Coinbase Accused of Unlawful Biometric Data Collection and Storage in Class Action Lawsuit
A proposed class-action lawsuit filed on May 1 in a California District Court alleges that Coinbase breached Illinois’ Biometric Information Privacy Act (BIPA) by collecting and storing customer fingerprints and facial templates.
To conduct Know Your Customer (KYC) checks, Coinbase requires customers to upload pictures of a valid ID and a self-portrait. However, the lawsuit claims that this requirement violates certain provisions of BIPA, as Coinbase did not obtain users’ permission to collect their biometrics or provide information about the purpose of collecting such data, how long it would be stored, and how it would be used and destroyed.
The lawsuit also alleges that Coinbase did not have a written policy establishing guidelines for the permanent destruction of biometric information, which is required by BIPA.
According to the proposed class-action lawsuit, Coinbase follows a process similar to other exchanges by scanning photographs uploaded by customers and creating a biometric template of their face. This information is used to confirm whether the self-portrait matches the face on the submitted ID.
As a result, the exchange is alleged to have illegally collected and stored “highly detailed geometric maps of the face” and fingerprints of thousands of Illinois residents.
The lawsuit also claims that Coinbase uses biometric authentication, such as fingerprint or face scans, on its mobile app to verify users when they log into their accounts.
This puts users at significant and permanent risk of having their privacy violated. If the sensitive and proprietary biometric data is hacked, breached, or exposed, there is no way for users to protect themselves against identity theft.
The suit claims that Coinbase should have permanently destroyed this data after using it to open an account for a user, as that was its sole purpose.
Therefore, the lawsuit is demanding compensation for intentional violations of the Illinois Biometric Information Privacy Act (BIPA) at a rate of $5,000 per violation, or $1,000 if the violations were not deliberate, along with the cost of legal fees and court expenses for the class action.