GDPR, CCPA and BIPA: KYC Data Privacy in 2026
KYC collects exactly the data privacy laws care most about. Here's how to be compliant on both sides at once.
KYC programs collect government IDs, biometrics, addresses and financial data — the exact categories privacy laws regulate most strictly. GDPR, CCPA/CPRA, BIPA, India's DPDP Act and a growing list of US state laws all create binding obligations that AML compliance alone does not satisfy.
This guide explains how to design a KYC program that satisfies both your AML regulator and your privacy regulator simultaneously.
Lawful Basis for Processing KYC Data
Under GDPR you need a lawful basis. For KYC the strongest basis is 'legal obligation' (Article 6(1)(c)) — you must collect this data to comply with AML law. For biometrics, you additionally need an Article 9 exception, typically 'reasons of substantial public interest'.
Data Minimization in KYC
Collect only what regulation requires. Don't keep raw selfie videos when an embedding suffices. Don't retain full ID images after verification if extracted data is enough for your obligations. Minimization is both a privacy and security win.
Retention and Deletion
AML rules require five-year retention. Privacy law requires deletion when no longer needed. Reconcile by retaining only what AML mandates, deleting the rest at the end of the regulatory period, and documenting the retention schedule.
DSARs and the Right to Erasure
Customers can request access, rectification and deletion. KYC data is generally exempt from erasure during the AML retention period, but you must still respond to the request, explain the legal basis and delete on schedule.
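The retention-reconciliation and DSAR handling described in the two sections above, as an added example that is not part of the original page: a small policy engine that computes each data category's scheduled deletion date from the page's 5-year-after-relationship-end AML period, and answers an erasure request either by erasing or by refusing with the legal basis and the scheduled deletion date. The category table (which items the AML duty actually requires you to keep) is a constructed assumption to be confirmed against your own regulator's rules.

```python
# Added example: reconcile AML retention with privacy-law erasure duties.
# Assumes the page's 5-year AML retention counted from relationship end.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AML_RETENTION = timedelta(days=5 * 365)  # approximation; confirm the exact rule locally

# Constructed policy table: category -> (lawful basis, retention anchor)
#   "aml_end"    keep until relationship end + AML_RETENTION (legal obligation)
#   "verified"   delete as soon as verification completes (data minimization)
#   "rel_end"    keep only while the relationship is active (published schedule)
#   "on_request" no retention duty; erasable whenever the data subject asks
POLICY = {
    "id_extract":      ("legal_obligation", "aml_end"),
    "id_image":        ("legal_obligation", "verified"),
    "selfie_video":    ("consent_biometric", "verified"),
    "face_embedding":  ("consent_biometric", "rel_end"),
    "marketing_prefs": ("consent", "on_request"),
}

@dataclass(frozen=True)
class Decision:
    erase_now: bool
    basis: str
    delete_on: Optional[date]  # scheduled deletion date; None if clock not started
    reason: str

def scheduled_deletion(category: str, verified_on: date,
                       relationship_end: Optional[date]) -> Optional[date]:
    """Date the record must be deleted under the documented retention schedule."""
    _, anchor = POLICY[category]
    if anchor == "verified":
        return verified_on
    if anchor == "on_request" or relationship_end is None:
        return None  # no fixed date, or the relationship is still active
    if anchor == "rel_end":
        return relationship_end
    return relationship_end + AML_RETENTION

def handle_erasure_request(category: str, today: date, verified_on: date,
                           relationship_end: Optional[date]) -> Decision:
    """Answer a DSAR erasure request: erase, or refuse citing the AML basis and
    the date the record will be deleted on schedule."""
    basis, _ = POLICY[category]
    due = scheduled_deletion(category, verified_on, relationship_end)
    if basis != "legal_obligation" or (due is not None and due <= today):
        return Decision(True, basis, today, "no AML retention duty applies; erased")
    return Decision(False, basis, due,
                    "exempt from erasure during AML retention period; deleted on schedule")
```

Every refusal carries the basis and the scheduled date, which is what the response to the customer and your audit record both need.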
BIPA: The Biggest US Biometric Risk
Illinois BIPA requires written, informed consent before collecting biometric identifiers. Penalties are $1,000–$5,000 per violation with a private right of action. Settlements have reached hundreds of millions of dollars. Get explicit consent, publish a retention schedule and delete embeddings on schedule.
International Transfers
If your KYC vendor processes EU data outside the EEA, you need an adequacy decision, Standard Contractual Clauses plus a Transfer Impact Assessment, or Binding Corporate Rules. Document the chosen mechanism in your vendor file.
Key Takeaways
- Legal-obligation basis covers KYC; biometrics needs an Article 9 exception.
- Minimize aggressively — retain embeddings, not raw videos.
- Reconcile 5-year AML retention with privacy-law deletion duties.
- BIPA is the highest-dollar US privacy risk — get explicit consent.
Frequently Asked Questions
Do I need consent to run KYC under GDPR?
Generally no — legal obligation is a stronger basis than consent for AML-driven KYC. Consent is needed for ancillary uses like marketing.
How long should I keep KYC records?
Five years after the end of the customer relationship is the standard AML retention period in most jurisdictions.
Does CCPA apply to KYC data?
Yes, but the AML legal-obligation carve-out limits deletion rights during the retention period.
Privacy-safe KYC, by design.
We run GDPR-, CCPA- and BIPA-compliant KYC with documented lawful basis, minimized retention and full DSAR support.