Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document establishes Coinbase's practices for collecting, using, and sharing personal information from users of its cryptocurrency exchange and related products. Coinbase collects government-issued identification documents, bank account details, transaction records, device identifiers, IP addresses, and biometric data, and authorizes sharing this information with identity verification vendors, analytics firms, blockchain analytics companies, payment processors, and government agencies. The policy establishes data subject rights for California residents and EU users, including mechanisms to request data access, deletion, and opt-out of certain data uses through Coinbase's privacy request portal.
This document is Coinbase's Global Privacy Policy, governing the collection, use, storage, and disclosure of personal information for users of Coinbase's cryptocurrency exchange platform and related services, with legal basis varying by jurisdiction including consent, contractual necessity, legal obligation, and legitimate interests. The policy states that Coinbase collects personal identifiers (name, email, phone, government-issued ID), financial information (bank account numbers, transaction history, crypto wallet addresses), device and usage data (IP address, browser type, operating system, cookies), biometric data for identity verification, and geolocation data; the terms authorize sharing this information with identity verification partners, payment processors, analytics providers, marketing partners, blockchain analytics firms, and government or law enforcement agencies upon legally required or permissible request. The policy authorizes sharing of transaction data with blockchain analytics companies and the use of on-chain transaction data for compliance and fraud purposes, which is operationally distinct given the immutable and publicly traceable nature of blockchain records; the agreement asserts broad discretion over how aggregated or de-identified data may be used, though applicable law in specific jurisdictions may constrain these assertions. The policy engages GDPR and UK GDPR for EU and UK users, CCPA and CPRA for California residents, and financial services data obligations under FinCEN and BSA requirements relevant to Coinbase's status as a registered money services business; SEC-related data obligations may apply depending on the specific Coinbase entity and product used. Material compliance considerations include the policy's cross-border data transfer provisions referencing Standard Contractual Clauses for EU data flows, the scope of biometric data processing which may engage Illinois BIPA and similar state-level biometric laws, and the retention periods tied to regulatory recordkeeping requirements that may extend significantly beyond account closure.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial9 important changes detected
9 versions captured · Last updated: May 2026
Coinbase updated internal section references in its Privacy Policy on April 29, 2026 by renumbering sections throughout the document. The policy previously referenced Section 7, 11, 4, and 9 for …
View change record →Coinbase's privacy policy was updated on April 19, 2026, with a minor modification to a sentence describing how the platform uses customer data to provide access to Verified Pools, a …
View change record →Coinbase modified a single sentence in their Privacy Policy on April 5, 2026, regarding the Verified Pools blockchain protocol. The change involved adding a single space character in the description …
View change record →Coinbase removed a single sentence from its privacy policy that previously provided a link to access the prior version of the policy. The updated policy no longer includes explicit language …
View change record →Coinbase removed a single sentence from its privacy policy that previously stated 'Previous Privacy Policy can be found here.' This removal eliminates the direct link or reference to accessing prior …
View change record →Coinbase modified language in its Privacy Policy on March 25, 2026. One sentence was added and one was modified, though the specific text of these changes was not provided in …
View change record →Coinbase updated its Privacy Policy on March 6, 2026, making primarily technical and formatting corrections. The changes include correcting section reference numbers throughout the policy (for example, changing references from …
View change record →Addition of explicit GDPR/UK GDPR rights provision demonstrates increased regulatory compliance transparency for EU and UK users, filling a gap that previously only mentioned California residents.
Removal of this standalone provision represents consolidation into 'Government ID and Biometric Data Collection,' removing specific examples like passport, driver's license, and tax ID that made the scope explicit.
Removal of explicit mention of advertising partners and targeted advertising, combined with downgrading severity from high to medium, suggests a de-emphasis of advertising-related data sharing in the updated policy.
Removal of this standalone provision consolidates blockchain analytics sharing into the broader third-party sharing provision, removing the explicit justifications about AML compliance and ecosystem integrity that were previously highlighted.
Removal of California-specific CCPA provision represented by revised 'California Resident Rights (CCPA/CPRA)' with updated language that adds CPRA requirements, so this is a substantial revision rather than true removal.
Complete removal of children's data and COPPA compliance provision suggests either a policy change regarding child user handling or consolidation into general terms of service.
Current version consolidates biometric and KYC data collection into a single provision and changes language from 'may collect' to 'collect,' emphasizing active collection of government-issued ID alongside biometric data.
Text is substantively identical; provision name simplified from 'Law Enforcement Disclosure Without User Notification' to 'Law Enforcement and Government Disclosure' to be more concise.
Current version consolidates three separate sharing provisions into one, removes specific mention of advertising partners and targeted advertising, downgraded from high to medium severity, and removes detailed justifications about AML and ecosystem integrity.
Current version replaces specific reference to post-closure retention for AML/financial reporting with a more general multi-factor retention assessment framework, and text appears truncated in the current version.
Current version explicitly mentions third-party service providers and tracking technologies like web beacons, removes reference to 'referring URLs' and 'usage patterns/interactions,' and adds 'pages visited' and 'browsing activity.'
Monitoring
Coinbase has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Automated Decision-Making and Profiling and similar clauses.
Compare across platforms →Coinbase's User Agreement includes a mandatory arbitration clause that most users may not have reviewed. Here is what the clause states and…
Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.