Crypto Exchange Coinbase Sued for Breaking Biometric Privacy Law
On Monday, May 1, 2023, a class action lawsuit has been filed in the United States District Court for the Northern District of California against crypto exchange Coinbase for allegedly violating Illinois’ biometric privacy law.
The lawsuit, filed by Illinois resident Michael Massel, alleges that the crypto exchange collected and stored biometric data without obtaining proper consent from its users, violating the state’s Biometric Information Privacy Act (BIPA).
BIPA ensures that individuals are in control of their own biometric data and prohibits private companies from collecting it unless they inform the person in writing of the specific purpose and length of time for which the data will be collected, stored, and used.
According to the lawsuit, Coinbase had no written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining such biometric information has been satisfied.
“Plaintiff’s fingerprints should have been permanently destroyed by Coinbase after Plaintiff logged out or ceased using the Coinbase mobile app. However, Coinbase failed to permanently destroy Plaintiff’s fingerprints after he logged out or ceased using the Coinbase mobile app,” the lawsuit said. “As such, Coinbase’s retention of Plaintiff’s biometric information was unlawful and in violation of 740 ILCS § 14/15(a). Coinbase did not inform Plaintiff in writing that Coinbase was collecting or storing his biometric information. Instead, Coinbase simply instructed Plaintiff to upload his state issued identification forms, “selfie” photograph, and fingerprints as part of the overall account opening process.”
The lawsuit also claims that Coinbase’s unlawful collection, storage, and use of its users’ biometric data exposes them to serious and irreversible privacy risks.
“For example, if Coinbase’s database containing facial geometry scans or other sensitive, proprietary biometric data is hacked, breached, or otherwise exposed, Coinbase users have no means by which to prevent identity theft, unauthorized tracking or other unlawful or improper use of this highly personal and private information,” the lawsuit said.
The lawsuit is seeking damages of $5,000 for the intentional and reckless violation of BIPA or $1,000 if unintentional, plus other damages and attorney fees.
A copy of the original filing can be found here.
