If you're referring to Cambridge Analytica with your Facebook example, Google have provided APIs for 3rd-parties to access private user data for many of it's services, just as Facebook did with Cambridge Analytica. For example, the G Suite Marketplace lets many companies read all of your emails.
Both require an auth consent screen with permissions listed, where it may or may not be clear to the user what's being shared.
Only a few thousand people clicked through consent pages to share data specifically with the Cambridge professor who shared data with Cambridge Analytica. Facebook's APIs allowed that professor to then get data about those users' friends, who never made an agreement with that professor. Facebook has since shut down that API. https://techcrunch.com/2015/04/28/facebook-api-shut-down/
Both require an auth consent screen with permissions listed, where it may or may not be clear to the user what's being shared.