They have that much data because data selling is also a business.
Not only the ad-servers are buying and selling data, your ISP is also selling your data, pretty much every website you visit is buying and selling data, thousands of times per second, and the acceptance of all that is hidden somewhere in the fine print of Terms of Use and Privacy Policy and under the fancy abusive-manipulative term of “How we serve our customers”.

The hypocrite society is debating toxic masculinity and toxic femininity meanwhile toxic governance and toxic business practices are nowhere on the radar.

GDPR tries to ensure that businesses collect no more data than necessary to provide the service, and save it for no longer than required for giving that service. It is a common sense security practice, which is not so common.
“The only sure way not to lose data is to not store it in the first place. If you don’t need it, don’t collect it. If you collect it, don’t store it any longer than needed.” See more https://arstechnica.com/tech-policy/2024/01/23andme-shamelessly-blaming-users-for-data-breach-lawyer-says/?comments=1&post=42477539

Something of the sort is also under progress in Pakistan by the name of Personal Data Protection Bill since 2014 or even before. It had been ratified by the Senate in 2022 https;//www,ajj,tv/news/30278741/, but still not enacted as an Act or Ordinance.

You can find the latest draft at the Draft Legislation page https://moitt.gov.pk/Detail/YjVmNzU0MWMtYzBkMC00Yjg5LTk1ODktOTJiODYzZTY5ZWRk or through direct link https://moitt.gov.pk/SiteImage/Misc/files/Final%20Draft%20Personal%20Data%20Protection%20Bill%20May%202023.pdf.