May 24 – Facebook, Google and other Silicon Valley internet giants have reaped billions in advertising profits from detailed information they glean from users of their free online services.

But those profits could be threatened by stronger European digital privacy protections scheduled to take effect Friday that put limits around the personal data those companies can collect and store. The General Data Protection Regulation, commonly called GDPR, is expected to pave the way for similar laws in the United States.

"For people interested in privacy, that's undoubtedly going to be a good thing," said Abhishek Nagaraj, an assistant professor at UC Berkeley's Haas School of Business.

"But the impact (on) the design of future technologies cannot be overstated," Nagaraj said. "Anyone wanting to start an online business will have to worry about it. That's something that might be an unintended consequence of this legislation."

The GDPR is a broad set of digital privacy regulations passed by the European Parliament and Council in 2016 to replace older rules enacted in 1995. The regulations widen the definition of personal data that can provide information about an individual, including names, internet protocol addresses or identification numbers. They also give consumers control over what companies can do with that data and the right to request that data be erased.

The penalties for breaking the rules are potentially massive: 20 million euros (about $24 million) or 4 percent of a company's global revenue for the previous year, whichever is higher.

Because the GDPR covers the digital rights of European Union citizens wherever they are, companies that conduct business online know they could be affected. Facebook and Google, for example, have each extensively revised privacy policies to prepare for the GDPR.

Facebook CEO Mark Zuckerberg, who's become the poster boy for data privacy problems because of the Cambridge Analytica scandal, told European Parliament leaders Tuesday the Menlo Park social network will be fully compliant with GDPR when it starts. European users will be prompted to review an "extensive flow" of information before they can use Facebook that day, although many have already chosen to go through the steps ahead of time, he said.

The looming threat of penalties is one reason people around the world are seeing a slew of emails and pop-up messages from their favorite websites and apps asking them to review carefully reworded privacy policies or to actively agree to keep receiving marketing emails.

"In order to comply with the new European Union's General Data Protection Regulation (GDPR), from May 25 on, we can only send emails (approx. once every 6 weeks) to subscribers who have requested them," read one typical email from a wine industry group.

But advertisers and marketers who have relied on technologies to target specific messages based on a consumer's location, interests or activities online could see their business upended.

"GDPR has the potential to cause a very seismic, cataclysmic eruption in the advertising landscape," said Michael Priem, founder and CEO of Minneapolis advertising firm Modern Impact. Priem's company has long relied on tech-fueled strategies.

On the other hand, Priem said the regulations will force marketers to better communicate with customers. "When consumers feel they're giving up data and not getting anything in return, that's when they feel concerned," he said. "That's what the advertising world has not done a good job of."

Advertising expert David "Doc" Searls, a fellow at the Center for Information Technology and Society at UC Santa Barbara, said the GDPR will "pop the ad-tech bubble."

"Marketing and advertising were both doing fine before they became trackoholics and started driving drunk on personal data," Searls said in an email. "I don't know if the GDPR will break their addiction, but it is already sobering them up. We'll know a lot more after the EU starts laying fines on violators."

Anne Toth, head of data policy for the World Economic Forum, doesn't expect the GDPR to cause drastic changes immediately, at least until after the first fines are levied.

"The internet is not going to blow up, these companies are not going to go away," said Toth, a former privacy and policy executive for Google, Yahoo and Slack. "It will take a year or two longer to figure out what actual compliance looks like."

Toth also doesn't believe consumers will change their online behavior dramatically.

"Individuals want the convenience and benefits of technology," Toth said. "The question is how do we put the appropriate controls on these organizations and services that are collecting this information. GDPR at its core is trying to give substantial teeth to the notion that you control that information yourself."

Liz Miller, senior vice president of the CMO Council, a San Jose organization representing corporate chief marketing officers, said she has met "few people who have said this is horrible."

"People are like, when is the other shoe going to drop here in the United States?" Miller said, speaking of the advent of EU-style regulation. "It's a matter of when, not a matter of if. But it's not a bad thing to try to do. For major marketers, the GDPR is going to be a great thing, to actually help improve the customer experience. It's going to be an opportunity to build trust."

A council survey across Europe last year found that 80 percent of people were willing to share some personal data with companies, Miller said. The other 20 percent, who were predominantly men ages 55 and older, did not want to share any data, she said.

But consumers also said they wanted something in exchange for their information and did not want to feel like they were being stalked "with things they don't want," she said. "What consumers want is responsible usage of that information."

San Francisco Chronicle staff writer Wendy Lee contributed to this report.

Benny Evangelista is a San Francisco Chronicle staff writer. Twitter: @ChronicleBenny

About the GDPR

GDPR stands for General Data Protection Regulation, a set of European Union rules effective Friday covering the processing and storage of personal data.

What does GDPR cover?

GDPR specifies how a company can request, use and store personal identification, including:

name, address, personal ID numbers and other basic data

location, IP address, cookie data, RFID tags

medical or biometric data

racial or ethnic data

political opinions

sexual orientation

Who does GDPR cover?

European Union citizens, even those living outside the EU

What happens if the rules are broken?

Companies pay a maximum fine of $24 million, or 4 percent of worldwide annual revenue for the prior fiscal year, whichever is greater.

Source: Chronicle research