Cointelegraph

When privacy and AML laws conflict: Crypto projects’ impossible choice


Crypto was originally most closely associated with anonymity, but by 2025, the crypto ecosystem has changed.

User privacy is diminishing, as new laws in jurisdictions across the globe require Know Your Customer and ID checks for wallets or exchange accounts to combat money laundering. At the same time, the growing sophistication of blockchain analysis tools means that on a public ledger every transaction leaves a transparent trail that can be traced back to its source.

As a result, onchain privacy has become a major theme. In October, the Ethereum Foundation announced the formation of its Privacy Cluster, a group of some 47 researchers, engineers and cryptographers who are working to make the base layer of Ethereum private.

This takes the form of Kohaku, a modular framework for the network that, among other functions, allows senders and receivers to hide their real wallet addresses. It claims to be compliant, but Signal, from ZK privacy solution Onflow, argued that, from a legality perspective, view keys would be considered compliance in roughly 0% of large jurisdictions.

It turns out crypto platforms face a seemingly impossible task: complying with opaque data-privacy rules designed for centralized entities, while still satisfying financial rules that demand transparency.

To better understand these complexities, Magazine spoke with Charlyn Ho, CEO of Rikka, a law and consulting firm specializing in privacy, technology transactions and cybersecurity.

This conversation has been edited for clarity and length.

Magazine: What's even legal when it comes to private crypto transactions?

Ho: It's a little bit complicated because every single jurisdiction has its own privacy laws. So, for example, let's just take Europe.

Europe has the GDPR [General Data Protection Regulation]. But in recent times, it's promulgated all these other laws that are kind of layered on top of or adjacent to GDPR. For example, it's got MiCA [Markets in Crypto-Assets Regulation], which is the crypto law, and that intersects.

Magazine: So, how do privacy laws relate to Ethereum and blockchain in general?

Ho: Well, it kind of depends because a lot of times these [privacy] laws have exceptions.

For Anti-Money Laundering and Know Your Customer, there are exceptions where people can't necessarily keep their data private. If it's being used to commit crimes, you can't say, "Because of my privacy, I'm not going to disclose my information to the regulator."

That's where some of the complexities are, like with Tornado Cash or Telegram. In some of these cases, private mechanisms or privacy-preserving protocols have kind of butted up against the regulator's ability to regulate.

Magazine: How are legal opinions and legal treatment of tools like privacy pools and zero-knowledge proofs developing?

Ho: The public discourse in the US is basically, "If you're going to be developing crypto products, then they better follow the laws. We're not going to write specific laws that change the underlying privacy laws just for crypto."

And so, we have the laws we have, and they do not have crypto in mind.

A few years ago, the European Commission had a study about blockchain. And there was some genesis or movement toward embracing self-sovereign identity as a privacy-preserving mechanism. But the ultimate conclusion of the regulator was that no matter if your intent is to preserve privacy, that doesn't obviate your requirement to comply with GDPR, for example.


So, if using a public permissionless blockchain is not going to allow you to satisfy GDPR, then you can't really build on that platform. There's not a very satisfactory response.

From a regulator's perspective, I can understand why they would not give an exemption to a particular type of technology. The laws are just the laws.

Magazine: What laws do developers need to take into consideration when developing privacy tools?

Ho: This is an unsettled area of law. What's interesting about crypto is that, because there's no central body, it's kind of like the developers are the ones that are being held liable for their users' actions.

Let's just take Facebook as an example. Facebook as a company can be sued for privacy violations because there is a Facebook to sue. You don't go after the third-party developers that Facebook has hired.

Whereas in the case of Ethereum, you can't just sue Vitalik [Buterin]; there's no central entity. So, the individual developers are kind of being held responsible for their users' actions, which is an unusual outcome in privacy law.

Under GDPR, for example, there's this concept called a controller and a processor. The controller is the entity or person that decides how the personal data is to be used. And the processor is essentially somebody that acts on behalf of that controller.

For example, Google would provide software, like G Suite, to a company, let's say it's Cointelegraph. Cointelegraph decides how they're going to use that information, and Google is just providing a tool. So, the developer is not responsible for how Cointelegraph uses it. But when you take it into the decentralized world, it doesn't really make sense anymore.

Recent enforcement actions, like Telegram, where the CEO is being held liable for people doing illicit things on their platform, I think that's a very scary thing for a developer. They should be wary that their liability may be more enhanced as opposed to a non-decentralized platform.

Also, with Anti-Money Laundering laws, there is definitely a tension. FinCEN was trying to come out with some rulemaking on convertible virtual currency mixers, but I don't think it actually was finalized.

At least in the US, it's not 100% clear where privacy laws end and Anti-Money Laundering laws begin. Because whether or not crypto mixers are legal, it depends on how they're actually being used.

The White House's report on cryptocurrency highlighted this tension, too. It comes up with all things relating to privacy, like the ability to self-custody. So, if you're self-custodying and you're not reporting data to the government, there is a potential that you're committing crimes, or at least the government doesn't know. And so, there again, there is some tension between those inherent rights that are relating to your privacy versus the government's regulatory authority.

I don't think the line is clear yet.

Magazine: Do developers work together with legal experts when working on these tools?

Ho: Some developers that have money will hire legal experts, but a lot have just kind of moved on and just taken the risk. I will say that this is a personal opinion, but as a legal person in this field for a while, I will say privacy has been low on the totem pole of people's concerns.

Most crypto developers that I've worked with are much more concerned about securities laws and making sure that they're not in violation of those. Privacy has only recently become more important, in my observation.

Magazine: What do institutions need to be able to adopt these privacy solutions?

Ho: Initially, crypto and blockchain companies just needed to get off the ground. Getting over that hump, just raising the funds to operate, was first and foremost.

Now, platforms have matured, so they're essentially operating just the same as centralized products and services. So, they're now kind of coming around to realize they need compliance with privacy laws and compliance measures. I think a lot of it was kind of like the Wild West, where a lot of companies just kind of skipped over all of that, and they were just rushing so fast, and it was a bit of a mess, to be honest.

Institutions need to make sure that they know what privacy laws they're subject to. Let's just take the CCPA [California Consumer Privacy Act] as an example. The CCPA doesn't apply to everybody. It only applies to an entity that qualifies as a business, and there's a three-part test. If you're not subject to CCPA, then you don't need to worry about it. But there may be other laws you're subject to. So, number one is just knowing what privacy laws apply.

Number two, let's just say you do recognize, or you conclude with a lawyer, that CCPA does apply. Well, if it does apply, then your obligation is to allow consumers to satisfy their data subject rights. So, that includes the right to delete. If the privacy-preserving solution has personal data in it, are you going to be able to delete it if somebody requests? Well, blockchain is immutable. Maybe not. Then you're going to be in violation of the law. That is very obviously not in compliance.

The argument from blockchain developers has been, "We're not storing any personal data. It's just a public key. That's not personal data." Well, as I said, that is kind of a common rebuttal from a non-privacy lawyer. But that's not going to fly with a regulator. So, if you can't design your solution, whether it's intended to preserve privacy or not, to actually fulfill these rights, then you're not in compliance.
