The New York Times reports that Facebook has "data sharing partnerships" with "at least sixty device makers". That Facebook formed these partnerships in apparent violation of its own 2011 consent agreement with the FTC is also no surprise.
The simple fact is that Facebook is in the personal data farming business. Finding a zillion ways to use personal data is a design feature of Facebook's service infrastructure, and as unsurprising as finding out that there are a zillion ways to use wheat or corn.
This is why contractual limits on data use by Facebook and its partners won't exclude countless other first, second and third-order uses—especially when the appetite for personal data is flat-out boundless in the direct marketing industry that advertising has become in our digital age.
The GDPR didn't happen in a vacuum. Bad acting with personal data in the adtech business (the one that aims advertising with personal data) is the norm, not the exception. Promises by perpetrators of that business to respect personal privacy don't just ring hollow. They scream absolute disrespect straight at your eyeballs every time they interrupt your "experience" (as the marketers like to call it) and require "consent" to being tracked by them and the posse of spies that are invited to invade and set up house your browser every time you visit.
This is why the real fight here is not just for privacy. It's for human agency: the power to act with full effect in the world. The only way we get full agency is by operating as first parties at scale across all the entities we deal with online.
For that we need standard ways to signal what's okay and what's not okay, and to reach agreements on our terms, as first parties. It is as second parties that we click "accept" dozens of times every day, acquiring cookies with every one of those clicks, each recording certifications of acquiescence rather than of consent.
With full personal agency, the whole consent system goes the other way, at scale.