Cryptocurrency exchange Coinbase is currently the target of a class-action lawsuit filed in Illinois, alleging violations of the state's Biometric Information Privacy Act (BIPA). The lawsuit claims Coinbase improperly collected and stored users' facial biometric data during its Know Your Customer (KYC) verification process without proper notice or consent. Specifically, customers had to upload government-issued IDs and selfies, which were analyzed by third-party facial recognition vendors such as Jumio, Onfido, Au10tix, and Solaris.
The plaintiffs argue Coinbase failed to provide required written notices about biometric data collection and did not obtain explicit permissions from users, violating BIPA's strict regulations. The biometric data involved includes permanent identifiers like facial geometry, which pose unique privacy risks if compromised. BIPA mandates companies notify individuals in writing, obtain informed consent, have publicly available data retention policies, and prohibits profiting from biometric data.
This is not Coinbase's first brush with BIPA-related litigation. A previous class-action lawsuit about facial and fingerprint data collection through Coinbase’s mobile app was paused and later dismissed without prejudice after moving to arbitration. Additionally, Coinbase faces scrutiny due to a recent data breach linked to customer support agents bribed to leak user data, resulting in multiple related lawsuits.
The current legal action seeks financial penalties up to $5,000 per willful violation plus legal fees and injunctions. If the court sides with plaintiffs, Coinbase may need to revamp its identity verification procedures in Illinois to comply explicitly with BIPA, potentially affecting its operations in similar jurisdictions. The case highlights the ongoing tension between crypto platforms’ regulatory requirements for KYC/AML compliance and users’ biometric privacy rights.
Users of crypto exchanges are reminded of the importance of understanding privacy policies related to biometric data and considering the risks of sharing sensitive facial and identity verification information. The outcome of this lawsuit could set a precedent influencing how crypto platforms manage biometric identity verification under state privacy laws.