We can't use product X user's data in our product B's marketing, can't access the phone contact without need, can't call the contacts like RL were doing etc. Can't buy or share the customer's personal information.
We have to delete merchant's data if asked by merchant or account not in use (once its purpose is solved).
Broadly it applies to direct customer-facing applications like e-commerce, banks, etc.