Unless you live under a rock, you’ll know that the EU’s General Data Protection Regulation (GDPR) comes into effect later this month.

In short, it’s a new regulation that will impact any firm, anywhere in the world, offering a product or service to individuals inside of the EU, which means US companies are bound by the mandates of the regulation if they process EU data.

You’ll also know that it couldn’t come at a better time in light of the recent Facebook/Cambridge Analytica scandal (which—after 50 million people’s data was harvested without their consent—forced the data firm to cease trading, wiped $60 billion off the value of Facebook’s shares, and saw Mark Zuckerberg called before US Congress—a really bad time by anybody’s standards).

In the seven weeks since the story broke, the question on everyone’s lips on both sides of the Atlantic has been: would Facebook and Cambridge Analytica be in breach of GDPR had it happened after May 25th?

Listen up fence-sitters, this next part affects you…

The answer is yes. Why? Because GDPR exists to protect personal information from this exact type of misuse. What’s more, if any of the 50 million impacted users had been EU citizens—yep, that includes US citizens living in an EU country—Facebook would have been asked to cough up a $1.6 billion financial penalty (no, really).

Interestingly, residency is the criterion used to determine the application of GDPR, not citizenship. This makes it even harder for companies to establish whether or not the personal information they hold is protected by the regulation.

The lesson here then, is:

If in doubt, don’t use it, share it, or collect it without explicit consent.

And DEFINITELY don’t sell it.

While the jury is still out on whether or not Facebook’s actions have had a “meaningful impact” on the company, data and privacy are really hot topics among your consumers right now. Fail to put them first, and you can bet your ass you’ll finish last…