At what point do we not allow companies to own this data beyond a transaction.

Lets be honest no one can keep this data without eventually being hacked, so maybe they shouldn't have it after that transaction.