At the very least, under the loosest possible interpretation of GDPR they need a SPECIFIC checkbox for " I accept and agree Facebook may share my PII with third parties", which can not be mandatory AND they need to have specific agreements with third parties on how those third parties are supposed to store the data, what they are allowed to do with it, when they have to delete it and who gets access to the data. (The third party has to be GDPR compliant to begin with for it to be legal for Facebook to share data with them)
Biting the hand that feeds IT
