by joewadcan 1226 days ago
Worrying, yes, but I think it's required. KYC laws in the US mandate a 5-year retention AFTER the account is closed:

https://bsaaml.ffiec.gov/manual/Appendices/17 > A bank must retain the identifying information about a customer for a period of five years after the date the account is closed, or in the case of credit card accounts, five years after the account becomes closed or dormant.


I have a Coinbase account and when they asked for ID they referenced the KYC regulations as the reason.

https://www.investopedia.com/terms/k/knowyourclient.asp

KYC, as well as account recovery. If you ask someone to provide photo ID or a verification photo to remove a 2FA token, for example, having a previously supplied photo of the same ID helps a lot.
How do those US KYC laws interact with EU's GDPR?
The GDPR right to erasure doesn't apply when there is a legal obligation to keep the data.

> The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted and organisations do have an obligation to do so, except in the following cases:

...

> there is a legal obligation to keep that data;

https://commission.europa.eu/law/law-topic/data-protection/r...

GDPR only says not to collect more data than needed and then not to keep it longer than needed. If you have a legal obligation to collect specific data and to keep it for a specific duration, the GDPR is fine with that.

There are similar KYC regulations and data retention laws in Europe.

For a US-based company? American laws win every time.
Not how it works at all: they're serving EU customers, which is what matters to GDPR. Apparently the two aren't in conflict, as some other comments pointed out, but it has nothing to do with Coinbase being an American company.
GDPR has exceptions for mandatory retention due to financial regulations