Any tech site that provides private user data via an API needs to make sure that data is guarded like it was their own site, as if their own employees were accessing the data.
Maybe what's needed is a PCI-compliance standard or a HIPAA-act for general user data?
GDPR is coming. In my opinion it has flaws and I'm personally not a fan (big corps will have resources to comply and small ones will find it to be a barrier to entry), but if you want regulations this is as strict as it gets.
As a startup founder, GDPR is an enormous pain in my butt. As a human, I think it's terrific.
A lot of the adoption pain reveals just how much we built businesses that couldn't care less about what individuals would like done with their data over time. If GDPR had been alive early in the web, I think we'd see different and more human business models, and technology to support them.
That seems like the only way out of this mess. Reading this, there's not a good reason to not sell user data to interested third parties if the only consequences are getting your app removed and your account suspended.