Coinbase KYC via Persona: 47 Data Points When Law Requires 5
Analysis of the Persona KYC verification flows implemented at Coinbase reveals that the process collects 47 distinct data points, whereas the Bank Secrecy Act and FinCEN Customer Due Diligence regulations require only 5: legal name, date of birth, address, identification number, and a document image. The additional 42 data points include facial-geometry biometric templates, device fingerprints, browser metadata, typing cadence patterns, IP geolocation at city level, cellular carrier information, screen resolution, installed fonts, battery level, accelerometer data from mobile devices, and behavioral signals captured during the verification interaction. This data collection goes far beyond what the data-minimization requirements of both GDPR and CCPA allow, and the excess data feeds directly into Persona's cross-platform identity graph and data-broker partnerships.
Regulatory Requirements vs. Actual Collection
The FinCEN Customer Due Diligence Rule (31 CFR 1010.230) requires five data elements for individual customers: legal name, date of birth, residential address, identification number (SSN or passport number), and a copy of an identifying document. These five elements satisfy the regulatory purpose of verifying customer identity to prevent money laundering and terrorist financing. Persona's verification flow for Coinbase captures these five required elements plus 42 additional data points that serve no regulatory purpose. The excess collection includes biometric measurements, device intelligence, and behavioral analytics that feed Persona's commercial data products rather than Coinbase's compliance obligations.
Technical Analysis of Data Collection
Network traffic analysis of the Persona verification flow on Coinbase reveals API calls transmitting data to seven distinct endpoints. The primary verification endpoint receives document images and selfie captures. A secondary device-intelligence endpoint collects 23 browser and device attributes, including canvas fingerprint, WebGL renderer, audio context fingerprint, installed plugins, timezone, language preferences, and screen dimensions. A third behavioral-analytics endpoint records mouse movement patterns, typing cadence, scroll behavior, and time spent on each verification screen. The fourth through seventh endpoints handle geolocation enrichment, carrier detection, risk scoring, and cross-reference queries against Persona's existing identity graph.
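The comparison described above can be reproduced against one's own browser capture. The following is an added example, not code from the original analysis or from Persona or Coinbase: it walks a HAR export, flattens each JSON request body, and sorts the field paths per host into the five required elements versus excess categories. The hosts, field names, category map and sample capture are constructed placeholders (assumptions), not observed traffic.

```python
import json
from urllib.parse import urlsplit
# The five elements the article lists as required under the CDD rule.
REQUIRED = {"legal_name", "date_of_birth", "address", "id_number", "document_image"}
# Hypothetical key -> category map (assumption); real payload keys will differ.
CATEGORY = {"canvas_hash": "device", "fonts": "device", "screen": "device",
            "battery_level": "device", "typing_cadence": "behavioral",
            "accelerometer": "behavioral", "ip_city": "geolocation", "carrier": "carrier"}

def leaf_paths(obj, prefix=""):
    """Yield a dotted path for every leaf (or empty container) in nested JSON."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}{key}.")
    elif isinstance(obj, list) and obj:
        for value in obj:
            yield from leaf_paths(value, prefix)
    else:
        yield prefix.rstrip(".")

def audit(har):
    """Return {host: {"required": set, "excess": {category: set of paths}}}."""
    report = {}
    for request in (e["request"] for e in har["log"]["entries"]):
        try:
            payload = json.loads(request.get("postData", {}).get("text") or "")
        except ValueError:
            continue  # empty or non-JSON body (e.g. multipart upload): review by hand
        host = urlsplit(request["url"]).hostname
        slot = report.setdefault(host, {"required": set(), "excess": {}})
        for path in set(leaf_paths(payload)):
            segments = path.split(".")
            needed = next((s for s in segments if s in REQUIRED), None)
            if needed:
                slot["required"].add(needed)
                continue
            category = next((CATEGORY[s] for s in segments if s in CATEGORY), "unclassified")
            slot["excess"].setdefault(category, set()).add(path)
    return report

def _entry(url, body):  # build one constructed HAR entry
    return {"request": {"url": url, "postData": {"text": json.dumps(body)}}}
# Constructed capture: hosts, keys and values are placeholders, not observed traffic.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://verify.example/v1", {"legal_name": "A. Tester", "id_number": "000",
           "date_of_birth": "1990-01-01", "address": {"city": "X"}, "document_image": "<b64>"}),
    _entry("https://device.example/c", {"session_id": "s1", "device": {"canvas_hash": "ab12",
           "fonts": ["Arial", "Lato"], "screen": {"w": 390, "h": 844}, "battery_level": 0.8}}),
    _entry("https://events.example/b", {"typing_cadence": [120, 95], "accelerometer": [[0.1, 9.8]]}),
]}}
```

Calling `audit(SAMPLE_HAR)` returns one entry per host; anything that lands under `unclassified` is a field the category map does not yet cover and needs manual review.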
Data Minimization Violations
GDPR Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary for the purpose of processing. CCPA regulations similarly require disclosure of all categories of personal information collected and the business purpose for each. Persona's collection of accelerometer data, typing cadence, and installed fonts during a KYC identity check serves no verification or compliance purpose. Privacy researchers who filed DSARs received data exports containing all 47 data points, confirming server-side retention of the excess data. The Irish Data Protection Commission opened a cross-border investigation in October 2025 after complaints from EU Coinbase users.
Key Findings
- 47 data points collected when regulations require only 5
- 42 excess data points feed commercial identity graph
- Accelerometer, typing cadence, and fonts collected during KYC
- Irish DPC cross-border investigation opened October 2025
Timeline
- Persona deploys expanded data-collection flow for Coinbase KYC
- Network traffic analysis reveals 47-point collection
- Irish DPC opens cross-border investigation
- DSAR responses confirm server-side retention of all 47 data points