Daily Crypto News & Musings

Coinbase Sued Over Biometric Data Violations in Illinois: Faces Millions in Penalties

20 May 2025

Coinbase Faces Class-Action Lawsuit in Illinois Over Biometric Data Practices

Over 10,000 Coinbase users in Illinois are part of a class-action lawsuit that could cost the company millions due to alleged violations of the state’s strict Biometric Information Privacy Act (BIPA). The lawsuit claims that Coinbase has been collecting and storing facial data during its Know Your Customer (KYC) verification process without obtaining proper consent or providing necessary disclosures.

  • Coinbase lawsuit over biometric data in Illinois
  • Violation of BIPA during KYC verification
  • Potential penalties up to $5,000 per violation

The Lawsuit Details

The lawsuit, filed on May 13 in the U.S. District Court for the Northern District of Illinois, centers around Coinbase’s KYC verification process. This process requires users to upload a government-issued ID and a selfie, which are then processed by third-party facial-analysis software from vendors such as Jumio, Onfido, Au10tix, and Solaris. The plaintiffs argue that Coinbase transmitted these images to third parties without the explicit permission of its users.

The Biometric Information Privacy Act (BIPA) is a law in Illinois that requires companies to get explicit consent before collecting biometric data, like fingerprints or facial scans. The lawsuit claims that Coinbase did not adhere to these requirements:

“[…] At no point during the Verification Process are Coinbase users asked to consent to the collection of their biometric information, notified that their biometric data will be collected by an unrelated third party, nor provided with any information about the process, how it works, the type of information and data collected, whether said data is stored or disclosed to other entities, or any information about the retention or destruction of their biometric information.” – Bernstein v. Coinbase Global, Inc.

Previous Legal Troubles

This isn’t the first time Coinbase has faced legal challenges over its data practices. A similar BIPA-related lawsuit in Illinois was dismissed without a final decision in February after being moved to arbitration. However, over 10,000 individuals have already filed for arbitration related to these issues, and many cases were dismissed because Coinbase did not pay the arbitration fees. The current lawsuit seeks financial penalties of up to $5,000 per reckless violation or $1,000 per negligent violation, along with legal expenses and injunctive relief. As of now, Coinbase has remained silent on the matter.

The recent data breach involving bribed customer support agents leaking user data has further intensified scrutiny on Coinbase’s data handling practices. The breach, disclosed on May 15, led to at least six additional lawsuits against the company. Meanwhile, Illinois, along with Kentucky, Vermont, and South Carolina, recently dropped lawsuits against Coinbase over its staking program following the SEC’s dismissal of its own case.

Broader Implications

These legal battles highlight the ongoing challenges cryptocurrency platforms face in balancing regulatory compliance with user privacy. Illinois’ BIPA is particularly strict, but it’s not the only jurisdiction with stringent data privacy laws. As the cryptocurrency industry grows, the need for robust data protection and clear user consent policies becomes increasingly critical. Coinbase’s repeated legal troubles suggest that the company may need to overhaul its data protection measures to avoid future litigation.

Interestingly, after the data breach, Coinbase’s stock initially dropped 7% but later recovered to a 9% increase, showing the resilience of the market amidst these legal storms. However, the potential for significant financial penalties if found guilty of BIPA violations could still impact Coinbase’s bottom line. For users, the stakes are high; a breach of biometric data could lead to identity theft and financial fraud.

Counterpoints and Coinbase’s Response

While Coinbase has not publicly commented on the BIPA lawsuit, it’s worth considering potential defenses or arguments the company could make. They might argue that their KYC process is necessary for compliance with anti-money laundering (AML) regulations, and that they have taken steps to secure user data. However, their silence on the issue is deafening, leaving users in the dark about their data’s fate.

Coinbase’s response to the recent data breach, including refusing to pay a $20 million ransom and plans to reimburse users affected by phishing scams, shows an effort to address security concerns. Yet, the accumulation of lawsuits suggests that these efforts may not be enough.

Future Outlook

The outcome of this lawsuit could set a precedent for data privacy laws in the crypto industry. If Coinbase is found guilty, it could face significant financial penalties and be forced to implement more stringent data protection measures. For the broader industry, it may lead to increased compliance costs and a greater emphasis on user privacy.

As the industry continues to evolve, it’s crucial for users to stay informed about their data rights and the legal landscape of cryptocurrencies. The promise of decentralization and financial freedom is alluring, but the path to achieving it is fraught with regulatory hurdles and privacy concerns.

Key Questions and Takeaways

  • What is the basis of the lawsuit against Coinbase in Illinois?

    The lawsuit claims that Coinbase violated Illinois’ Biometric Information Privacy Act by collecting and storing facial data during its KYC verification process without obtaining proper consent or providing necessary disclosures.

  • What specific practices of Coinbase are being challenged in the lawsuit?

    The challenged practices include requiring users to upload a government-issued ID and a selfie, which are then processed by third-party facial recognition software without consent or proper notification.

  • Which third-party vendors are mentioned in the lawsuit?

    The lawsuit mentions Jumio, Onfido, Au10tix, and Solaris as the third-party vendors to whom Coinbase allegedly transmitted facial data without explicit permission.

  • What are the potential financial penalties Coinbase faces if found guilty of BIPA violations?

    Coinbase could face financial penalties of up to $5,000 per reckless violation or $1,000 per negligent violation, along with legal expenses and injunctive relief.

  • Has Coinbase faced similar lawsuits in the past?

    Yes, Coinbase faced a similar BIPA-related lawsuit in Illinois in May 2023, which was dismissed without a final decision after being moved to arbitration.

  • What recent event has added scrutiny to Coinbase’s data handling practices?

    A recent data breach involving bribed customer support agents leaking user data has added scrutiny to Coinbase’s handling of sensitive information.

  • What other regulatory actions have been taken against Coinbase recently?

    Illinois, along with Kentucky, Vermont, and South Carolina, recently dropped lawsuits against Coinbase over its staking program following the SEC’s dismissal of its own case.