[rcxdude]

Some of GDPR's language around consent for data processing (which, I will note, you only need if you don't have a legitimate and expected purpose for storing and processing it!) has implications for friction: many 'cookie popups' are not compliant because they make not giving consent harder than giving consent.

But deletion requests are not so strong: if you make people really jump through hoops then you might get in some trouble, but the expencted standard is basically at 'sending an email and getting a result within 30 days'.

[jve]

Depending on the data "sending an email and getting a result within 30 days" may not be basis for approving deletion request. You have no way to identify whether the data is associated with the person (if the data is not associated with the email).

So additional validation would surely be subject to friction.