The last time one of these "ordering services" [https://www.justeat.it] targeted me with ads (via sms), I tracked back the data, crawled the web for their mails, sent them a good list of laws, so they have been forced to reply and delete all my personal data in a timely manner.
Never seen a single ad again, I am unsure this would have worked in the US.
Please remember that the laws are only modeled on the EU directives, one have to expect a substantial compatibility, but the specific terms may change on a country basis.
One of the aims of the GDPR has been to standardize the protection, zeroing the differences.
Specifically ask the removal of any information that may lead to any form of authentication (prior or post any processing, the deanonymisation trick is not allowed).
You just need to prove they have obtained your data in violation of anyone of the provisions.
In my case "they incorporated a company, embedding the data in the datastore in such a way that they violated the term of service of the previous company, their own tos (I never subscribed to their website yet they insistently phoned and texted me) and the actual privacy law, adding to this the delete form was unmaintained and didn't work, which is another violation".
Edit: sorry for the multiple updates, I am typing from my iPhone.
