A proposed class-action lawsuit charges that Coinbase violated Illinois' biometric privacy law by collecting and storing customers' fingerprints and facial templates.
A Coinbase user filed in California District Court on May 1 allegations that the exchange violated certain regulations in the state of Illinois by requiring customers to upload a valid ID and a photo of themselves for the company to perform know-your-customer (KYC) checks .Biometric Information Privacy Act (BIPA).
BIPA requires Coinbase to obtain permission from users when collecting their biometric information, the lawsuit says. Coinbase is also required to provide the purpose for collecting such data, how long it is stored, how it will be used, and how Coinbase will permanently destroy the data. "Coinbase did not have a written policy, publicly available, that established a retention schedule and guidelines for the permanent destruction of biometric information," the lawsuit argues.
In a similar process used by other exchanges, the suit says Coinbase scans photos and creates biometric templates of users' faces. It uses this information to confirm that the self-portrait matches the face on the ID provided. The exchange allegedly illegally collected and s tored "thousands" of "highly detailed facial geometry maps" and fingerprints of Illinois residents.
Coinbase's mobile app also uses biometric authentication such as fingerprints or facial scans to verify a user's identity when logging into an account, the lawsuit said. Coinbase's “collection, acquisition, storage, and use” of such data is accused to be “unlaw ful” and exposes users to “serious and irreversible privacy risks.”
“If Coinbase databases containing facial geometry scans or other sensitive, proprietary biometric data were hacked, compromised, or otherwise exposed, Coinbase users would have no protection against identity theft.”
The document says that after a user opens a Coinbase account, Coinbase should "permanently destroy" biometric data because such information is only used to open the account. The suit seeks $5,000 for each willful violation of BIPA, or $1,000 if the court finds the alleg ed Violations were not intentional, as well as attorneys' fees and court costs for the class action. When asked about the lawsuit, Coinbase told Cointelegraph that it had no comment to add.
