You can’t un-sell data though. Sure you may ask nicely that the buyer doesn’t use it and deletes it, but at that point the cat’s out of the bag.

In praxis, yes especially if it has already left the jurisdiction.

Disregarding that, laws don't apply to the first processing party only. If you keep data, that you got informed are not consented to anymore, it is the same as if you keep selling fenced goods.

I'm not sure the entities buying that kind of data care too much.

Corporations seem deathly scared of GDPR, for some reason, while in reality it's enforced about as much as American antitrust (not at all).

Same goes for any "regulation" in the states. Gov't does their job only when it brings revenue in the $$$$$$ territory. Everything else is civil and ignored - even if it's promoting the sale of millions of protected information.

Of all the reports I've submitted (evidence included) followups and fines have been issued to exactly 0 companies. Hell, Quadlock [phone mount company] happily acknowledged that their policy is to verify identity by requesting plain emails including photocopies of the credit card used for purchase and full state ID. Absolutely against regs.. who cares? Not the SCC nor the FTC.

While it’s not enforced perfectly, saying it’s not enforced not at all is just untrue.

Noyb alone has several hundred successful GDPR lawsuits: https://noyb.eu/en/project/cases