In the US company can buy your information from data brokers. It contains your social networks, opinions etc. In EU doing that would be huge risk and it's not generally done.
Just because there are loopholes and regulations can be violated does not make regulation pointless. It directs behaviour and what is considered acceptable.
I think there are two ways to manage these types of issues.
1. Bring it fully legal and have a large impact on how it is done in cooperation with government. It could be beneficial to allow government insight so that it can prepare the general public about what is going on or how society might reflect on it. In general I believe we should be aware of all of the things this data can do. If during full disclosure people want this data regulated so be it.
2. Criminalize it (hard mode). It looks like with GDPR it will be criminalized and it will rely on companies using good faith on acquiring data like this. It will be regularly impossible to defeat all criminal actions but there will be no question who has the athority on such measures.
With regards to both methods i see huge problems in the public understanding who is using and how the information is used. So it seems for now there is a few options left. One of which is to restrict knowledge and keep good people in power with the opportunity to use this data. Even with that we fail daily.
everything is a struggle but perhaps this issue might shape how humans interact with eachother in the future the most.
Just because there are loopholes and regulations can be violated does not make regulation pointless. It directs behaviour and what is considered acceptable.