This article needs additional citations for verification. (September 2012) (Learn how and when to remove this template message)
Consumer privacy is information privacy as it relates to the consumers of products and services.
A variety of social, legal and political issues arise from the interaction of the public's potential expectation of privacy and the collection and dissemination of data by businesses or merchants. Consumer privacy concerns date back to the first commercial couriers and bankers who enforced strong measures to protect customer privacy. In modern times, the ethical codes of various professions specify measures to protect customer privacy, including medical privacy and client confidentiality. State interests include matters of national security. Many organizations have a competitive incentive to collect, retain, and use customer data for various purposes, and many companies adopt security engineering measures to control this data and manage customer expectations and legal requirements for consumer privacy.
Consumer privacy protection is the use of laws and regulations to protect individuals from privacy loss due to the failures and limitations of corporate customer privacy measures. Corporations may be inclined to share data for commercial advantage and fail to officially recognize it as sensitive to avoid legal liability in the chance that lapses of security may occur. Modern consumer privacy law originated from telecom regulation when it was recognized that a telephone company had access to unprecedented levels of information. Customer privacy measures were seen as deficient to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of data storage devices (e.g., hard drives) that could store a large amount of data in a portable location.
Consumer privacy concerns date back to the first commercial couriers and bankers who enforced strong measures to protect customer privacy. Harsh punitive measures were passed as the result of failing to keep a customer's information private. In modern times, the ethical codes of most professions specify privacy measures for the consumer of any service, including medical privacy, client confidentiality, and national security. These codes are particularly important in a carceral state, where no privacy in any form nor limits on state oversight or data use exists. Corporate customer privacy practices are approaches taken by commercial organizations to ensure that confidential customer data is not stolen or abused. Since most organizations have strong competitive incentives to retain exclusive access to customer data, and since customer trust is usually a high priority, most companies take some security engineering measures to protect customer privacy. There is also a concern that companies may sell consumer data if they have to declare bankruptcy, although it often violates their own privacy policies.
The measures companies take to protect consumer privacy vary in effectiveness, and would not typically meet the much higher standards of client confidentiality applied by ethical codes or legal codes in banking or law, nor patient privacy measures in medicine, nor rigorous national security measures in military and intelligence organizations. Since companies operate to generate a profit, commercial organizations also cannot spend unlimited funds on precautions while remaining competitive; a commercial context tends to limit privacy measures and to motivate organizations to share data when working in partnership. The damage done by privacy loss is not measurable, nor can it be undone, and commercial organizations have little or no interest in taking unprofitable measures to drastically increase the privacy of customers. Corporations may be inclined to share data for commercial advantage and fail to officially recognize it as sensitive to avoid legal liability in the chance that lapses of security may occur. This has led to many moral hazards and customer privacy violation incidents.
Some services—notably telecommunications, including Internet—require collecting a vast array of information about users’ activities in the course of business, and may also require consultation of these data to prepare bills. In the US and Canada, telecom data must be kept for seven years to permit dispute and consultation about phone charges. These sensitivities have led telecom regulation to be a leader in consumer privacy regulation, enforcing a high level of confidentiality on the sensitive customer communication records. The focus of consumer rights activists on the telecoms industry has super-sided as other industries also gather sensitive consumer data. Such common commercial measures as software-based customer relationship management, rewards programs, and target marketing tend to drastically increase the amount of information gathered (and sometimes shared). These very drastically increase privacy risks and have accelerated the shift to regulation, rather than relying on the corporate desire to preserve goodwill.
Concerns have led to consumer privacy laws in most countries, especially in the European Union, Australia, New Zealand and Canada. Notably, among developed countries, the United States has no such law and relies on corporate customer privacy disclosed in privacy policies to ensure consumer privacy in general. Modern privacy law and regulation may be compared to parts of the Hippocratic Oath, which includes a requirement for doctors to avoid mentioning the ills of patients to others—not only to protect them, but to protect their families— and also recognizes that innocent third parties can be harmed by the loss of control of sensitive personal information.
Modern consumer privacy law originated from telecom regulation when it was recognized that a telephone company—especially a monopoly (known in many nations as a PTT)—had access to unprecedented levels of information: the direct customer's communication habits and correspondents and the data of those who shared the household. Telephone operators could frequently hear conversations—inadvertently or deliberately—and their job required them to dial the exact numbers. The data gathering required for the process of billing began to become a privacy risk as well. Accordingly, strong rules on operator behaviour, customer confidentiality, records keeping and destruction were enforced on telephone companies in every country. Typically only police and military authorities had legal powers to wiretap or see records. Even stricter requirements emerged for various banks' electronic records In some countries, financial privacy is a major focus of the economy, with severe criminal penalties for violating it.
Through the 1970s many other organizations in developed nations began to acquire sensitive data, but there were few or no regulations in place to prevent them from sharing or abusing the data. Customer trust and goodwill were generally thought to be sufficient in first-world countries, notably the United States, to ensure the protection of truly sensitive data; caveat emptor was applied in these situations. But in the 1980s, smaller organizations also began to get access to computer hardware and software, and these simply did not have the procedures or personnel or expertise, nor less the time, to take rigorous measures to protect their customers. Meanwhile, via target marketing and rewards programs, companies were acquiring ever more data.
Gradually, customer privacy measures were seen as deficient to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of data storage devices (eg hard drives) that could store a large amount of data in a portable location. Explicit regulation of consumer privacy gained further support, especially in the European Union, where each nation had laws that were incompatible (e.g., some restricted the data collection, the data compilation and the data dissemination); it was possible to violate privacy within the EU simply doing these things from different places in the European Common Market as it existed before 1992.
Through the 1990s, the proliferation of mobile telecom, the introduction of customer relationship management, and the use of the Internet in developed nations brought the situation to the forefront, and most countries had to implement strong consumer privacy laws, often over the objections of business. The European Union and New Zealand passed particularly strong laws that were used as a template for more limited laws in Australia and Canada and some states of the United States (where no federal law for consumer privacy exists, although there are requirements specific to banking and telecom privacy). In Austria around the 1990s, the mere mention of a client's name in a semi-public social setting was enough to earn a junior bank executive a stiff jail sentence.
After the terrorist attacks against the United States on September 11, 2001, privacy took a back-seat to national security in legislators' minds. Accordingly, concerns of consumer privacy in the United States have tended to go unheard of as questions of citizen privacy versus the state, and the development of a police state or carceral state, have occupied advocates of strong privacy measures. Whereas it may have appeared prior to 2002 that commercial organizations and the consumer data they gathered were of primary concern, it has appeared since then in most developed nations to be much less of a concern than political privacy and medical privacy (e.g., as violated by biometrics). Indeed, people have recently been stopped at airports solely due to their political views, and there appears to be minimal public will to stop practices of this nature.
- Lee, Dong-Joo (June 2011). "Managing Consumer Privacy Concerns in Personalization: A Strategic Analysis of Privacy Protection". MIS Quarterly. 35: 428-A8.
- Siam, Kayla (2017). "Coming to a Retailer near You: Consumer Privacy Protection in Retail Bankruptcies". Emory Bankruptcy Developments Journal. 33: 487–521.