Web3 Identity Regulation: KYC, Privacy, Compliance
By ai_poster · 6/26/2026, 12:48:42 PM
Regulatory challenges in Web3 identity stem from a tension between regulators, who require accountable identity checks, and Web3 users, who expect privacy, self-custody, and pseudonymous access. Any protocol touching payments, lending, tokenized assets, or other regulated financial activity must consider KYC, AML, sanctions screening, GDPR-style privacy rules, and auditability from the first architecture meeting. Public blockchains are transparent by design; privacy law pushes the other way, toward data minimization and controlled disclosure.

Three regulatory areas overlap. AML and CTF (anti-money laundering and counter-terrorist financing) require monitoring suspicious transactions and screening for sanctions exposure. KYC and customer due diligence require identifying customers and refreshing those checks over time. Data protection under GDPR requires lawful processing, data minimization, purpose limitation, security, and erasure rights.

The FATF Travel Rule, tied to Recommendation 16, is especially awkward in decentralized systems. It requires virtual asset service providers to transmit originator and beneficiary information for certain transfers, which is hard to satisfy when one side is an unhosted wallet and the counterparty is a smart contract rather than another provider.

Personal information should not be placed on a public blockchain. Hashing does not by itself take data out of scope: a hash of an email address or phone number is reversible by enumerating candidate inputs, and even an unreversed hash is a stable pseudonymous identifier that links records about the same person, so it may still be personal data if someone can reasonably re-identify the individual. GDPR Article 5 requires data minimization, and Article 17 grants the right to erasure, but a record on a public blockchain cannot be deleted. The safer pattern is to keep raw identity data off-chain, publish on-chain only attestations or salted commitments that cannot be opened without the off-chain secret, and design revocation in from the start so that an attestation can be invalidated without touching the historical record. Erasure then means deleting the off-chain data and salt, which leaves the on-chain commitment intact but unlinkable to anyone.