I've only worked on ~10 paid development gigs and one of the first ones was a pharma research company who hired my team to create an interface for a truckload of sensitive data after nothing more than a phone call and a quick NDA. This pattern has continued in a few subsequent projects, often with no NDA or contract whatsoever.

A great many companies stop caring about privacy the second they can make or save a few bucks, questionable legality or ethics notwithstanding one bit. Businesses in general are fortunate that MOST software engineers seem to be honest and good people, because they regularly hand over the keys to the castle, often without even realizing it or considering the potential implications at all, and to be honest I'm actually quite glad it works this way. For whatever reason, we as a profession have apparently been deemed highly trustworthy, and I much prefer this situation with all its risks to a world of bulletproof firewalls and bureaucratic red tape.