios. A bug bounty program can also incentivize continuous testing and reporting of vulnerabilities, which can help improve the security posture of the API over time.
Reference:
10 top API security testing tools, CSO Online
Bug Bounty Programs: What You Need to Know, ISACA Journal

Restricting access to authorized users is the best control to secure application programming interfaces (APIs) that may contain personal information, as it would prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries. Restricting access to authorized users can be achieved by using various methods, such as authentication, authorization, encryption, tokens or certificates. The other options are not effective controls to secure APIs that may contain personal information. Encrypting APIs with the organization's private key is not a feasible or desirable method, as it would make the APIs unreadable by anyone who does not have the corresponding public key, which would defeat the purpose of using APIs for interoperability and integration. Requiring nondisclosure agreements (NDAs) when sharing APIs is not a reliable or enforceable method, as it would depend on the compliance and cooperation of the parties who receive the APIs, and it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who are not bound by the NDAs. Sharing only digitally signed APIs is not a sufficient method, as it would only ensure the authenticity and integrity of the APIs, but it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who can read or intercept the APIs1, p. 90-91 Reference: 1: CDPSE Review Manual (Digital Version)

A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be conducted as early as possible in the system lifecycle, preferably during the development stage, to ensure that privacy risks are identified and mitigated before the system is deployed. Conducting a PIA during functional testing, UAT or production stages may be too late to address privacy issues effectively and may result in costly rework or delays1, p. 67 Reference: 1: CDPSE Review Manual (Digital Version)