Consumer privacy concerns date back to the first commercial couriers and bankers, who in every culture took strong measures to protect customer privacy, but also in every culture tended to be subject to very harsh punitive measures for failures to keep a customer's information private. The Hippocratic Oath includes a requirement for doctors to avoid mentioning ills of patients to others, not only to protect them, but to protect their families - the same basic idea as modern consumer privacy law and regulation, which recognizes that innocent third parties can be harmed by the loss of control of sensitive information, and that therefore there is a responsibility beyond that to the 'customer' or 'client'. Today the ethical codes of most professions very clearly specify privacy measures beyond that for the 'consumer' of an arbitrary service. Those measures are discussed in other articles on medical privacy, client confidentiality and national security - and to a degree in carceral state (where no privacy in any form nor limits on state oversight or data use exist).
Modern consumer privacy law in a recognizable form originated in telecom regulation, when it was recognized that a telco, especially a monopoly (known in most nations as a PTT), had access to unprecedented levels of information about not only the direct customer's communications habits and correspondents, but also that of those who shared his or her household. It was also often the case that telephone operators could hear conversations, inadvertently or deliberately, and were required to dial the exact numbers.
The data gathering required for billing began to become an obvious privacy risk as well. Accordingly, strong rules on operator behavior, customer confidentiality, records keeping and destruction were enforced on telcos in every country. Typically only police and military authorities had powers to 'wiretap' or see records. Even stricter requirements emerged for banks' electronic records - in some countries financial privacy is a major focus of the economy, and penalties for violating it are severe and criminal penalties applied. In Austria in the 1990s mere mention of a client's name in a semi-public social setting was enough to earn a junior bank executive a stiff jail sentence.
Through the 1970s many other organizations in developed nations began to acquire sensitive data, but there were few or no regulations in place to prevent them from sharing or abusing it. Customer trust and goodwill was generally thought to be sufficient in some nations, notably the United States, to ensure protection of truly sensitive data. 'Caveat emptor' applied. But in the 1980s much smaller organizations began to get access to computer hardware and software, and these simply did not have the procedures or personnel or expertise, nor less the time, to take rigorous measures to protect their customers. Meanwhile, via target marketing and rewards programs, they were acquiring ever more data.
Gradually, customer privacy measures alone proved insufficient to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, theft of hard drives or other data-carrying hardware from work.
Talk began to turn to explicit regulation, especially in the European Union, where each nation had laws that were incompatible, e.g. some restricted the collection, some the compilation, and some the dissemination of data, and it was possible to violate anyone's privacy within the EU simply by doing these things from different places in the European Common Market as it existed before 1992.
Through the 1990s the proliferation of mobile telecom (which typically bills every call), the introduction of customer relationship management and the use of the Internet by the public in all developed nations, brought the situation to a head, and most countries had to implement strong consumer privacy laws, usually over the objections of business.
The European Union and New Zealand passed particularly strong laws that were used as a template for more limited laws in Australia and Canada and some states of the United States (where no federal law for consumer privacy exists, although there are requirements specific to banking and telecom privacy).
After the September 11, 2001, terrorist attacks on the United States, privacy took a back-seat to national security in most legislators' minds. Accordingly concerns of consumer privacy in the United States have tended to go unheard as questions of citizen privacy versus the state, and the development of a police state or carceral state, have occupied advocates of strong privacy measures.
Whereas it may have appeared prior to 2002 that commercial organizations and the consumer data they gathered were of primary concern, it has appeared since then in most developed nations to be much less of a concern than political privacy and medical privacy, e.g. as violated by biometrics. Indeed, people have been stopped at airports solely due to their political views recently (see No-fly list) and there appears to be little public will to stop practices of this nature. Privacy of body or habits may be 'dead', for all practical purposes, until political approaches or threats change.
See also: customer privacy, political privacy, medical privacy