Is it necessary to use CSRF protection?

Is it always necessary to use CSRF protection? What happens if you don't?

It is something you should add. You risk accounts being compromised, data being changed that the user didn't do themselves, and more.