Consumer privacy laws and regulations seek to protect any individual from loss of privacy due to failures or limitations of corporate customer privacy measures. They recognize that the damage done by privacy loss is typically not measurable, nor can it be undone, and that commercial organizations have little or no interest in taking unprofitable measures to drastically increase privacy of customers - indeed, their motivation is very often quite the opposite, to share data for commercial advantage, and to fail to officially recognize it as sensitive, so as to avoid legal liability for lapses of security that may occur.
Consumer privacy concerns date back to the first commercial couriers and bankers, who in every culture took strong measures to protect customer privacy, but also in every culture tended to be subject to very harsh punitive measures for failures to keep a customer's information private. The Hippocratic Oath includes a requirement for doctors to avoid mentioning ills of patients to others, not only to protect them, but to protect their families - the same basic idea as modern consumer privacy law and regulation, which recognizes that innocent third parties can be harmed by the loss of control of sensitive information, and that therefore there is a responsibility beyond that to the 'customer' or 'client'. Today the ethical codes of most professions very clearly specify privacy measures beyond that for the 'consumer' of an arbitrary service. Those measures are discussed in other articles on medical privacy, client confidentiality and national security - and to a degree in carceral state (where no privacy in any form nor limits on state oversight or data use exist).
Modern consumer privacy law in a recognizable form originated in telecom regulation, when it was recognized that a telco, especially a monopoly (known in most nations as a PTT), had access to unprecedented levels of information about not only the direct customer's communications habits and correspondents, but also that of those who shared his or her household. It was also often the case that telephone operators could hear conversations, inadvertently or deliberately, and were required to dial the exact numbers.
The data gathering required for billing began to become an obvious privacy risk as well. Accordingly, strong rules on operator behavior, customer confidentiality, records keeping and destruction were enforced on telcos in every country. Typically only police and military authorities had powers to 'wiretap' or see records. Even stricter requirements emerged for banks' electronic records - in some countries financial privacy is a major focus of the economy, and penalties for violating it are severe, with criminal penalties applied. In Austria in the 1990s mere mention of a client's name in a semi-public social setting was enough to earn a junior bank executive a stiff jail sentence.
Through the 1970s many other organizations in developed nations began to acquire sensitive data, but there were few or no regulations in place to prevent them from sharing or abusing it. Customer trust and goodwill were generally thought to be sufficient in some nations, notably the United States, to ensure protection of truly sensitive data. 'Caveat emptor' applied. But in the 1980s much smaller organizations began to get access to computer hardware and software, and these simply did not have the procedures or personnel or expertise, much less the time, to take rigorous measures to protect their customers. Meanwhile, via target marketing and rewards programs, they were acquiring ever more data.
Gradually, customer privacy measures alone proved insufficient to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of hard drives or other data-carrying hardware from work.
Talk began to turn to explicit regulation, especially in the European Union, where each nation had laws that were incompatible, e.g. some restricted the collection, some the compilation, and some the dissemination of data, and it was possible to violate anyone's privacy within the EU simply by doing these things from different places in the European Common Market as it existed before 1992.
Through the 1990s the proliferation of mobile telecom (which typically bills every call), the introduction of customer relationship management and the use of the Internet by the public in all developed nations brought the situation to a head, and most countries had to implement strong consumer privacy laws, usually over the objections of business.
The European Union and New Zealand passed particularly strong laws that were used as a template for more limited laws in Australia and Canada and some states of the United States (where no federal law for consumer privacy exists, although there are requirements specific to banking and telecom privacy).
After the September 11, 2001, terrorist attacks on the United States, privacy took a back seat to national security in most legislators' minds. Accordingly, concerns of consumer privacy in the United States have tended to go unheard as questions of citizen privacy versus the state, and the development of a police state or carceral state, have occupied advocates of strong privacy measures.
Whereas it may have appeared prior to 2002 that commercial organizations and the consumer data they gathered were of primary concern, it has appeared since then in most developed nations to be much less of a concern than political privacy and medical privacy, e.g. as violated by biometrics. Indeed, people have recently been stopped at airports solely due to their political views (see No-fly list) and there appears to be little public will to stop practices of this nature. Privacy of body or habits may be 'dead', for all practical purposes, until political approaches or threats change.
Customer privacy measures are those taken by commercial organizations to ensure that confidential customer data is not stolen or abused. Since most such organizations have a strong competitive incentive to retain exclusive access to these data, and since customer trust is usually a high priority, most companies take some security engineering measures to protect customer privacy.
However, these vary in effectiveness, and would not typically meet the much higher standards of client confidentiality applied by ethical codes or legal codes in banking or law, nor patient privacy measures in medicine, nor rigorous "national security" measures in military and intelligence organizations.
Since they operate for profit, commercial organizations also cannot spend an unlimited amount on precautions and remain competitive - a commercial context tends to limit privacy measures, and to motivate organizations to share data when working in partnership. This has led to many moral hazards and outrageous customer privacy violation incidents, and has led to consumer privacy laws in most countries, especially in the European Union, Australia, New Zealand and Canada. The United States has no such law and relies on corporate customer privacy to ensure consumer privacy in general.
Some services, notably telecommunications including Internet, imply collecting a vast array of information about users’ activities in the course of things, and may also require consultation of these data to prepare bills. Telecom data must be kept for seven years in the US and Canada, to permit dispute and consultation about phone charges. Telecom regulation has always enforced a high level of confidentiality on these very sensitive customer communication bills and the underlying records. However, this approach has to a degree been outmoded as other industries also now gather sensitive data:
Such common commercial measures as software-based customer relationship management, rewards programs and target marketing tend to drastically increase the amount of information gathered (and sometimes shared). They drastically increase privacy risks, and have accelerated the shift to regulation, rather than relying on corporate desire to preserve goodwill. Companies using coupon programs often set up coupon printers in grocery stores.
- Big data
- Information technology management
- Management information systems
- Privacy laws of the United States
- Privacy International
- Protecting Consumer Privacy in an Era of Rapid Change, FTC Staff Report
- Privacy Rights Clearinghouse, a consumer education and privacy rights advocacy organization