I think you might be missing the point. I'm sure gp does not doubt that you collect consent before collecting and using data. However, when presented with the choice of not giving up personal data and not using $awesome_service (or maybe even $essential_service), I’d imagine all but a very tiny percentage of people would reluctantly give up personal data. The data is then stored for three years, and if there's ever a leak, it would be hugely damaging given the scope:
> all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.
> all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.