Let’s say GMail (or whoever your email provider is) starts offering a secondary password for you mailbox that allows full read-only access (people can’t use it to send emails, delete or hide emails you received, etc. Only read).

Would you be comfortable putting that in plain sight where everyone could see it?

If you are comfortable with that, then no, you probably don’t need to care about who is selling what data to whom.

If you are not comfortable with that, then that’s your answer.

How it works? Well, just like how selling anything else in bulk works. Two companies: one which has the data, (e.g., MAGA), and one who wants to do stuff with it (Cambridge Analitica), dress up a price and a contract. With the contract in place the data transfer is implemented.