
Unless explicitly authorized by the customer, or for the purpose of providing the service, your staff should not be allowed to look at customer data, and what data they look at should be limited to what's necessary to perform their function.

If you do want the right to spelunk through customer data, you need to declare that in the privacy policy. If you declare otherwise, you're breaching the contract with the customer.

The problem is that incidents and attitudes like this make the market lose trust with the cloud services industry, which is poison to everyone.




I agree; however, it's somewhat disturbing how often I have to view customer data in my current job. I think the bigger companies that have good processes in place probably don't have to have people do it much, but let's just say some companies that have older applications (like the one I work for) that have seen better days end up having people have to make a lot of manual database updates and also end up giving access to the production DB to their developers in case of emergencies.


I'm not sure I understand what you're saying here.

The only contract with the customer is the privacy policy. The privacy policy is just a promise from a site to abide by certain rules. In the case that there is not a privacy policy, then whatever you tell that site can and will be used against you. From tracking cookies to the most sensitive of files, if you are providing information to a site then you have to assume that it will be used in any way the company sees fit unless they promise otherwise.

Ethically there may be different obligations, but to say that there is some implicit "contract with the customer" is simply not the case.


Since 1890 in the United States, the tort law has had concepts of invasion of privacy and breach of trust. Further, on a state-by-state level there may be laws, such as COPPA 2003 in California, which required a privacy policy to be published. Canada and the EU have even more protective laws if you trade there.

I feel it is safer and more realistic to presume the first paragraph I wrote is the case and cover yourself with a privacy policy if you want to do otherwise as I mentioned.

As always, ask a lawyer if you want professional advice.


I came here to post exactly that. In most serious cloud teams you have very few select people with authorization to look at customer data (the operations team), and everybody else is outside of that group. When debugging the service, you have to pass instructions to that team so that in case confidential data is revealed, only they get to see it.



