I think the more direct approach has a good chance. They can’t update your birthday, reasonably IMO, because they would be giving you access to the data after you failed the authentication. But they wouldn’t actually be leaking any info by just deleting the account.