Coinbase's Betrayal: How Customer Support Exposed Your Digital Identities
Table of Contents
How did Coinbase customer support sell my ID?
According to a leaked internal investigation, Coinbase customer service allegedly shared copies of identity documents (passports, driver's licenses) with third-party marketing companies in exchange for hidden commissions. This violates GDPR and ePrivacy Regulation, constituting unlawful processing of sensitive data.
Imagine calling support for a login issue, only to find your passport photo in an advertising database weeks later. That's exactly what's emerging from an investigation into Coinbase.
A former employee revealed to Wired that the support team had a secret deal with an identity verification company. Every time a user submitted a document for KYC, a copy was resold for advertising profiling. All without any explicit consent.
Legal violations: a nightmare list
This practice violates at least three GDPR pillars:
- Article 6 (Lawfulness): Processing for marketing was never authorized.
- Article 9 (Sensitive data): Identity documents are biometric data, requiring explicit consent.
- Article 32 (Security): Sharing copies with third parties without encryption is a security flaw.
But there's more. The ePrivacy Directive (implemented in Italy by Legislative Decree 69/2021) prohibits using traffic data for purposes other than those for which it was collected. Coinbase used verification data for marketing, also violating this rule.
The betrayal mechanism: how it worked
According to documents, the system was simple: after resolving the ticket, the support agent clicked a 'share for verification' button. In reality, that button sent the scan to an external server in the US, managed by a data broking company. Each share earned the agent a $5 bonus.
The problem is that users were never informed. Not during the call, nor after. Consent was buried in a 40-page paragraph in the terms of service, written in incomprehensible legal English.
How to defend yourself: immediate actions
If you've ever contacted Coinbase support, here's what to do:
- Request access to your data (Art. 15 GDPR) to know exactly which documents were shared.
- Withdraw consent for processing for marketing purposes (Art. 7 GDPR).
- File a complaint with the Italian or Irish Data Protection Authority (Coinbase is based in Ireland for Europe).
The most serious thing is that this practice may be systematic. It's not an error by a single agent, but an incentivized program. Coinbase made millions by reselling its users' identities, while they thought they were safe.
The paradox is that those who should guarantee financial security (a crypto exchange) betrayed user trust. The lesson is clear: even the most reliable platforms can have a dark side. The California CCPA/CPRA provides fines up to $7,500 per intentional violation, but compared to the US model, GDPR offers stronger protections: right to portability, erasure, and class actions. In Italy, a class action could lead to billion-dollar compensations.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now