Coinbase Accused of Illegal Biometric Data Collection

Reading Time: 2 minutes
  • Coinbase has been accused of collecting and storing biometric data against Illinois law
  • A proposed class action lawsuit claims that the exchange has fallen foul of the 2008 Illinois Biometric Information Privacy Act
  • The act has been used to target multiple organizations since its creation

Coinbase has found itself on the receiving end of a few lawsuits recently, but this might be the strangest one yet; a proposed class action lawsuit has accused the company of flouting Illinois law in how it handles biometric data. The suit, filed Monday in the Northern District of California, alleges that Coinbase illegally collects face templates and fingerprints belonging to its customers in violation of Illinois’ biometric privacy law, claiming that it “wrongfully profits from the facial and fingerprint scans it has collected or otherwise obtained from its users.”

Coinbase Accused of “Unlawful” Data Collection

The suit has been filed by Coinbase customer Michael Massel who explains that the exchange requires users to upload a government ID and selfie for verification and set up biometric authentication (a fingerprint scan) to log into the mobile app. Massel says that Coinbase “collects, stores, possesses, otherwise obtains, uses, and disseminates its users’ biometric data to, amongst other things, further enhance Coinbase and its online ‘app-based’ Platform,” which he says is contrary to Illinois law:

Facial geometry and fingerprint scans are unique, permanent biometric identifiers associated with each user that cannot be changed or replaced if stolen or compromised. Coinbase’s unlawful collection, obtainment, storage, and use of its users’ biometric data expose them to serious and irreversible privacy risks.

BIPA Law Strikes Again

The suit cites the Illinois Biometric Information Privacy Act (BIPA), which has been in place since 2008, and has been used to target several companies across a wide range of industries in recent years.

The law requires companies who request and hold such information to obtain consent before doing so, including fingerprints or facial scans, and to let users know how long the data will be kept.