Coinbase · Coinbase Privacy Policy

Identity Verification and Biometric Data Collection

High severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Coinbase collects copies of your government-issued ID (passport, driver's license) and may use facial recognition technology through third-party vendors to confirm who you are.

Change history

modified Apr 19, 2026

Expanded from brief statement about facial geometry to comprehensive list including specific document types and explicit mention of third-party identity verification services using facial recognition.

View full change record →

Consumer impact (what this means for users)

Your facial biometric data and government ID scans are collected and processed by Coinbase and its third-party identity verification vendors, creating exposure to biometric privacy laws and data breach risks that cannot be remedied by simply changing account credentials.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Submit a data deletion request to privacy@coinbase.com specifying that you wish to delete your biometric and identity verification data; note that Coinbase may be required to retain certain data under AML/KYC regulatory obligations.

How other platforms handle this

PayPal Medium

You also consent to PayPal obtaining your personal and/or business credit report from a credit reporting agency at account opening and whenever we reasonably believe there may be an increased level of risk associated with your business account.

Robinhood Medium

We, and some of our service providers and third-party partners, also use technologies, including cookies and web beacons and software development kits ("SDKs"), to automatically collect certain types of usage and device information when you use our Services or interact with our emails. For example, ...

Cash App Medium

Geolocation Information. The location of your device, including your IP address and location of your network provider. This may include precise geolocation information. For more information and to learn how to disable collection of precise geolocation information from your mobile device, please see ...

See all platforms with this clause type →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Biometric and government ID data is among the most sensitive personal information — if breached or misused, it cannot be changed like a password and can enable identity fraud.

View original clause language
We collect personal information from you when you use our Services or otherwise interact with us. This includes: Identity Verification Information: government-issued identity documents (e.g., passport, driver's license), photographs, and other information needed to verify your identity in accordance with applicable law. We may use third-party identity verification services that collect and process biometric data, including facial recognition data, to verify your identity.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision implicates Illinois BIPA (740 ILCS 14/1 et seq.), which requires written consent, retention schedules, and destruction policies for biometric identifiers; Texas CUBI (Tex. Bus. & Com. Code §503.001); Washington My Health MY Data Act; GDPR Art. 9 (special category biometric data requiring explicit consent or necessity for a legal obligation); CCPA/CPRA definition of 'sensitive personal information' (Cal. Civ. Code §1798.140(ae)); and FinCEN KYC/CIP requirements (31 CFR §1020.220) mandating identity verification. Enforcement authorities include the Illinois AG, FTC, and EU national supervisory authorities. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    FTC has enforcement authority over unfair or deceptive data practices under Section 5 of the FTC Act, including inadequate disclosure of biometric data collection and third-party sharing.
    File a complaint →
  • State AG
    Illinois, Texas, and Washington state attorneys general have enforcement authority over biometric privacy laws including BIPA, CUBI, and the My Health MY Data Act.
    File a complaint →

Applicable regulations

EU AI Act
European Union
BIPA
Illinois, USA
CCPA/CPRA
California, USA
COPPA
United States Federal
CAN-SPAM
United States Federal
DMA
European Union
FCRA
United States Federal
GDPR
European Union
GLBA
United States Federal
HIPAA
United States Federal
TCPA
United States Federal
UK GDPR
United Kingdom

Provision details

Document information
Document
Coinbase Privacy Policy
Entity
Coinbase
Document last updated
March 24, 2026
Tracking information
First tracked
April 9, 2026
Last verified
April 9, 2026
Record ID
CA-P-002481
Document ID
CA-D-00048
Evidence Provenance
Source URL
https://www.coinbase.com/legal/privacy
Wayback Machine
View archived versions →
SHA-256
78a7819594fbdda870b5d87062a20d9bc35a005cd93b3d670553ddb635dc7b75
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Coinbase | Document: Coinbase Privacy Policy | Record: CA-P-002481
Captured: 2026-04-09 14:51:12 UTC | SHA-256: 78a7819594fbdda8…
URL: https://conductatlas.com/platform/coinbase/coinbase-privacy-policy/identity-verification-and-biometric-data-collection/
Accessed: April 29, 2026
Classification
Severity
High
Categories
Data collection

Other provisions in this document

Related Analysis