A proposed class action complaint filed in a California Court claims digital asset exchange Coinbase (NASDAQ: COIN) broke the law in its collection, storage, and use of biometric data.
A May 1 filing with the District Court for the Northern District Of California accuses digital asset exchange Coinbase of keeping the biometric data collected from customers in the account creation process without notifying them in writing that it would be doing so. According to the lawsuit, such retention is illegal based on the Illinois Biometric Information Privacy Act (BIPA).
Coinbase requires users to upload scans of a valid identity card and a selfie, which it uses to create a biometric template of a user’s face in order to confirm a facial match. This is to comply with Know Your Customer (KYC) requirements by which, as a listed company in the U.S., Coinbase must abide.
Brought by Michael Massel and “on behalf of all others similarly situated,” the case hinges on the BIPA Act, which demands that companies with operations in the State of Illinois may not obtain or possess an individual’s biometrics unless it:
– Informs that person in writing that biometric information will be collected or stored.
– Informs that person in writing of the specific purpose and length of time for which it is being collected, stored, and used.
– Receives a written release from the person for the collection of his or her biometric data.
– Publishes publicly available written retention schedules and guidelines for permanently destroying the data.
The plaintiff alleges that Coinbase has fallen foul of all these rules by storing and using the biometric data without written permission or notification and that in the absence of such permissions, the company should have permanently destroyed the biometric information after completing the KYC compliance procedures.
The complaint states that the reason the digital asset exchange keeps biometric data is because it “wrongfully profits” from the information and “disseminates its users’ biometric data to, amongst other things, further enhance Coinbase and its online app-based platform.”
Another primary concern of the class action is focused on the safety of the data, claiming that Coinbase “would have no protection against identity theft if the company’s biometric data database was hacked.”
The suit seeks $5,000 per intentional and reckless violation of BIPA or statutory damages of $1,000 per violation—if the court finds that Coinbase’s violations of BIPA were not willful—as well as attorneys’ fees and court costs of the class action.
However, if the suit is rubberstamped, its most interesting consequences may come via discovery, as Massel’s suit promises that it will seek to ascertain ‘all of the ways in which Coinbase disclosed, redisclosed, or otherwise disseminated’ the data.
This latest legal case will be an unwelcome distraction for the company, coming as it does a week after the U.S. digital asset giant filed a suit against the Securities and Exchange Commission (SEC). Coinbase aims to force the financial markets regulator to respond to a petition lodged with the court last July, asking the SEC for regulatory clarity and rules specific to the unique nature of digital assets.
The petition was an attempt to fend off any impending SEC charges in the light of a Wells notice that Coinbase received from the commission in March 2022 informing the company that an enforcement action should be expected.
Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups—from BitMEX to Binance, Bitcoin.com, Blockstream, ShapeShift, Coinbase, Ripple,
Ethereum, FTX and Tether—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.
New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.
