If you give your ID to a 3rd party company in the US, it's impossible to know if they will delete you ID or whether you'll be added secretly to a facial recognition system.

The US is allowed to issue secret orders to companies demanding they do things in the interest of "security." They can also issue gag orders forcing companies to not talk about the secret orders. Therefore, any US company may be secretly forced to violate it's supposed terms. A company that collects biometric information seems like it would be especially likely to be targeted.

Facebook, Instagram, and other social media such as Linked In are likely the largest source of law enforcement information being fed to facial recognition systems. Given the dystopian "ideals" of some politicians, I consider it a risk and wouldn't do it. Your country may not be sharing that information with the US already.

Additionally, some of these companies have become the main way people get employed, rent things, or buy things. Because these companies serve a public function but are officially private, they can de-platform people for any reason, with no meaningful appeal, creating havoc and misery for an affected person. If you have been flagged to be banned, by giving them your ID, you will let them ban you based on a government document forever. Their system may have flagged you for verification, but it could have also flagged you to be banned forever based on TOS violations.

If you abandon your account, you can always create a new account, then later claim a hacker got you or your forgot your email password. If you provide an ID, you may be linking a government record to biometric information to something they can ban.

A company may also be claiming that they get rid of an ID but still keep a hash of some combination of biometric information.

In theory, anyone in Facebook in California should be able to submit a CCPA request to delete all information, including ban information, and then go on Facebook again, even after a lifetime ban. Anyone in the EU should be able to do this too through GDPR. But this doesn't happen, because Facebook lies and is also just a rebranding of Lifelog.

Would you prefer that anyone be able to request that any non-verified account be deleted?

I'd bet their security system saw you log in from a new IP, maybe even over VPN(?), then change the email and add 2fa, which are exactly the steps a malicious actor takes when securing an account acquired using credential stuffing. They presumably expect that your account has been compromised and are treating you as untrusted until you provide some form of validation that you are who you say you are.

I suspect that if you were to seek legal action against them they would claim that you refused to take basic actions to positively prove your identity and throw out some statistics, ie (making this up) 98% of users are able to verify using their system without any issues.

If you do seek to bring them to court under article 77, would you not then be putting into the public record a permanent association between your real identity and the account you seek to delete? Is that better than simply sending them a picture of your ID? With this in mind, is it worth the cost of legal representation to resolve the issue? I'm not sure where you're from and you don't need to answer me but I would encourage you to consider those questions when determining your path forward.

Following. I'm working to get all my old accounts moved away from my gmail account so I'm guessing I'd run into this too.

LinkedIn was doing this to me, too. But then I randomly was able to log on again. I wasn't able to for months and thought it was ridiculous that they were asking for my ID.

You can try logging in on an IP address you previously logged in on. Then, delete your account ofc.

Send them a fake/photoshopped ID. I did that with Facebook when they pulled that shit to try and stop me from deleting my account by locking it.