Coinbase Faces Class-Action Lawsuit Over Biometric Data Privacy

A group of Coinbase users from Illinois have initiated a class-action lawsuit against the cryptocurrency exchange, alleging that its identity verification processes violate the state’s Biometric Information Privacy Act (BIPA). The plaintiffs, Scott Bernstein, Gina Greeder, and James Lonergan, filed the lawsuit on May 13 in a federal court, claiming that Coinbase’s collection of faceprints for its Know Your Customer (KYC) requirements does not comply with BIPA. The lawsuit asserts that Coinbase failed to notify users in writing about the collection, storage, sharing, and retention schedule of their biometric data.

The complaint details that Coinbase requires users to verify their identity by uploading a government-issued photo ID and a selfie, which is then sent to third-party facial recognition software to scan and extract facial geometry. This process, according to the plaintiffs, captures biometric identifiers without users’ informed written consent, thereby violating BIPA. The lawsuit further alleges that Coinbase shares biometric data with third-party verification vendors such as Jumio, Onfido, Au10tix, and Solaris without users’ consent, which is also a violation of the law.

The plaintiffs claim that more than 10,000 individuals have filed demands for arbitration over these issues with the American Arbitration Association. However, Coinbase has allegedly refused to pay the required arbitration fees, leading to the dismissal of these cases. The lawsuit brings three claims of violating state biometric privacy laws and one for consumer fraud under the Illinois Consumer Fraud and Deceptive Business Practices Act. The group is seeking relief of $5,000 per willful or reckless violation found, $1,000 per negligent violation found, along with injunctive relief and litigation costs.

This lawsuit comes at a time when Coinbase is already facing legal challenges. The exchange has recently been hit with at least six lawsuits over its May 15 disclosure that some of its customer support agents were bribed to leak users' data. In May 2023, a similar lawsuit was filed against Coinbase under accusations of BIPA violations. A judge later allowed that lawsuit to pause pending arbitration and dismissed the lawsuit without prejudice on Feb. 3 after Coinbase and the group of users agreed to drop the action.

This latest legal action against Coinbase underscores the growing scrutiny and legal challenges faced by cryptocurrency exchanges regarding data privacy and security. The lawsuit highlights the importance of compliance with biometric privacy laws and the potential consequences of failing to do so. As the legal battle unfolds, it remains to be seen how Coinbase will address these allegations and what impact this will have on its operations and user trust.