Coinbase, a popular cryptocurrency exchange, is facing legal action over alleged violations of biometric privacy laws. A lawsuit was filed in a California District Court on May 1, alleging that Coinbase violated certain provisions of Illinois’ Biometric Information Privacy Act (BIPA). This was due to the company’s requirement for customers to upload pictures of a valid ID and a self-portrait in order to conduct Know Your Customer (KYC) checks.
Violation of Biometric Information Privacy Act
The lawsuit asserts that users’ permission was necessary for Coinbase to collect their biometrics and that the company should have provided information regarding the purpose of collecting such data, its storage duration, usage, and how Coinbase would permanently dispose of it. However, Coinbase had no written policy establishing a retention schedule and guidelines for permanently destroying biometric information.
“Coinbase had no written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information.”
In a similar process used by other exchanges, Coinbase scans the photographs and creates a biometric template of a user’s face, which it uses to confirm a match between the self-portrait and the face on the supplied ID. The exchange is accused in the suit of illegally collecting and storing “thousands” of “highly detailed geometric maps of the face” and fingerprints from Illinois residents.
Serious and Irreversible Privacy Risks
The lawsuit further alleges that Coinbase uses biometric authentication, such as fingerprint or face scans. This is to verify the user when they log into their account on the mobile app. According to the suit, this exposes users to serious and irreversible privacy risks. After a user opened a Coinbase account using biometric data, should have permanently destroyed such information.
The suit is seeking damages of $5,000 per intentional BIPA violation or $1,000 if the court finds the alleged violations were not willful. In addition, Coinbase is expected to pay the attorneys fees and court costs of the class action. A hacker breaching Coinbase’s database could expose sensitive biometric data, leaving users vulnerable to identity theft.