I also have an Internet birthday that is different from my real birthday. This results in lots of good wishes on 1 January from people who don't know me well enough to spot the discrepancy
It would be unusual for a law to say that a company must know your birthday, especially as birthdays get used in identity theft and are therefore confidential information. Usually, it goes like this:
- The law says that companies must take reasonable steps to avoid use of certain services by minors
- The company decides (and may well be right) that asking for date of birth provides reasonable confidence of age
"You must tell us your date of birth" is therefore short-hand for "We are required to get evidence of your age, and that's what
we've chosen". Arguments that DoB does not provide very strong evidence (which it doesn't), or that it's an invasion of privacy, will fall on deaf ears. But it remains untrue that the law requires them to ask DoB, because the law establishes a principle of a need to make reasonable checks, and leaves it to individual companies to work out what those should be.
In practice, of course, they might just as well ask "Are you over 18", since that would provide evidence nearly as strong. The only additional evidence provided by asking DoB is that the subject is able to do maths well enough to invent a date that actually is more than 18 years ago.
Strictly, if they tell you that the DoB is for a security check, and then additionally use it for other reasons, such as to target you with age-appropriate products or even send you birthday wishes, that's a breach of GDPR, which requires them to declare the reasons for which they will use the information, and then limit themselves to those.