Re: What to do
"... prohibit the transfer or sale of any personal data without informing the person of what data will be transferred and gaining the specific consent of the person for each and every transfer."
The transfer is far from the main problem. What gets done with the data by the recipient is the main issue.
This is where the GDPR fails to pass muster. It requires a data controller to fulfil their obligations to the data subject up to the point of transfer, but no further, whether the recipient fulfils their obligations or not. A commercial originator of the transfer is in general only required to [a] establish that an "adequacy decision" is in place; [b] ensure the presence of contractual terms, binding corporate rules or approved codes of conduct with the recipient; [c] declare that the transfer is necessary for a contract with or in the interest of the data subject; [d] required by law; or [e] that they have obtained the data subject's consent for the transfer. (GDPR Chapter V).
The problem is that in case [a] an adequacy decision is a national scale matter that says nothing about the performance of an individual business notionally covered by it; compliance with contractual terms and rules is impossible for a data subject to verify; what is necessary for or "in the interest of" the data subject does not limit a data controller's choice of individual recipients of a transfer, only the general nature of the service provided by it; and consent for the transfer has no force to control how the data are processed once transferred.
While a data controller has various obligations to check the integrity and performance of data processors it uses, these obligations [a] do not extend significantly to recipients acting as data controllers, and [b] are entirely validated for adequacy by the data controller. So the party responsible for fulfilment approves their own performance.
The overall consequence is that a data subject has no real recourse in respect of data transfers. In order to exercise their rights, they would have to independently challenge the recipient (usually in a foreign jurisdiction) as well as the originator, and the disparity of scale and power typically precludes any challenge succeeding.
Consent, as will be apparent from the above, is not a sufficient protection.