They can still use sufficiently anonymized data under GDPR. They also will have data from people who have consented to have their data used. They will also have data from visitors who are not in the Union.
I would not at all be surprised if this is enough for the machine learning and data science people to be effective, especially at very high traffic sites like Facebook and Twitter.
I don't believe for a second that they can make the data "sufficiently anonymized". That is extremely hard and pretty much every time "sufficiently anonymized" data gets leaked it turns out it weasn't sufficiently anonymized after all.
Anonymization won't really help because you can't store unique identifiers. IPs, emails device identifiers, etc and anything derived from them (no hashes of that data either) are all prohibited. So you can't really build a profile of someone if you've got no key to look it up when you need to target someone.
But that still prevents the entire targeted ad industry. If you can't hold any identifying information on a user that didn't opt-in to tracking, you can't show targeted ads to that user.
I would not at all be surprised if this is enough for the machine learning and data science people to be effective, especially at very high traffic sites like Facebook and Twitter.