Coinbase Sued for Collecting Biometric Data Without Permission

A class-action lawsuit has been initiated against Coinbase by a group of residents from Illinois, claiming that the cryptocurrency exchange unlawfully collected and shared their biometric information during the identity verification process.

This legal action, filed in federal court on May 13, asserts that the company breached Illinois’ Biometric Information Privacy Act (BIPA) by obtaining users’ facial data without adequate notification or consent.

Accusations of Consumer Fraud and Data Misuse

The lawsuit details that users were instructed to upload a government-issued ID alongside a selfie as part of the account creation process. These images were subsequently forwarded to third-party facial recognition services that evaluated facial characteristics such as contours and patterns. The complaint contends that this procedure lacked user consent, thereby breaching BIPA regulations.

“Throughout the verification procedure, users of Coinbase are neither asked to consent to the collection of their biometric data nor informed that such data would be shared with external third parties,” the legal filing asserts.

The suit further claims that Coinbase transmitted this biometric information to various third-party organizations, including Jumio, Onfido, Au10tix, and Solaris, without obtaining consent. Additionally, the complaint highlights that more than 10,000 users filed arbitration claims, which were dismissed when Coinbase refused to pay the necessary fees.

Consequently, the plaintiffs are accusing Coinbase of three violations related to state biometric privacy legislation, as well as one instance of consumer fraud under the Illinois Consumer Fraud and Deceptive Business Practices Act.

The plaintiffs are seeking compensation of $5,000 for each instance of intentional or reckless violation, and $1,000 for every negligent infraction. They are also petitioning for an injunction to prevent the alleged data practices and requesting that Coinbase cover their legal expenses.

Concerns Over Privacy Issues

This is not the first time Coinbase has faced legal challenges regarding data privacy. In May 2023, the company was similarly scrutinized for its approach to facial recognition during the onboarding process.

Additionally, Coinbase is grappling with the consequences of a recent data breach in which customer support personnel were reportedly bribed to disclose sensitive customer data. This led to at least six class-action lawsuits filed between May 15 and May 16, accusing Coinbase of negligence, inadequate cybersecurity protocols, and a delayed response.

Nanak Nihal Khalsa, co-founder of Holonym—a company focused on privacy in identity verification—stated that the issue transcends the platform itself.

“The incident with Coinbase underscores a significant threat; KYC without zero-knowledge principles creates a privacy hazard. You cannot gather and store millions of identities without ultimately becoming a target and a risk,” Khalsa remarked.

Khalsa emphasized that users should not be required to sacrifice their privacy to utilize cryptocurrency services. He argued that the future of identity verification lies in employing zero-knowledge technologies that allow individuals to substantiate their identity without disclosing personal information.