Many privacy advocates take corporate mendacity as a premise. From there, it’s easy to reach the conclusion that companies won’t protect privacy. For these privacy advocates, the fight for privacy is a fight against business.

In a sense, their conclusion about corporate behavior is true. Businesses won’t protect privacy beyond what they perceive consumers to want—doing so would just give away profits. Businesses will protect privacy when it’s a consumer demand they’ve promised to fulfill. Companies and their executives take considerable risks when they fail to meet that demand.

The exceptions are what get noticed, and Prudence Chan is an example for others to learn from. She was the head of Hong Kong cashless payment operator Octopus Holdings Ltd. until she resigned this week. Under her watch, the company sold data about users of the system for marketing purposes. Octopus will forfeit to charity the money it made on the sales. (Should be given to the affected users, but anyway…)

Hong Kong is debating whether its legal privacy protections are sufficient. But privacy officers and executives in companies around the world are looking at this story and considering how they would tolerate losing their jobs, status, and reputations. Their self-interest will drive them to protect privacy as demanded by their customers.

Sure, it might be nice for them to do it out of altruism or kindliness, but the result is the same.