spirit of the GDPR
Lots of American commentary is getting hung up on this point: that really the EU wants companies to stop collecting data, so have come up with a draconian law to make it difficult.
But that is simply not what has happened. The EU just wants companies to be responsible with data, under threat of a potentially massive fine.
6(1)(f), for those who don't want to look it up, is the "Legitimate interests" grounds for data collection. It states:
Art. 6 GDPR Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
That's the letter of the law, and it is pretty easy to comply. The onerous bit is implementing encryption everywhere, documenting everything, implementing user access controls, creating data deletion regimes, training staff in Right to Erase, Right to Object, Right to Access etc.
Collecting data is still easy. Very easy. This is not a response to Facebook/Cambridge Analytica. It predates it.
All you have to do is state what you are collecting, that it is in your legitimate interests to collect it, and what you are using it for. And then not to REPURPOSE that data once you have it.