The news that Cambridge Analytica, the shadowy, digital political consultancy, may have misused user data obtained from Facebook is reverberating throughout Washington and foreign capitals. The immediate fallout has been calls for Congressional and federal investigations into what happened. The Federal Trade Commission has taken the unusual step of publicly announcing a “non-public” investigation into whether Facebook breached the terms of a 2011 consent agreement with the agency. A coalition of 37 State Attorneys General has also sent a letter to Facebook demanding information about how the company handles information collected by users.

Of course, it doesn’t help that Cambridge Analytica’s Chief Executive Officer was caught on hidden camera pitching outright blackmail and dirty tricks to sway future elections. But, the real scandal appears to be that Cambridge misused information collected from Facebook members and their friends in order to psychologically manipulate them to favor one candidate over another. The ensuing media attention has brought to the fore concerns that have been simmering for years, but which have until now largely been ignored by average consumers.

Unfortunately, scarcely a day goes by that there is not news of a data breach from a retailer, financial institution, or healthcare company. The average consumer affected by such a breach receives a notice offering free credit-monitoring, which they may simply toss in the trash. The routinization of data breaches has made the experience of being one of the masses whose information was disclosed almost frictionless for the average consumer. And, while there are certainly horror stories about identity theft, most consumers are unaware that free, ad-supported websites can track and sell information from users. Most consumers do not understand their rights and remain largely unconcerned about privacy and data security. Until they are personally affected in a material way, that attitude is unlikely to change.

The Cambridge Analytica scandal, however, may be a watershed event. The pressure being brought initially to bear on Facebook is a harbinger of broader scrutiny on information collection practices across the ad-supported internet. As one commentator recently wrote, “the Cambridge Analytica scandal isn’t really about Cambridge Analytica at all. This is a data collection scandal.”

There has been an ever-expanding net of information collection practices and monetization of consumer information by internet companies, which sell such information to advertisers. If a backlash against information collection and sharing takes hold, as it appears it might, there may be profound implications for the ad-supported internet ecosystem.

Indeed, Facebook itself has called for actual regulation of some information collection and sharing practices. IBM and Apple have followed suit. What is that regulation likely to require? It is too early to say, precisely. But, early calls have been focused on curtailing the influence of foreign money on political advertising through social media channels. The so-called Honest Ads Act would regulate political ads on social media to the same extent as currently regulated on broadcast television. This is low-hanging fruit. In addition, the European Union is in the midst of implementing the General Data Protection Regulation (GDPR), which requires of companies that do business in the EU market who collect information on consumers to spell out clearly the information they seek and to get express consent to such practices. Although GDPR is an EU regulation, it is bound to affect a huge number of American companies doing transatlantic business and therefore, is being voluntarily adopted on a company-wide basis by many U.S. companies.

In the meantime, conditions may be ripe for market disruptors that have more protective data policies. At present, there are few competitors on the scale of Facebook to which consumers could migrate in order to avoid these extensive data collection practices. Perhaps this is why the #DeleteFacebook campaign on Twitter peaked last week, having garnered even fewer mentions that the #DeleteUber campaign last January.

Also standing in the way of such a migration are huge switching costs. Consumers, having spent years building up memories, photographs and networks on Facebook are reluctant to leave that all behind. What if users were allowed easily to export all of the data that they have created and bring it to another platform? Researchers have written to suggest that requiring data portability could enhance competition among online platforms, possibly encouraging the introduction of more privacy-protective social networks. Others, however, have written that the sheer scale and technology investment of companies at the size and development of Facebook make the barriers to entry huge and render data portability by itself unlikely to cause any serious change in market dynamics.

What happens in the meantime to Internet Advertising? Initially, little. The earliest impact will be to political advertising, which has always been a niche product. However, the measures required for compliance with GDPR, to the extent adopted by U.S. companies, are likely to be noticed by consumers and to raise awareness. In the advertising business, questions of information value and ability to monetize in light of regulation are growing massively in importance to investors. Privacy and data security, while once relegated to a “check the box” in due diligence, are now among the core concerns for any investor to a company with significant data operations or consumer-facing operations. Consumer product companies, which have been falling over themselves in a rush to develop online retailing platforms, will have to grapple with data sharing questions that they have not been accustomed to facing. And advertisers, which have sometimes mindlessly bought into “data analytics” for advertising targeting purposes, will need to pay more attention to the sources of those data.