Tell HN: Coinbase keeps photos of your ID indefinitely

35 points by shortcake27 ↗ HN
I verified my identity with Coinbase in 2017. I recently submitted a privacy access request and Coinbase sent me back unredacted photos of my ID, as well as previous addresses and phone numbers I no longer possess.

I’m not sure if this is due to regulation, I’ve worked with ID verification and sensitive data was redacted after 30 days. Indefinite retention seems pretty dangerous. There have been quite a few reports of Coinbase account takeovers, so this provides a vector for bad actors to gain full copies of your ID. Not to mention the data being leaked if Coinbase itself is hacked.

18 comments

[ 3.0 ms ] story [ 51.5 ms ] thread
Worrying yes, but i think it's required. KYC laws in the US mandate a 5 year retention AFTER the account is closed:

https://bsaaml.ffiec.gov/manual/Appendices/17 > A bank must retain the identifying information about a customer for a period of five years after the date the account is closed, or in the case of credit card accounts, five years after the account becomes closed or dormant.

How do those US KYC laws interact with EU's GDPR?
For a US based company? American laws win every time.
(comment deleted)
Not how it works at all - they're serving EU customers which is what matters to GDPR. Apparently the two aren't in conflict like some other comments pointed out, but it has nothing to do with Coinbase being an American company.
GDPR has exceptions for mandatory retention due to financial regulations
GDPR only say not to collect more data than needed and then not to keep them longer than needed. If you have a legal obligation to collect specific data and to keep them for a specific duration the GDPR are fine with that.

There are similar KYC regulations and data retention laws in Europe.

The GDPR right to erasure doesn't apply when there is a legal obligation to keep the data.

> The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted and organisations do have an obligation to do so, except in the following cases:

...

> there is a legal obligation to keep that data;

https://commission.europa.eu/law/law-topic/data-protection/r...

KYC as well as account recovery. If you ask someone to provide photo ID or a verification photo to remove a 2FA token for example, having a previously supplied photo of the same ID helps a lot.
May be a SOX requirement that requires auditable data be held for at least 7 years. I'd try again next year to truly check if it's "indefinite"
In the UK, the "Know Your Customer" regulations state that organisations need to keep records for five years.

https://www.gov.uk/guidance/money-laundering-regulations-you...

I assume most civilised jurisdictions have similar requirements.

Five years after the relationship has ended. So for instance here that would be 5 years from the day you close your Coinbase account.

In the UK the limit to sue someone in the vast majority of cases is 6 years, so I would keep anything I could need to counter a civil suit or to sue for 6 years after the fact in any case. I expect it's similar in other countries.

This is unfortunate. I tried to revive my Coinbase account this week after a few years. Submitted my ids and all again.

Have a new number, so had to update 2FA. It gave me one try to update my 2FA, but the message never arrived, and now I am locked out again.

i think you mean "KYC laws"