Exactly. If a company wants to sell my data, they should have to make an explicit agreement with me to do that. If law enforcement wants data from my phone company, they should either produce a warrant or get my permission to release it. And so on.
If a company holds my data, they should be legally accountable for safeguarding it, and liable if it gets in the hands of someone I don’t have an agreement with. Banks do that with my money, I don’t see why social media companies should have any less expectation here.
And no, burying some form of consent in a TOS isn’t sufficient, it needs to be explicit and there needs to be a reasonable expectation that the customer understands the terms.
Cool, put some actual rules in place. I recommend a law that states that customers own their data and it cannot be stored or transferred without an explicit agreement to do so. And no, burying something dozens of pages deep into a TOS doesn’t count. And companies should have a very clear custodial obligation to safeguard any data they store, similar to how banks have guarantees against fraud.