If consent rules were properly applied and, if breached, properly sanctioned, that's part of the answer. There's an issue if a first company acquires information. To do that, there needs to be a link to the services it offers to the customer. Then consent can be obtained for other purposes. Is that consent properly applied? If not, which happens, there should be a sanction against that company, which leads to another company that also has an obligation to collect but only for certain purposes.
If you follow that chain, I think the concepts exist in the law, consent being an important one. What's missing, at least in Canada, are the real sanctions for those who violate these laws.