There's a distinction between being a data controller and a data processor.
The businesses that use these platforms are the data *controllers* and are responsible for implementing consent, "do not sell my information", "show me my data", or "delete my data" flows as required by law. The platforms generally offer APIs to implement these required data flows in a centralized way, which is another major value prop for them.
The platforms serve as the data *processor* and can assume the data is compliantly obtained by the controller until informed otherwise.
The sustainability of that model of responsibility must be in doubt, though. Take a simple case like a website that loads a resource from somewhere else. Given how the technology works, any model where the original site is responsible for everything and the user's data is supposedly protected is obviously misleading, because very often it's the third party services that are run by the bigger, more powerful, data-hoovering businesses, and neither the original site nor the user may be fully aware of what is happening or have any practical control over it. The model assigns responsibility where it's convenient, not where it's reasonable.
In that situation, the third-party that is actively collecting and transmitting the data becomes a controller and is subject to regulation.
Under the predominant data transfer model, the third parties cede responsibility by making the data transfer an active behavior by businesses. Ad tech companies can say "We didn't actively collect the data from customers - we passively received it from businesses." That makes a huge difference in terms of regulatory compliance.
That said, this has been the most common data transfer model for years. "Data hoovering" is a misconception that allows millions of businesses who actively send customer data to Google/FB to shift privacy criticism onto the platforms.
In that situation, the third-party that is actively collecting and transmitting the data becomes a controller and is subject to regulation.
And yet they may have no direct interaction with the user/data subject, who may not even be aware that they exist, so this model is still flawed.
"Data hoovering" is a misconception that allows millions of businesses who actively send customer data to Google/FB to shift privacy criticism onto the platforms.
I would have much more sympathy for this point of view if the likes of Google and Facebook were transparent with businesses integrating with them about what that really means in practice. For example, if we did a survey of local stores with simple websites that include any Facebook asset on their site, how many of them do you think could accurately describe the implications in terms of tracking their users? What about sites that use Google Fonts? I'm not even talking about asking businesses to actively upload their user contact details for targeting or deliberate tracking like Google Analytics or Facebook pixels here, just the incorporation of any third party resource into a website.
It's also important to say that this isn't just about Google and Facebook. Many third party resources you might incorporate into a site for some reasonable purpose could also be used for tracking, while the site operators may or may not be fully aware of what is being done and the visitors may not be aware of the resources at all. Think of a CDN used to improve performance or a payment service that recommends including its scripts across all pages on a site to feed into risk analysis, for example.
The general problem is the same in all of these cases. The way the technology actually works doesn't match with the way authorities are attempting to regulate it. Unless you're willing to interpret the current regulations strongly enough that some behaviours with legitimate uses are also effectively prohibited across the entire Web (at least within your jurisdiction), I'm not sure you can ever square this circle as a regulator operating within the current frameworks.
CCPA/GDPR don't really prohibit you from doing things with data or sharing with 3rd parties; you just have to be really upfront about it.
Say you were going to take the "Contact Us" form submissions from your website and push those to Zapier to check if they were legitimate (before sending email to the addresses); you would need to disclose what 3rd parties you're using, what data is shared with them, etc.