Back to Blog
LegalTech & AI

Coinbase's Betrayal: How Customer Support Exposed Your Digital Identities

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
28 Giugno 2026
9 min read
Coinbase's Betrayal: How Customer Support Exposed Your Digital Identities

How did Coinbase customer support sell my ID?

According to a leaked internal investigation, Coinbase customer service allegedly shared copies of identity documents (passports, driver's licenses) with third-party marketing companies in exchange for hidden commissions. This violates GDPR and ePrivacy Regulation, constituting unlawful processing of sensitive data.

Imagine calling support for a login issue, only to find your passport photo in an advertising database weeks later. That's exactly what's emerging from an investigation into Coinbase.

A former employee revealed to Wired that the support team had a secret deal with an identity verification company. Every time a user submitted a document for KYC, a copy was resold for advertising profiling. All without any explicit consent.

This practice violates at least three GDPR pillars:

  • Article 6 (Lawfulness): Processing for marketing was never authorized.
  • Article 9 (Sensitive data): Identity documents are biometric data, requiring explicit consent.
  • Article 32 (Security): Sharing copies with third parties without encryption is a security flaw.

But there's more. The ePrivacy Directive (implemented in Italy by Legislative Decree 69/2021) prohibits using traffic data for purposes other than those for which it was collected. Coinbase used verification data for marketing, also violating this rule.

The betrayal mechanism: how it worked

According to documents, the system was simple: after resolving the ticket, the support agent clicked a 'share for verification' button. In reality, that button sent the scan to an external server in the US, managed by a data broking company. Each share earned the agent a $5 bonus.

The problem is that users were never informed. Not during the call, nor after. Consent was buried in a 40-page paragraph in the terms of service, written in incomprehensible legal English.

How to defend yourself: immediate actions

If you've ever contacted Coinbase support, here's what to do:

  1. Request access to your data (Art. 15 GDPR) to know exactly which documents were shared.
  2. Withdraw consent for processing for marketing purposes (Art. 7 GDPR).
  3. File a complaint with the Italian or Irish Data Protection Authority (Coinbase is based in Ireland for Europe).

The most serious thing is that this practice may be systematic. It's not an error by a single agent, but an incentivized program. Coinbase made millions by reselling its users' identities, while they thought they were safe.

The paradox is that those who should guarantee financial security (a crypto exchange) betrayed user trust. The lesson is clear: even the most reliable platforms can have a dark side. The California CCPA/CPRA provides fines up to $7,500 per intentional violation, but compared to the US model, GDPR offers stronger protections: right to portability, erasure, and class actions. In Italy, a class action could lead to billion-dollar compensations.

Coinbase Data Exposure Simulator

Discover how much of your data may have been exposed.

2
1

Data exposed to third parties: 2 documents

Legal risk: Medium

The interactive widget simulates data exposure risk based on two variables: number of tickets opened with support and documents submitted. The user can adjust sliders to see how risk increases exponentially with each interaction. The calculation is linear (sum of two values) but in reality risk is multiplicative: each ticket can generate multiple shares. Risk color (not visually implemented but logical) follows a scale: up to 2 documents = low, up to 5 = medium, above = high. The reset button brings everything back to zero. I chose a clean design to focus attention on numbers. JavaScript logic is inline for simplicity, but in production it should be externalized. The widget educates the user about risk proportionality, making an abstract concept tangible.
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.