Let's look at it from both sides.
I've heard that because of new regulations KYC is possibly also required for airdrops. If that's true then there's little choice but to comply if you acknowledge those regulations.
On the other side, some companies in charge of the KYC process have strange terms and conditions that allow them to use your information for both their own purposes as well as the purposes of their clients, in this case the team behind the airdrop.
Jumio makes the Services available to third parties for integration into those third parties websites, applications, and online services. Jumio collects, uses, and discloses individual users information only as directed by these third parties and, accordingly, Jumio is a mere processor of user information with respect to the Services and not a controller. Further, some features of the Services may be disabled or altered by the data controller, or the controller may require Jumio to collect, use, disclose, or otherwise process data in ways that differ from those described below. Thus, to fully understand how your information will be handled when you use the Services, you must review not just this Policy, but also the privacy policy of the third party with whom you are dealing directly (the Third-Party Data Controller).
Notwithstanding the above, Jumio may process certain individual users information in pseudonymized or anonymized form for its own purposes, thereby acting as a controller in this limited regard.
That's not harmless boilerplate legalese. Turns out those clients may instruct the KYC processor to hand over the personal documents - and in case of Bittrex, transmit them over plain text, unencrypted e-mail.
https://cointelegraph.com/news/bittrex-leaks-user-passports-in-support-emails-says-russian-telegram-channelGoing one step further I wouldn't put it past bad actors to abuse the mandatory KYC regulation to harvest passports for identity theft.