Coinbase Sued for Privacy Violations Over Users' Biometric Data

Crypto exchange Coinbase is being sued for the unauthorized collection and improper use of customers’ biometric data and for violating Illinois’ Biometric Information Privacy Act, according to a lawsuit filed yesterday with a District Court in California. 

Plaintiff Michael Massel is seeking $5,000 in damages for every “intentional and reckless violation” of Illinois’ Biometric Information Privacy Act (BIPA) and a further $1,000 for each other violation his legal team can find. 

The suit alleges that Coinbase’s collection of biometric data through its Know Your Customer (KYC) practices—in this case, fingerprints and facial scans—were unlawfully obtained, used, stored and disseminated. 

According to BIPA rules, a company wishing to collect biometric data has to inform a person in writing that such data is being obtained, including the specific purpose and length of term for which the data will be stored. 

Written consent is also required from the customer and the company has to publish “publicly‐available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information.”

The suit argues Coinbase does none of the above when collecting customers’ biometric data both before and after creating new accounts. 

Coinbase Asks Court to Force SEC to Clarify Crypto Regulations

Cryptocurrency exchange Coinbase took action against the Securities and Exchange Commission (SEC) late Monday, asking a federal court to compel the agency to respond to its demand for clearer crypto regulations. The exchange sent the SEC its so-called “petition for rulemaking” last July, and asked the regulator to propose and adopt rules for digital assets securities. It also sought answers to 50 specific questions that would provide “clarity and certainty regarding the regulatory treatment of d...

According to the suit, Coinbase had no legal right to collect and store the data, so the facial recognition data collected prior to opening an account should have been destroyed after the customers’ accounts were opened, as should the fingerprint data whenever customers log out.  

Furthermore, the suit claims that Coinbase collects biometric data to “further enhance Coinbase and its online ‘app-based’ platform” and in doing so, “wrongfully profits” from the data. 

Lastly, the suit alleges that Coinbase “disclosed, redisclosed, or otherwise disseminated Plaintiff’s biometric information to numerous third parties including, but not limited to, Jumio Corporation, Onfido, Inc., Au10tix LTD, Solaris AG, and Liquid Co., Ltd.”

Decrypt has reached out to Coinbase for comment and will update this article should we receive a response.

Coinbase’s other legal challenges

Coinbase is also taking heat from U.S. regulators pursuing what the industry describes as a “regulation-by-enforcement strategy,” whereby agencies such as the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) prefer to serve up lawsuits and legal threats rather than draft new guidelines for the still-nascent industry. 

Earlier this year, the SEC alleged that the staking services offered by exchanges like Kraken and Coinbase were unregistered securities and began a crackdown against them, issuing the former with a $30 million fine and the latter with a Wells Notice. 

The hostile climate appears to be driving Coinbase—a publicly traded U.S. company—further offshore. 

Last month the exchange announced it received a license to operate in Bermuda and is in talks with the Financial Services Regulatory Authority (FRSA), a regulator of the Abu Dhabi Global Market (ADGM)—a crypto-friendly free economic zone in the territory of UAE—about the potential of opening a regulated exchange there.