Do I need to disclose Coinbase in my privacy policy?

Yes. If your website collects data through Coinbase or directs users to Coinbase for transactions, you must disclose this in your privacy policy. Coinbase processes sensitive financial and identity data subject to FinCEN BSA/AML regulations and state money transmitter laws, making disclosure legally required under most privacy frameworks.

What specific data does Coinbase collect?

Coinbase collects wallet addresses and balances, complete transaction history and trade data, Know-Your-Customer (KYC) identity documents including government-issued IDs, and bank account information for deposits and withdrawals. While cryptocurrency transactions are pseudonymous, they remain linkable to verified user identities through KYC requirements.

Does Coinbase require a cookie consent banner?

No cookie implementation is documented for Coinbase integration. However, Coinbase's own website uses analytics and functionality cookies. If embedding Coinbase services, review your site's cookie usage separately and consult Coinbase's current privacy documentation at https://www.coinbase.com/legal/privacy for any updates.

Who processes Coinbase data and where is it stored?

Coinbase Inc., a United States-based company, acts as the data processor. Data is transferred to and processed within the United States. Users should be aware that U.S. data transfers may lack equivalency determinations under GDPR, and transfers to the U.S. require appropriate legal mechanisms such as Standard Contractual Clauses.

Fintech

Privacy policy clauses for Coinbase

Coinbase is a cryptocurrency exchange and wallet platform that enables users to buy, sell, and store digital assets. Websites integrate Coinbase for payment processing, asset management features, or to facilitate cryptocurrency transactions on behalf of users.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Coinbase collects

Your privacy policy must disclose each of the following data types when you use Coinbase.

Wallet addresses and balances

Transaction history and trade data

KYC identity documents

Bank account information for deposits/withdrawals

When does Coinbase trigger privacy obligations?

Data Flows That Trigger Obligations

Adding Coinbase to your product initiates collection of financial and identity data immediately upon user signup or wallet connection. Users submit KYC documents (government IDs, proof of address), bank account details, and cryptocurrency wallet addresses—all linked to real identities. Transaction history and trade data flow to Coinbase servers in the United States.

Regulatory Triggers

FinCEN/BSA/AML: If you integrate Coinbase payments or enable cryptocurrency transactions through your platform, you may be facilitating money transmission. FinCEN guidance (2019) treats custodial wallet providers as money services businesses (MSBs). If your SaaS product acts as an intermediary or custodian, you likely trigger BSA/AML obligations including customer identification programs (CIP) and suspicious activity reporting (SAR)—not just Coinbase's.

Common compliance pitfalls

Pitfall 1: Omitting Coinbase from Privacy Disclosures

The mistake: Founders add Coinbase payment rails or wallet integration but don't update the privacy policy to name Coinbase or disclose that KYC identity documents are collected. The policy might say "we work with payment processors" generically.

Why it happens: Coinbase is treated as a backend service; founders assume it's "internal" rather than a third-party processor. Or they delay policy updates until launch.

Consequence: Non-compliance with GDPR Article 13 (information to be provided) and CCPA Section 1798.100 (disclosure of third parties). EU/California regulators flag this immediately in audits. Users cannot exercise data subject rights (GDPR Articles 15–22) if they don't know Coinbase holds their data. Fines up to €20M or 4% annual revenue (GDPR) or $7,500/violation (CCPA).

Pitfall 2: Missing Data Processing Agreement (DPA)

The mistake: Integrating Coinbase without executing a data processing agreement or addendum. Founders assume Coinbase's standard terms cover GDPR/CCPA processor obligations.

Why it happens: Coinbase's terms of service are written for end users, not for B2B data processors. Many founders don't realize they are a "data controller" and Coinbase is a "processor" under GDPR Article 28.

Consequence: GDPR Article 28 requires a written contract governing data processing, including Coinbase's obligations to assist with data subject requests, implement security measures, and notify of breaches. Without a DPA, you have no contractual basis to enforce these obligations. Regulators treat absence of a DPA as a critical breach of controller obligations. Fines and corrective orders typically follow.

Pitfall 3: Failing to Account for Cross-Border Data Transfer & Money Transmitter Licensing

The mistake: Integrating Coinbase (US-based processor) without understanding that user KYC data flows to the US, or launching in jurisdictions where you require money transmitter licensure.

Why it happens: Founders focus on product velocity and assume Coinbase handles compliance. Or they launch in multiple states/countries without auditing licensing requirements per jurisdiction.

Consequence: GDPR Chapter V (International Data Transfers) requires adequacy decisions or Standard Contractual Clauses (SCCs) when personal data goes to the US. Post-Schrems II (2020), SCCs alone are insufficient; you must assess US surveillance law risks and implement supplementary measures. Operating as an unlicensed money transmitter triggers state enforcement (cease-and-desist orders, fines up to $10k/day in some states). Money Transmitter Licensing requires 6–12 months and surety bonds ($250k–$2M depending on state).

What regulators look for

DPA/GDPR Audit Priorities

EU data protection authorities (especially UK ICO, Dutch DPA) and California AG focus on:

1. Transparency & Disclosure (GDPR Article 13, CCPA 1798.100): Does the privacy policy name Coinbase and disclose that KYC documents, wallet addresses, and transaction histories are collected? Auditors request screenshots of disclosure language.

2. Data Processing Agreement (GDPR Article 28): Is there a signed DPA with Coinbase? Regulators request the contract itself. Absence = immediate finding.

3. Data Subject Rights (GDPR Articles 15–22, CCPA 1798.100–1798.120): Can you provide data access or deletion requests to Coinbase and retrieve compliant responses within 30–45 days? Regulators test by submitting test deletion requests and measuring your capability to service them. Coinbase's response time directly impacts your compliance.

4. International Data Transfer (GDPR Chapter V, Schrems II): For EU users, do you have Standard Contractual Clauses (SCCs) with Coinbase? Have you documented a Transfer Impact Assessment (TIA) addressing US surveillance law risks (Executive Order 12333, NSA programs)? Post-Schrems II (CJEU, 2020), SCCs are a floor, not a ceiling.

FinCEN/State Money Transmitter Audits

FinCEN and state financial regulators (e.g., NY DFS, CA Department of Financial Protection) examine:

–Whether your integration creates a custodial relationship (you hold or control user assets/keys). If yes, you likely require MSB registration and BSA/AML compliance.
–Customer Identification Program (CIP): Can you prove CIP is in place? Coinbase may perform KYC, but you may retain compliance responsibility as the direct service provider to end users.
–Suspicious Activity Reporting (SAR): Do you have procedures to detect and report suspicious transactions to FinCEN? Failure to file SARs is a federal crime.

Enforcement Pattern

Recent enforcement (Ripple Labs, 2023; Kraken, 2021) shows regulators pursue unregistered money transmission vigorously. Initial enforcement vectors: state cease-and-desist orders, followed by federal BSA/AML civil money penalties ($100k–$500k+).