The issue would be, that the website developers / their management contributes to the issue, by enabling partier to do that spying. If no data was send to another party, then spying on that data is much harder and probably unattractive for most use-cases. GA data becomes valuable through collecting from many many senders.
While the people doing the spying are already doing something ethically very questionable, the person deciding what data is collected on a webservice can still make the decision to contribute to the problem, or be vigilant about data protection.
