The regulations generally have required businesses to respond to written requests.
While GPDR and others vary, at least with CCPA two data points are enough to get a release of data.
What's done is if general info on you has leaked (say email address / date of birth / social etc) then someone can use that to go to Apple and now request a full dump of everything they have on you.
So you can leverage one dump / leak, and now go after lots of players that have to comply with a data export request to get everything you want to know about someone.
Google / Microsoft / Apple / etc can have a surprising amount of sensitive data (every photo you have taken or that's been shared with you) and even though you've been hit by one data leak, you may not want those folks to be able to leverage that for more leaks.
The liability is usually very high if the companies DON'T release data - so the bias moves to releasing data (there are folks who go around putting requests in and complaining if the data dump is not easy to get).
