Re: I'm (still) puzzled.......
Well, on at least one point:
1. The sale of hacked data (e.g. the Equifax hack)
...there is something lawmakers can do to address the problem, and that is: Make it more costly, and less lucrative (in both the financial sense, and otherwise) to collect and keep so much data in the first place. To the point that, hopefully, companies think twice about glomming onto every piece of information they can hoover up, and are more circumspect in their handling of what they DO collect.
If there's less data in third-party hands, and it's better protected, then there will be less opportunity for hackers to acquire it, and they'll come away with less when they do. Or, at least, here's hopin'.
We'd all better hope, because it's clear the only chance lawmakers have of fighting illicit data transactions is if they choke off the supply. To accomplish that, they have a choice: They can either try to educate the public about better protecting their own data, or force companies to curb their appetites.
It seems they've correctly concluded that the education option is a lost cause. (Plus, to your second point, it's awfully hard to protect yourself when companies are pulling shady tricks behind-the-scenes to invade your privacy. Even harder if those tricks are technically completely legal!
So, it's privacy laws all 'round.
Just as soon as they settle on something everyone can agr—ohhhh shit, we're fucked.