Cryptocurrency exchange Coinbase is facing a class-action lawsuit in the U.S. state of Illinois, which claims that the company may have violated the state’s Biometric Information Privacy Act.
A group of Coinbase customers has accused the platform of improperly collecting and storing facial data during its identity verification process.
Filed in the U.S. District Court for the Northern District of Illinois on May 13, the lawsuit alleges that Coinbase’s Know Your Customer checks involve scanning users’ facial geometry without proper notice or consent, a move the plaintiffs say directly breaches Illinois’ biometric privacy laws.
According to the complaint, users were required to upload a government-issued ID and a selfie, which were then processed by third-party facial recognition software.
The group claims this process captured their biometric identifiers, such as faceprints, without prior written notice or notification of the collection without a publicly available “retention schedule or guidelines” for data destruction, as required under BIPA.
“[…] At no point during the Verification Process are Coinbase users asked to consent to the collection of their biometric information, notified that their biometric data will be collected by an unrelated third party, nor provided with any information about the process, how it works, the type of information and data collected, whether said data is stored or disclosed to other entities, or any information about the retention or destruction of their biometric information.”
Bernstein v. Coinbase Global, Inc.
According to the complaint, Coinbase transmitted facial data to third-party vendors, including Jumio, Onfido, Au10tix, and Solaris, without obtaining explicit permission.
Further, it claims that more than 10,000 individuals have filed for arbitration over these issues, but Coinbase has allegedly failed to pay the necessary arbitration fees, resulting in many of those cases being dismissed.
That being said, the group is pushing for financial penalties of up to $5,000 per reckless violation, or $1,000 where negligence is found, in addition to legal expenses and injunctive relief.
Coinbase has not publicly commented on the lawsuit at the time of writing.
Interestingly, this isn’t the first time Coinbase has been in hot water over alleged BIPA violations in Illinois. As previously reported by crypto.news, a class-action lawsuit filed by a local in May 2023 targeted the exchange over its collection of facial data and fingerprint templates through its mobile app.
That case was eventually paused after a judge approved Coinbase’s motion to move the dispute into arbitration. The lawsuit was dismissed without prejudice in February this year, after both parties agreed to drop the case.
Making matters worse, Coinbase has also come under fire over a recent data breach involving customer support agents allegedly bribed to leak user data. At least six related lawsuits have since been filed, intensifying scrutiny over the platform’s handling of sensitive information.
In other news, Illinois recently dropped a separate lawsuit against Coinbase over its staking program, following similar moves by Kentucky, Vermont, and South Carolina after the SEC dismissed its own case.
