Coinbase Faces Class-Action Lawsuit Over Biometric Data Harvesting

Over 10,000 users have filed a class-action lawsuit against Coinbase, alleging that the cryptocurrency exchange has been secretly harvesting and sharing their biometric data without proper consent. The lawsuit, filed in the U.S. District Court for the Northern District of Illinois, claims that Coinbase violated the Illinois Biometric Information Privacy Act (BIPA) by collecting users' facial geometry data during its Know Your Customer (KYC) process. The plaintiffs, Scott Bernstein, Gina Greeder, and James Lonergan, argue that Coinbase failed to inform users in writing about the collection, use, and storage of their biometric data, as required by BIPA.

The lawsuit alleges that users are required to upload a government-issued ID along with a selfie for identity verification. These images are then processed by third-party facial recognition services such as Jumio, Onfido, Au10tix, and Solaris, allegedly at Coinbase’s direction, without user knowledge or consent. This process captures unique facial data, considered sensitive biometric identifiers, without adhering to BIPA’s requirement for advance written notice and informed consent.

The plaintiffs further allege that Coinbase has never made public any retention schedules or data destruction policies, another requirement under BIPA. The law mandates that companies clearly inform users how long their biometric data will be stored and when it will be permanently deleted. Coinbase is said to still be storing this data and possibly sharing it with outside suppliers, with no defined deadline or control. This lack of transparency and protocol puts users’ sensitive biometric data at risk for an extended period.

The lawsuit adds to the controversy by stating that more than 10,000 Coinbase users have attempted to file arbitration claims over the same privacy issues. However, these claims were reportedly dismissed because Coinbase refused to pay the American Arbitration Association (AAA) the necessary fees. This move could be part of Coinbase’s larger legal strategy to avoid individual arbitration, a common method for businesses to avoid expensive class-action lawsuits.

The lawsuit seeks damages of $5,000 per willful or reckless violation, $1,000 per negligent violation, injunctive relief, and attorney fees. The complaint also claims that Coinbase violated the Illinois Consumer Fraud and Deceptive Business Practices Act by misleading users about how their data would be used.

This is not the first time Coinbase has faced allegations of mishandling biometric data. A similar action from 2023 was sent to arbitration and then dropped without prejudice. However, the current case involves tens of thousands of affected users and well-known third-party providers, leading legal experts to believe that this action could set a significant precedent for how biometric data is handled in the cryptocurrency industry.

As of the latest information, Coinbase has not officially responded to the allegations. The outcome of this lawsuit could have far-reaching implications for how cryptocurrency exchanges handle biometric data and the importance of transparency and user consent in data collection practices.