No company can possibly be expected to know exactly who they have information about, as would be needed to publish the disclosure you're talking about. On any web server, you have countless logged HTTP requests that are effectively anonymous to the business, but if a subpoena comes in asking for all activity from a specific IP, they're forced to disclose that activity. Only once the data is in law enforcement's hands does it cease to be anonymous, so sites can rat you out without knowing your name.
The same scenario applies to third-party data sales. A company pays you to serve a tiny JS tracking snippet on your site, and because they have many such sites they can resolve the traffic back to real names, but you as a webmaster cannot. You've just sold data about a person you can't identify.
If they cannot identify me they don't have to publish.
If they subscribe to one of those services that has a pixel sized session on every page, aggregating all my details - then they have identifiable information, publish and pay up
The same scenario applies to third-party data sales. A company pays you to serve a tiny JS tracking snippet on your site, and because they have many such sites they can resolve the traffic back to real names, but you as a webmaster cannot. You've just sold data about a person you can't identify.