Facebook may be correct in insisting the Cambridge Analytica scandal was not a security breach. And yet the fallout from the incident is still building several years later — with a $5 billion dollar fine levied and the recent reveal of emails suggesting Facebook knew about the problem earlier than previously thought.

While Cambridge Analytica did, in fact, shut down as a result of the scandal, reportedly no individuals were charged. Meanwhile, Facebook may still be under a tremendous amount of scrutiny.

So what should we take away from the incident? Here are six lessons the Cambridge Analytica scandal can teach American businesses, and what we as consumers can watch for.

1. Misusing personal data may be just as serious, if not more so, than a breach

A breach occurs against a company’s wishes, bypassing whatever security measures were in place. Misusing personal data, on the other hand, is a decision made by a company to use that data in an unsanctioned or inappropriate manner. This can make a huge difference in public opinion as well as the response from regulatory and legislative bodies.

Things to watch for as a consumer: signs that a company might be playing loose with your data, such as vague or missing privacy policies and unexpected contacts from related sources after providing them with personal data

2. Transparency builds trust when requesting personal data

Every submission form — whether it’s an online transaction, a newsletter subscription, or a request for information — should have a privacy policy attached. This should clearly let you know how committed a business is to your privacy, what they intend to do with your data, and under which conditions, if any, they would share your data.

Things to watch for as a consumer: policies that are so complicated you can’t understand what the company intends to do with your data

3.  Ask ethical questions when privacy issues are involved

It’s easy to view data privacy as a simple matter of following laws and regulations. But the Cambridge Analytica breach should teach us that people view their private data as something more… something that should be constrained by ethics as well as by law. Many consumers simply don’t understand how supplying data here and there can grow their digital footprint, or what companies can do with that data. They assume each company will respect and protect their privacy, but some companies may not see an ethical dilemma as long as the actions they take are legal. Cambridge Analytica revealed that potential divide between corporate and consumer expectations.

Things to watch for as a consumer: read the company’s terms of use before supplying it with your data to see what type of caretaker it aspires to be. Keep in mind that while ethics might figure prominently in those terms — and even in vision and mission statements — it might not be a true indicator of what’s really happening with your data

4. Individuals prefer having a choice in how their personal data is used

When consumers give data to a company, they might be open to the idea of that company learning more about them so as to serve them better in the future… as in building a relationship. Or they might expect their data to be used only for the express purpose it was given for. The problem is, companies don’t know those expectations unless they ask. When companies assume whatever data they receive is fair game rather than asking, the result could hurt rather than build some relationships. Double opt-in subscriptions are one example where companies try to solve this problem by asking for explicit permission before sending anything from an email list… even though it’s already been requested. Another way for companies to provide data usage choices is through account settings, where consumers can authorize or turn off privacy and data-related features.

Things to watch for as a consumer: when it comes to signing up for social media or online accounts, is it clear exactly how the site will use your data and are there options to limit that use? Are you able to opt out of features like data tracking, location sharing or email notifications within the app or by using the account settings function?

5.  Protecting all that data requires more than cybersecurity

As we pointed out in a previous post, from a consumer viewpoint the convenience of storing elements of your digital footprint with many companies might not be worth the risk. The same can be said from a business viewpoint, too.

Storing large amounts of consumer data does give a business certain insights and advantages, if properly analyzed. But the lessons from Cambridge Analytica suggest that it requires a certain amount of responsibility, too.

So if companies choose to collect large quantities of consumer data, they should be prepared to protect it not only from external hacking, but also from internal temptation and misuse. A clearly defined privacy policy and ethical standards for data use can provide helpful guidance for companies deciding what they should and shouldn’t do with their data.

Things to watch for as a consumer: your expectation should be that the companies you do business with learn something from experiences like the Cambridge Analytica scandal. Providing good service while demanding less of your personal data is just the beginning.