Key takeaways:
- In Illinois, Coinbase is being sued collectively for allegedly violating biometric data privacy.
- BIPA mandated that Coinbase obtain users’ consent before collecting their biometric data.
According to an intended class-action complaint, Coinbase collected and stored client fingerprint and facial template data, violating Illinois’ biometric privacy regulations.
A Coinbase user filed a lawsuit against the exchange on May 1, alleging that specific provisions of the Illinois Biometric Information Privacy Act (BIPA) were violated by the exchange’s requirement that customers upload images of a valid ID and a self-portrait for the company to conduct Know Your Customer (KYC) checks.
According to the lawsuit, BIPA mandated that Coinbase obtain users’ consent before collecting their biometric data. Additionally, Coinbase had to state why the information was being collected, how long it would be kept, what it would be used for, and how it would be permanently destroyed. The complaint read:
“Coinbase had no written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information,”
According to the lawsuit, Coinbase scans the images and produces a biometric template of a user’s face in a method similar to that other exchanges utilize. It uses the data to verify that the self-portrait and the face on the provided ID match. In the course of the exchange, Illinois residents’ fingerprints and “thousands” of “highly detailed geometric maps of the face” reportedly underwent improper collection and storage.
As per the lawsuit, Coinbase’s mobile app uses biometric authentication, such as a fingerprint or facial scan, to confirm the user when they log into their account. It was claimed that Coinbase’s collection, acquisition, storage, and use of this data was “illegal” and put consumers’ privacy at serious and irrevocable risk.
The complaint claimed that because biometric data was used exclusively for account opening, Coinbase should have “permanently destroyed” it after a customer opened a Coinbase account.
In addition to paying the class action’s legal fees and costs, the lawsuit is currently asking for damages of $5,000 per willful BIPA violation or $1,000 if the court determines that the claimed violations were not deliberate. Users of Coinbase have no recourse if the company’s database, which contains sensitive, proprietary biometric information like facial geometry scans, is breached, compromised, or otherwise made public.
Coinbase recently filed a lawsuit against SEC in a federal court in the United States to compel the nation’s securities regulator to answer “yes” or “no” to a petition that the exchange has had pending since July.
