How about we take a few folks from the USDS put them on a project to audit any business selling personal data without opt in from individuals, and proactively require them to prove funds to cover monitoring for everyone in their databases in case of breach? If they can't cover, they can't operate. Or at the very least the government could put them on a watch list to warn other businesses not to purchase data from them because risk is high / quality is poor.
At the very least, this would shut down the long tail of small data grifters, maybe even force the bigger brokers to re-evaluate their business model.