Coinbase Sued for Privacy Violations Over Users' Biometric Data

A new lawsuit alleges that Coinbase improperly collected, stored and disseminated customers' facial and fingerprint recognition data.

By Tim Hakki

Crypto exchange Coinbase is being sued for the unauthorized collection and improper use of customers’ biometric data and for violating Illinois’ Biometric Information Privacy Act, according to a lawsuit filed yesterday with a District Court in California. 

Plaintiff Michael Massel is seeking $5,000 in damages for every “intentional and reckless violation” of Illinois’ Biometric Information Privacy Act (BIPA) and a further $1,000 for each other violation his legal team can find. 

The suit alleges that the biometric data Coinbase collects through its Know Your Customer (KYC) practices—in this case, fingerprints and facial scans—was unlawfully obtained, used, stored and disseminated.

According to BIPA rules, a company wishing to collect biometric data has to inform a person in writing that such data is being obtained, including the specific purpose and length of term for which the data will be stored. 

Written consent is also required from the customer and the company has to publish “publicly‐available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information.”

The suit argues Coinbase does none of the above when collecting customers’ biometric data both before and after creating new accounts. 

According to the suit, Coinbase had no legal right to collect and store the data, so the facial recognition data collected prior to opening an account should have been destroyed after the customers’ accounts were opened, as should the fingerprint data whenever customers log out.  

Furthermore, the suit claims that Coinbase collects biometric data to “further enhance Coinbase and its online ‘app-based’ platform” and in doing so, “wrongfully profits” from the data. 

Lastly, the suit alleges that Coinbase “disclosed, redisclosed, or otherwise disseminated Plaintiff’s biometric information to numerous third parties including, but not limited to, Jumio Corporation, Onfido, Inc., Au10tix LTD, Solaris AG, and Liquid Co., Ltd.”

Decrypt has reached out to Coinbase for comment and will update this article should we receive a response.

Coinbase’s other legal challenges

Coinbase is also taking heat from U.S. regulators pursuing what the industry describes as a “regulation-by-enforcement strategy,” whereby agencies such as the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) prefer to serve up lawsuits and legal threats rather than draft new guidelines for the still-nascent industry. 

Earlier this year, the SEC alleged that the staking services offered by exchanges like Kraken and Coinbase were unregistered securities and began a crackdown against them, issuing the former with a $30 million fine and the latter with a Wells Notice.

The hostile climate appears to be driving Coinbase—a publicly traded U.S. company—further offshore. 

Last month the exchange announced it received a license to operate in Bermuda and is in talks with the Financial Services Regulatory Authority (FSRA), a regulator of the Abu Dhabi Global Market (ADGM)—a crypto-friendly free economic zone in the territory of the UAE—about the potential of opening a regulated exchange there.
