Could Facebook’s Cambridge Analytica Saga Sharpen GDPR?
Lots of work is being put in by companies looking to get ahead of the European Union’s privacy regulations, but the road may be just a little bit harder now that we have a popular, widely known example of data privacy gone wrong.
Facebook is sorry. Really sorry.
So sorry that it put a full-page apology in some of the world’s largest newspapers.
But the company—responding to a series of revelations that started with a report that it failed to prevent an analytics firm tied to the Trump administration from stealing data from millions of users through its platforms and ended with the knowledge that the social network grabbed call records from close friends who used Android devices—will be stuck doing more than apologizing in the days to come.
On Monday, the Federal Trade Commission announced it was investigating Facebook, further worsening the situation for the social network. Cambridge Analytica’s CEO, Alexander Nix, has also been suspended.
The revelations have had a shattering effect on a company whose technology has defined the shape of online privacy more than any other in the past decade.
It’s not just the way that business fortunes, including those at associations, are tied to the black-box algorithms that have defined the social network and those of its competitors over the years. (Though that’s certainly part of it.) Really, the issue here is that people are becoming cognizant of data-collection tactics that are at best questionable and at worst downright shady.
And while Facebook has led the way with these practices—allowing many of them to happen in the first place by having a downright sieve-like approach to data access in their apps—they’re now common throughout the world of modern marketing.
“The tactic of collecting friend data, which has been featured prominently in the Cambridge Analytica coverage, was a well-known way of turning a handful of app users into a goldmine,” explained technology writer and former data company executive Alexandra Samuel in a piece for The Verge.
You can see shades of these tactics everywhere, from the email newsletters that show up in your inbox that you never signed up for (something that frequently happens to me) to the way that other networks, like LinkedIn, acquire so many details about you that they’re susceptible to data miners—some of which want to mine your profile for information that suggests you might be about to leave your company.
(If the latter case sounds Orwellian, I’m sorry to tell you that it’s not only a thing, but that LinkedIn is losing its court battle against hiQ Labs, the company trying to do just that. The Microsoft-owned LinkedIn is throwing all its legal firepower into the battle, though.)
Expect Ripple Effects
This whole Facebook situation is a mess, and odds are that it’s going to catch lots of organizations in its wake. Online marketing is built on data. So are the data rolls that associations acquire when someone signs up for membership.
And something like Cambridge Analytica’s use of a quiz app to steal the personal information of lots of people for marketing purposes further underlines points about data security and personalization that have already been getting a front-row seat during the early months of 2018, thanks to the European Union’s General Data Protection Regulation (GDPR), which takes effect in May.
In fact, Cambridge Analytica might sharpen the effects of GDPR noncompliance. In a recent op-ed piece for The Drum, Rapp UK Digital Media Director Jess Geary noted that the scandal was a perfect example of the potential impacts of GDPR in action.
“What is particularly interesting for marketers, is that this scandal feels almost like a movie trailer for the upcoming GDPR legislation in May,” she wrote in her piece. “This gives us a real working answer to the much-asked GDPR question of ‘how much do you think this will affect consumer behavior on the whole?’ If this is anything to go by, then it will affect their behavior to the tune of destroying brand trust along with billions in market share losses.”
To put this all another way, GDPR gives the EU’s data protection laws teeth, and the Cambridge Analytica saga—which also has a component that may have directly infected the Brexit vote, so it affects the EU, too—gives the public a reason to bite. Not exactly great news if you’re trying to keep on the straight and narrow with your data protection policy.
Worsening GDPR’s Pain
A while back, PwC Canada’s Constantine Karbaliotis, who heads that firm’s managed privacy services, wrote an article on LinkedIn in which he created a templated “nightmare letter” for any firm to be affected by GDPR compliance rules. The subject access request letter he created, essentially a thought exercise, was intended to show just how deep the GDPR rules could go and how much they could sting if used to the full extent of the law.
“It might be very entertaining to have this kind of letter actually sent by a friendly party to your own organization to see exactly how it would be responded to,” Karbaliotis wrote in the post.
And that’s if, from a compliance perspective, your organization is doing everything right.
Clearly, not everyone will—and the lingering damage created by Facebook and Cambridge Analytica highlights the depths of what could happen if organizations do everything wrong when it comes to protecting customer data.
We’ll see how this shakes out in the end, but at a time when “data compliance” was already a begrudging buzzword in many parts of the business world, the Cambridge Analytica saga makes things no easier.
If it was already giving you headaches, those headaches might be just a little worse.
Cambridge Analytica CEO Alexander Nix, who is currently suspended from his leadership role. (Web Summit/Flickr)