I really feel like the first step here should be to make deanonymization illegal. Obviously it wouldn't fix everything, but there's a bit of an implicit breach of contract if people are promised their data is anonymous, but then it's sold to someone else who breaks that, but as far as I can tell there's no law against what's pretty clearly a violation of the premise under which the data was allowed to be collected.