If targeted advertising needed indicators of both enormous growth and potential threats ahead, several recent events have been only too happy to oblige. On the one hand, this is the year mobile will edge out TV as the dominant advertising medium in the U.S., according to a forecast from eMarketer, just as Google continues to roll out products and services that make life and its logistics more seamless. On the other hand, the Cambridge Analytica episode has provided a cautionary tale in what can go wrong when a trusted tech giant like Facebook loses control over its users’ private data.

Another wild card has just begun to reveal itself. The General Data Protection Regulation (GDPR) went into effect last month, granting individuals a greater degree of control over how firms gather, store and use their personal data. The GDPR was crafted by and for members of the European Union, but because commerce and data move freely across international borders, many firms in the U.S. and across the globe have decided to conform to its guidelines.

What exactly will it mean in the U.S.? Even the federal government appears to be unsure. “GDPR’s implementation could significantly interrupt transatlantic cooperation and create unnecessary barriers to trade, not only for the U.S. but for everyone outside the E.U.,” wrote U.S. commerce secretary Wilbur Ross in the Financial Times. “We do not have a clear understanding of what is required to comply.”

What the GDPR does clearly promise, says Wharton marketing professor Peter Fader, is both some benefits and hurdles. “It will force companies to take a closer look at their data infrastructure, much more so than they would otherwise — and we know it’s a big mess out there,” says Fader.

It does, however, also pose a threat to targeted advertising, he notes. “I think it’s well intended. And if it would be to simply have a greater sense of privacy, who could argue? But I don’t think there was a lot of data science taken into account when they came up with the regulations. I don’t think they fully appreciate the value, even societal value, that people’s lives are improved by having nice products and services catered to their needs. I think there is a bit of baby with the bath water here.”

The GDPR, which is another iteration in the ever-evolving concept of what it means to have the right to be forgotten, will “have a significant impact on the ability of firms to target,” says Wharton marketing professor Eric T. Bradlow, faculty director of the Wharton Customer Analytics Initiative. “I think about advances in targeted advertising in the past 15 or 20 years, and one is that we do better targeting because we have better data. The other is machine learning and our ability to find patterns we couldn’t find before, and computing and cloud computing will allow us to do more in a faster time. I’ve been a data person, and most advances come from better data, and if you restrict access to certain kinds of information, some people say that will be made up for by better modeling or better computing. I don’t think so.”

“[GDPR] will force companies to take a closer look at their data infrastructure, much more so than they would otherwise — and we know it’s a big mess out there.”–Peter Fader

Designed to Serve Mankind

Not all targeted advertising is created equal. At the simple end of the scale, advertisers place ads on websites where they think subject interests align. One degree more sophisticated is contextual advertising – where, say, a car ad shows up only alongside articles about cars. And then there are ads that take into account private data, such as location or demographic information. Still, even at the sophisticated end of the scale, nearly everyone knows the feeling of being shown digital ads for car insurance when you don’t even own a car, or banners for a sale on clothing for the opposite sex.

“It’s ineffective as well as annoying,” says Fader of some targeted advertising, and over time, “a lot of the annoying stuff will collapse under its own weight.”

The smart companies, he says, are ones like Netflix, which has “looked at DVD movie preferences and made that into a broader array of content to the point where they know what they should be producing.” Electronic Arts, the video game company, is another. “They are looking at granular customer data to come up with ads and targeting strategies to figure out what kinds of products they should be producing in the first place. By being smart about it they are even using less data,” says Fader.

The ability for the data to be more predictive will grow, says Wharton marketing professor Gideon Nave. Key to being predictive is the ability to peer into people’s personalities, and often this data can be extrapolated from sources users might never suspect – such as musical preferences. Reactions to unfamiliar musical excerpts predicted individual differences in personality – most notably openness and extraversion – above and beyond demographic characteristics, showed Nave and his co-authors in “Musical Preferences Predict Personality: Evidence from Active Listening and Facebook Likes,” published in March in Psychological Science. Another part of the study showed that Facebook “likes” for musical artists also predicted individual differences in personality.

“The effects of one ‘like’ are not big. But with 300 ‘likes’ you can predict one’s personality as good as his or her spouse,” says Nave, speaking not about the study, but about “likes’ generally.

Where are we in the arc of potential efficacy of targeted advertising? “I think on the mathematical and computing side, we are in the second half,” says Bradlow. “On the kind of data we can use for re-targeting, I think we are in the first quarter. It’s still an open question of what’s predictive, what kind of data are available in the future of brain science that would be predictive. On the modeling/computing side, we’re pretty far advanced. I think the new data streams is the bigger part of the future that remains unknowable.”

With potential advances on the way, it’s easy to understand the impulse for regulation, and “better and more comprehensive privacy laws are necessary and important,” says Kevin Werbach, Wharton professor of legal studies and business ethics. “The challenge with GDPR is inherently a trade-off between creating something that is strong and comprehensive and something that is sufficiently flexible and workable. The question is what enforcement is going to look like. It’s really impossible for any major enterprise to be confident that it is fully compliant across the board. There are a large number of provisions that leave room for interpretation. There is so much information flowing through organizations these days that while it’s an admirable goal to have consistent policies and to adhere to standards to protect users, it’s just impossible for any company to try to keep track of everything and ensure it is meeting these standards. GDPR is a very tangled, complex law with many overlapping provisions.”

“[Most] advances come from better data, and if you restrict access to certain kinds of information, some people say that will be made up for by better modeling or better computing. I don’t think so.”–Eric T. Bradlow

The European law sets out certain rights for individuals: that their personal data collected by firms be stored in certain ways, that it be shared with the individual upon request and that it not be shared without explicit permission. Penalties potentially range from warnings to fines as high as 4% of worldwide sales.

Broadly speaking, the GDPR itself states that its intention is to “contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.”

Its 99 articles set down on 88 pages are largely prosaic, though it also enshrines ideals in a flourish of poetry that declares it was designed to serve mankind – a striking reminder in an age when many workers feel as if they, the humans, are constantly finding themselves answering to the technology.

“The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality,” states the GDPR, which goes on to speak about “respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”

Like the right to liberty, we don’t know exactly what technology will mean 100 or even 20 years from now, “so because of that the language has these grand strokes about how it attempts to guide policy for a long time,” says Maurice Schweitzer, Wharton professor of operations, information and decisions. “It does underscore that they are taking the issue quite seriously. I think it’s going to be an enduring challenge where there isn’t a way to easily get this right. When you ask for a recipe, do we want the search engine to know that you’re gluten-free? Maybe we do. And when Amazon gives you a book recommendation, do you want it to know you gave a great review to three other books? Maybe we do. So the privacy challenges are incredible and reflect a completely different type of thinking than we’ve had in the past.”

With Constraint Comes Creativity

That the GDPR might stanch the flow of information is not all bad, many say. “Firms will have to think more carefully about the data they collect,” says Bradlow. “Certain kinds will become more popular or relevant. It’s not that firms will find ways around what’s legal. But they will find legal and appropriate data to collect that they hope will allow them to do targeted advertising.”

“The challenge with GDPR is inherently a trade-off between creating something that is strong and comprehensive and something that is sufficiently flexible and workable.”–Kevin Werbach

In any case, many firms are currently scooping up more data than they actually need for their purposes. “A rule of thumb for good data that is predictive and helpful – if it’s creepy, if it makes someone uneasy, then it’s probably not very predictive anyway,” says Fader. Just because you are walking past a Starbucks and your iPhone senses that and shows you an ad doesn’t mean you’re likely to walk in, he points out. “A lot of stuff isn’t really useful, or it’s data that is very compelling because you can picture it, as opposed to boring transaction log data. To me that is the gold. Tell me who did what but not the cheap talk about how many stars they gave on Yelp.”

GDPR has elements that are likely bad news for some firms and good news for others, says Wharton marketing professor Ron Berman. “I think it’s a big blow to many companies who were using what I would call potentially unethical practices, scraping Facebook without permission or using third-party information on the gray line,” says Berman. “If you still do contextual advertising and you’re not using anyone’s private information, this is not going to change anything.”

On the upside, because GDPR also gives customers access to data about themselves if they want it, it means companies can incentivize customers to get that data and pass it on to them. “Which means I can say, ‘If you want better service, give me that data.’ So GDPR makes it hard to use this information without consent, but at the same time it opens up a lot of information that was behind closed doors. This way I can learn to better target people on Facebook or Google,” says Berman.

One example: When customers find products through Google searches, advertisers would like to know what other competing products they considered before they made their choice, so they can target those other keywords for ads, or emphasize the differences from these products. “Now you can ask your best customers to share their search information with you, which would have been hard before,” says Berman.

For targeting techniques using a person’s Facebook “likes,” a company that asks that an ad be shown to everyone who ‘likes’ brands A, B and C would be able to have direct access to that information. “In order to be able to target people by their ‘likes,’ you need to know what other brands your customers ‘like.’ Having them download their Facebook data and provide it to you will allow you to do this analysis,” he says.

The potential echoes the kind of crossover appeal that Amazon has leveraged by learning that many of their Prime customers are also Whole Foods customers. “A company can do a similar thing,” says Berman. “If they are a backpack brand, and they learn that their customers ‘like’ a specific clothing brand, they can approach them for a collaboration to create a new clothing/bag collection, and their customers will be happier.”

“The privacy challenges are incredible and reflect a completely different type of thinking than we’ve had in the past.”–Maurice Schweitzer

Will the U.S. Adopt GDPR-like Regulations?

Should firms beyond the E.U. fear that the GDPR is the thin end of the regulation wedge? GDPR follows of a string of European activity on this issue for more than 20 years, Werbach points out. It’s not likely that a U.S. version is coming anytime soon, but perhaps someday, he says. “I think the level of frustration is growing and the Cambridge Analytica case and others have started to change the tenor of the debate. If it’s just about privacy, there is a much stronger perspective in the U.S. that this is a market phenomenon as opposed to a human-rights phenomenon. So it’s always been hard to succeed in adopting principled privacy legislation when there is such a strong expectation that when there is a problem it’s a market failure. I could see more pressure. We weren’t that far away during the Obama administration. There was a proposed consumer privacy bill of rights, not as huge as GDPR, but it was the foundation for comprehensive digital privacy legislation. It didn’t pass, but it wasn’t crazy to think it might have passed Congress. When the political climate changes, yes, I think we’ll see things.”

But it will likely take public sentiment to propel government action. What kind of an event could steer public sentiment in the U.S. to get behind GDPR-like regulations here? “I’m not sure I have a great answer,” says Bradlow, “except I would think if a widespread breach of data happened, with identity theft on a massive scale, that would have a dramatic impact on regulations and society.”

Right now, with the increasing integration of technology into the daily tasks and routines of millions and its corresponding monetization for firms like Google and Facebook, the incentives for doing nothing are only growing.

“At the end of the day, if we ignore the safety and security side for a moment, do consumers benefit? Of course they do,” says Bradlow. “We get better recommendations, better products and better prices, and a lot of the time we get things for free on the Internet because of targeted advertising. We have to see how things evolve societally. There is an individual difference, there are groups that care about privacy and groups that don’t care. It is the classic tradeoff.”

Which will prevail: the right to be forgotten, or the knowledge that firms have that the public forgets quickly? Cambridge Analytica was probably a wakeup call for Facebook, says Nave. “But I don’t know about for people. I am not convinced that people care and that they have not already forgotten everything about it.”