Data protection has been in the news a lot lately from Facebook selling its users’ data to Cambridge Analytica to the upcoming European General Data Protection Regulation (GDPR) law. Data protection is getting complicated.

What, if anything, will happen to Facebook is unclear as of press time. Mark Zuckerberg, Facebook CEO, apologized on CNN on March 22, 2018 for the company’s actions but Facebook faces international investigation, and, in the most brutal cut of all, Facebook shares fell $60 billion in the aftermath with Zuckerberg himself losing $10 billion in wealth. Short of deleting third-party apps that mine their data such as those quizzes that will tell you what ’80s movie you are, Facebook users need to tread lightly and realize the platform really isn’t free, present company included.

The sweeping GDPR law goes into effect this May and, according to, “introduces a completely new regime in terms of data protection. The balance of ownership of personal data shifts from the company to the person, with greater rights for the individual to decide how corporations use their data.”

“Company” in this case can mean any company — including data centers in both Europe and the U.S. — that collect data about European customers. Failure to comply can mean stiff penalties, from greater than €10 million or 2% of global annual turnover related to technical failure to the greater of €20 million or 4% of global annual turnover for “non-compliance with key provisions … including infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection,” according to Imperva.

Hmm. Facebook’s actions will not win it many friends in the industry who were hoping that GDPR enforcement will be lax. According to Digiday, “vagueness around how the GDPR will be enforced has lulled many businesses, particularly in ad tech, into what may be a false sense of security.” This belief has all but dissipated now and companies will be watching what happens to Facebook as an indication of how serious the ePrivacy regulations will be taken once the law goes into effect.

And if nothing happens to Facebook? Watch your data anyway and don’t trust it to just anybody, no matter how bad you want to know what ’90s sitcom best represents your character.