It doesn't even have to be a third party. Failed ICOs could very easily choose to make money off the data they own because they really have nothing else to lose at that point. They're probably even likelier to turn rogue than specialized third parties, because those usually have to employ special protocols.

I'd say there are certain cases where KYC can't be helped, but I'd never comply with in on ICOs.