Coinbase, one of the leading cryptocurrency exchanges in the world, is now at the center of a class-action lawsuit filed in Illinois. The suit accuses the platform of violating the Illinois Biometric Information Privacy Act (BIPA) by collecting and using customers’ biometric data without proper consent—raising significant concerns around data privacy in the crypto industry.
Biometric Data Collection Under Scrutiny
According to the lawsuit, Coinbase’s identity verification process—designed to meet regulatory “Know Your Customer” (KYC) requirements—requires users to submit a government-issued ID and a selfie. These images are allegedly scanned using facial recognition software to extract biometric identifiers, such as facial geometry.
The plaintiffs claim Coinbase did not obtain informed written consent, nor did it disclose how long this data would be stored or when it would be deleted—both required under BIPA.
Additionally, it is alleged that Coinbase shared this sensitive biometric data with third-party vendors including Jumio, Onfido, Au10tix, and Solaris—without informing users or gaining explicit consent.
Mass Arbitration Rejected, Class Action Filed
Before filing the lawsuit, over 10,000 Coinbase users submitted arbitration demands related to these alleged violations. However, Coinbase allegedly refused to pay the necessary arbitration fees, which led to the dismissal of these claims.
Now, those users have turned to the courts, filing a class-action complaint in the U.S. District Court for the Northern District of Illinois.
The lawsuit seeks $5,000 per willful violation and $1,000 per negligent violation, as well as injunctive relief and legal costs.
It also includes a claim under the Illinois Consumer Fraud and Deceptive Business Practices Act, further increasing potential penalties for the exchange.
Why This Case Matters
This legal challenge highlights the urgent need for crypto companies to comply with biometric privacy law. As digital identity verification becomes standard practice in fintech and crypto onboarding, companies must prioritize compliance with privacy laws and obtain explicit consent from users.
BIPA is considered one of the strongest biometric privacy laws in the U.S., and non-compliance—even without a data breach—can result in severe financial consequences.
Conclusion
As Coinbase battles this lawsuit, the case sends a clear message to the broader crypto and tech ecosystem:
Handling biometric data isn’t just a technical challenge—it’s a legal one.
Platforms must adopt clear, transparent policies, gain user consent, and comply with all data privacy laws—or risk facing major lawsuits and reputational damage.

