Companies can do it, but they refuse to, because noone knows what entity is really behind a specific corporation. So when a breach occurs it's basically a we handed over your information to whomever we collected it originally, but in a way that is untraceable.