Coinbase Lawsuit: Alarming Claims Over Illinois Biometric Privacy Act

A significant legal challenge is brewing for one of the largest cryptocurrency exchanges. A new Coinbase lawsuit has been filed, bringing into focus critical questions about user data and privacy rights, specifically concerning the collection of biometric privacy data.

Understanding the Illinois Biometric Privacy Act (BIPA)

At the heart of this legal action is the Illinois Biometric Information Privacy Act, commonly known as BIPA. This state law, enacted in 2008, is one of the strictest in the U.S. regarding the collection and handling of biometric data. It requires companies to:

• Inform individuals in writing that their biometric data is being collected or stored.
• State the specific purpose and length of time the data will be collected, stored, and used.
• Obtain a written release from the individual.
• Develop a publicly available retention schedule and guidelines for permanently destroying the data when the initial purpose is satisfied or within three years, whichever occurs first.
• Not sell, lease, trade, or profit from biometric data.
• Not disclose or disseminate biometric data without consent or a legal warrant.

The lawsuit alleges that Coinbase failed to meet these strict requirements when verifying user identities.

Why Are Users Filing This Coinbase Lawsuit?

A group of Coinbase users residing in Illinois initiated this class-action Coinbase lawsuit. They claim the exchange’s identity verification process, which is part of its standard KYC (Know Your Customer) requirements, violates BIPA.

Specifically, the plaintiffs allege that Coinbase’s process involves collecting faceprints without providing clear, written notice about:

• The fact that their biometric data was being collected.
• How the data would be stored.
• Whether it would be shared with others.
• How long the data would be kept (retention schedule).
• When the data would be permanently destroyed.

They argue that this ‘wholesale collection’ of sensitive biometric privacy information did not comply with the legal mandates of the Illinois law.

How Does Coinbase’s KYC Process Relate to Biometric Data?

Coinbase, like many financial platforms, requires users to undergo identity verification to comply with regulations like KYC and AML (Anti-Money Laundering). The lawsuit describes Coinbase’s process involving users uploading a government-issued photo ID and a selfie. This selfie is then reportedly sent to third-party software designed to scan and extract facial geometry – a form of biometric privacy data.

The plaintiffs contend that by directing third-party vendors to use software that collects this biometric privacy data, Coinbase is effectively ‘obtaining’ the data itself, and doing so without the explicit informed written consent required by BIPA.

What Do the Plaintiffs Claim About Data Sharing and Arbitration?

Beyond the initial collection, the lawsuit also claims Coinbase violated BIPA by allegedly sharing the collected biometric privacy data with third-party verification providers. Companies like Jumio, Onfido, Au10tix, and Solaris are mentioned as vendors who potentially received this data without user consent, another point of contention under Illinois law.

Adding another layer to the legal dispute, the plaintiffs mention that over 10,000 individuals have previously attempted to resolve similar issues through arbitration with the American Arbitration Association. They claim Coinbase has refused to pay the necessary arbitration fees, leading to the dismissal of those demands. This has potentially pushed more users toward filing class-action lawsuits like the current one.

What’s at Stake in This Biometric Privacy Case?

The plaintiffs in this Coinbase lawsuit are seeking significant relief. They are asking the court for statutory damages as defined by BIPA: $5,000 for each willful or reckless violation found, and $1,000 for each negligent violation found. Given the large user base, the potential financial impact could be substantial if the court finds in favor of the plaintiffs. They are also seeking injunctive relief, which could force Coinbase to change its identity verification practices in Illinois, and reimbursement for litigation costs.

This case highlights the increasing scrutiny on how technology companies, including those in the crypto space, handle sensitive user data, particularly biometric privacy information. It underscores the importance of transparency and explicit consent when collecting such data, especially in states with specific privacy laws like BIPA in Illinois.

It’s worth noting this isn’t the first time Coinbase has faced a BIPA lawsuit. A similar case was filed in May 2023 but was later dismissed without prejudice after the parties reportedly agreed to drop the action, pending arbitration.

In conclusion, this new Coinbase lawsuit over biometric privacy in Illinois serves as a stark reminder for all platforms handling user data. Compliance with evolving privacy regulations like BIPA is crucial, and failure to adequately inform users about the collection, use, and retention of their sensitive biometric privacy data can lead to significant legal challenges and financial penalties. The outcome of this case could set important precedents for how crypto exchanges conduct KYC and handle biometric privacy data moving forward.